Re: Help Understanding curl and tls/ssl certificates
From: Michael Newman via curl-users <curl-users_at_lists.haxx.se>
Date: Thu, 20 Jun 2024 14:36:27 +0700
Thanks to Dan for helping me understand.
> You don't provide the URL scheme you're using to upload, but --pubkey is only
> used for scp/sftp transfers. So, if that's what you're trying to do reading
> about SSL certs is irrelevant and will just confuse you.
The URL I was using is this: host=sftp://ftp.mgnewman.com/~/public_html/
If I use this instead: host=sftp://mgnewman.com/~/public_html/
Then the error message ("curl failed to verify the legitimacy of the server...") goes away.
I don’t understand why I was able to use the “wrong” url scheme for years without ever getting an error message. What could have caused the error to just suddenly appear the day before yesterday?
Here’s the verbose output with the correct url scheme:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 192.254.225.101...
* TCP_NODELAY set
* Connected to mgnewman.com (192.254.225.101) port 22 (#0)
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* SSH MD5 fingerprint: 4b17cad500a405c850e118c1deec0f96
* SSH host check: 0, key: AAAAB3NzaC1yc2EAAAADAQABAAABAQCzCyhhdYNOn5Zgib7qhPKevsPrZ+FHDdhmSqt1+o4T+znoewjIfrsevNyS6vL2km8dKSNKBxAZNJBGXeQtZLMg8DFfoeE9Qia1Ut3yWZStFsi49Djh6TWR8jE10qhsdXo6L9ahPvScseZtWJlNNESg7OHPnFnbPtxe8gXT37u0SHrEg+wQjv1awR1mtXk1WK2NhQzdtbK+vFjqOPDE07ErxNgaodXkPDLrff0CMIDG1dAfmDFtw0oUqaQwP2lPDD8SRCnv2Gm6yC8iQSrQatMiV9rOcnA8FXkqAQjgZZ1EQf826HpeDXXVYBtJbfsnMuxHbInfUQAEeoYS8h98bD2f
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0* SSH authentication methods available: publickey,password,keyboard-interactive
* Using SSH public key file '/home/pi/.ssh/id_rsa.pub'
* Using SSH private key file '/home/pi/.ssh/id_rsa'
* Initialized SSH public key authentication
* Authentication complete
0 91 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0} [0 bytes data]
* We are completely uploaded and fine
100 91 0 0 100 91 0 17 0:00:05 0:00:05 --:--:-- 20
100 91 0 0 100 91 0 17 0:00:05 0:00:05 --:--:-- 17
* Connection #0 to host mgnewman.com left intact
So, I have learned a great deal. Thanks for taking the time to set me on the right path.
Mike
> On Jun 20, 2024, at 1:56 PM, Dan Fandrich via curl-users <curl-users_at_lists.haxx.se> wrote:
>
> On Thu, Jun 20, 2024 at 08:56:29AM +0700, Michael Newman via curl-users wrote:
>> Note that I have read this: https://curl.se/docs/sslcerts.html
>
> SSL/TLS certs are used for protocols like FTPS and HTTPS, but notably NOT with
> SCP/SFTP/SSH.
>
>> To be perfectly honest, it baffles me.
>
> I have an idea why you're baffled.
>
>> I have three Raspberry Pi 4s running Buster. Each one uploads an image to a web
>> host (HostGator) every two minutes using curl. The code is simple:
>>
>> curl -s -S -u myname: \
>> --connect-timeout 25 \
>> --max-time 40 \
>> --retry 3 \
>> --pubkey ~/.ssh/id_rsa.pub \
>> -T $file $host >> $log 2>&1
>
> You don't provide the URL scheme you're using to upload, but --pubkey is only
> used for scp/sftp transfers. So, if that's what you're trying to do reading
> about SSL certs is irrelevant and will just confuse you.
>
>> It has been working fine for several years on all machines. Yesterday morning
>> all three machines got the same error message at exactly the same time:
>>
>> Tue Jun 18 12:42:04 +07 2024 convert finish upload begin
>> curl: (7) Failed to connect to ftp.mydomain.com port 22: Connection refused
>
> However, this error message implies that you're actually using (ftp or ftps) to
> connect to the server, not sftp.
>
>> This went on for about 20 minutes after which each machine started to get the
>> following:
>>
>> Tue Jun 18 13:06:04 +07 2024 convert finish upload begin
>> curl: (60) SSL peer certificate or SSH remote key was not OK
>>
>> The only way I managed to "fix" this was by adding the following to the curl
>> command:
>>
>> --insecure
>>
>> Clearly, this is not ideal.
>
> Adding -v will show more information about the certificate that's failing.
>
>> I have been dealing with several support people from HostGator none of whom
>> seem to have a clue.
>>
>> They claim that nothing was changed on their end. However, this seems unlikely
>> to me. How else could three identical machines to which I've done nothing
>
> That seems unlikely to me as well, although there are some other explanations.
> For example, a proxy server between you and the host may have changed instead,
> or a firewall on the local machine.
>
>> recently start receiving the same error messages if the problem is not with the
>> server?
>>
>> Their advice was for me to continue using curl in insecure mode; something I do
>> not want to do.
>
> That sounds like advice from people who don't really want to give you advice.
>
>> I can ssh into the machine and I can start an sftp session:
>
> This is a strong clue that you actually *do* want sftp and not ftp/ftps. Since
> the curl command is doing an ftp transfer, the first thing to change is the URL
> to select an sftp transfer instead.
>
> Dan
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
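Dan's point is that an sftp:// transfer is verified by the server's SSH host key, not by a TLS certificate, so curl's exit 60 here means the host key check failed. What follows is an added example, not code from the thread or from the curl project: a POSIX shell script that takes the base64 host key curl printed in the "SSH host check" line above, derives the MD5 fingerprint (the value curl reports as "SSH MD5 fingerprint") and the OpenSSH-style SHA-256 fingerprint, compares the MD5 with the reported value as one would compare against a fingerprint obtained from the hosting provider, and then rebuilds the upload command from the thread with a `--hostpubmd5` or `--hostpubsha256` pin where `--insecure` had been. It assumes openssl and awk are installed; the host name and the "ssh-rsa" key type on the sample known_hosts line are my placeholders, and the curl command is printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the curl-users thread or the curl project:
# pin the SFTP server's SSH host key on the curl command line instead of
# disabling verification with --insecure.
# Assumes openssl and awk are installed. Host name and key type on the sample
# line are placeholders; the upload command is printed, not run.

# Constructed known_hosts-style line. The base64 blob is the key curl printed
# in the thread's "SSH host check" output; "ssh-rsa" is inferred from its
# "AAAAB3NzaC1yc2E" prefix, which is the encoding of the string "ssh-rsa".
SAMPLE_KNOWN_HOST='mgnewman.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzCyhhdYNOn5Zgib7qhPKevsPrZ+FHDdhmSqt1+o4T+znoewjIfrsevNyS6vL2km8dKSNKBxAZNJBGXeQtZLMg8DFfoeE9Qia1Ut3yWZStFsi49Djh6TWR8jE10qhsdXo6L9ahPvScseZtWJlNNESg7OHPnFnbPtxe8gXT37u0SHrEg+wQjv1awR1mtXk1WK2NhQzdtbK+vFjqOPDE07ErxNgaodXkPDLrff0CMIDG1dAfmDFtw0oUqaQwP2lPDD8SRCnv2Gm6yC8iQSrQatMiV9rOcnA8FXkqAQjgZZ1EQf826HpeDXXVYBtJbfsnMuxHbInfUQAEeoYS8h98bD2f'
# MD5 that curl reported for that key in the same verbose output.
REPORTED_MD5='4b17cad500a405c850e118c1deec0f96'

# known_host_key LINE -> the base64 key blob (third field of a known_hosts line).
known_host_key() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# raw_key BASE64 -> the decoded key bytes on stdout.
raw_key() {
    printf '%s' "$1" | openssl base64 -d -A
}

# fingerprint_md5 BASE64 -> 32 hex digits: what curl prints as
# "SSH MD5 fingerprint:" and what --hostpubmd5 expects.
fingerprint_md5() {
    raw_key "$1" | openssl dgst -md5 -r | awk '{ print $1 }'
}

# fingerprint_sha256 BASE64 -> base64 SHA-256 of the key bytes with the '='
# padding dropped (OpenSSH style); curl ignores padding when comparing the
# value given to --hostpubsha256 (curl 7.80.0 or newer, built with libssh2).
fingerprint_sha256() {
    raw_key "$1" | openssl dgst -sha256 -binary | openssl base64 -A | tr -d '='
}

# fingerprint_matches BASE64 EXPECTED_MD5 -> exit 0 when the key's MD5 equals
# a value obtained out of band (here: the one curl reported in the thread).
fingerprint_matches() {
    [ "$(fingerprint_md5 "$1")" = "$2" ]
}

# upload_cmd FILE URL FINGERPRINT -> the thread's curl invocation with a host
# key pin in place of --insecure. A 32-character hex value selects
# --hostpubmd5 (present in older curl builds), anything else --hostpubsha256.
upload_cmd() {
    if [ "${#3}" -eq 32 ]; then
        pin="--hostpubmd5 $3"
    else
        pin="--hostpubsha256 $3"
    fi
    printf 'curl -s -S -u myname: --connect-timeout 25 --max-time 40 --retry 3 --pubkey ~/.ssh/id_rsa.pub %s -T %s %s\n' \
        "$pin" "$1" "$2"
}

# Stand-alone demonstration.
key=$(known_host_key "$SAMPLE_KNOWN_HOST")
echo "MD5:    $(fingerprint_md5 "$key")"
echo "SHA256: $(fingerprint_sha256 "$key")"
if fingerprint_matches "$key" "$REPORTED_MD5"; then
    echo "MD5 matches the reported value; the key can be pinned"
else
    echo "MD5 differs from the reported value; resolve that before pinning"
fi
upload_cmd image.jpg 'sftp://mgnewman.com/~/public_html/' "$(fingerprint_sha256 "$key")"
```

Two caveats that bear on the thread: when `~/.ssh/known_hosts` exists, the curl tool hands it to libssh2 and entries are matched by host name, so `ftp.mgnewman.com` and `mgnewman.com` are checked against separate entries even when they resolve to the same address; and `--hostpubsha256` arrived in curl 7.80.0, so the curl shipped with Buster only offers `--hostpubmd5`, which still pins the key but with a weaker hash.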
Received on 2024-06-20
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html