
curl-library

Seem to be Having some trouble acquiring the right CA crt file for conversion and to be used with the --cacert parameter

From: nonlin <nonlin_at_erols.com>
Date: Sun, 12 Aug 2012 10:09:19 -0400

Dear Sirs,

I am trying to learn cURL for the first time. I am planning on running some client-side RSA private key experiments with my own SSL server, but as you can see from this posting I am not ready to do those experiments quite yet; I am still learning the ropes. The problem is that even though I am following the basic instructions, I am not getting the results the instructions suggest I will get. I got past some of these on my own but now I am stuck.

I will lay it out for you:

So for the first time I am trying to use cURL to access a secure web site on my own server.

curl -v https://www.mysite.com/

And the results:

curl: (60) SSL certificate problem: self signed certificate in certificate chain

Now luckily I was hoping for something like this, so we are right on target.

So I did the following:

Went to http://curl.haxx.se/docs/sslcerts.html

Determined that what I needed to do was to acquire the CA cert over the network and bring it into curl through the use of the --cacert parameter.

So I went to the web browser (IE), clicked on the padlock symbol, clicked on View certificates, clicked on the Details tab, found the Authority Information Access line and copied down the URL, which I will share with you all: URL=http://certificates.starfieldtech.com/repository/sf_intermediate.crt (By the way, this was not what the instructions stated it would be like, but I was able to figure at least this much out on my own).

So (as the instructions suggested) I acquired the certificate using cURL:
curl -O http://certificates.starfieldtech.com/repository/sf_intermediate.crt

So far so good.

Now the instructions tell me to convert it with OpenSSL.
openssl x509 -inform DES -in sf_intermediate.crt -out sf_intermediate.pem -text

Unfortunately this is where things go wrong. I get the following error:
unable to load certificate
1840:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:.\crypto\asn1\tasn_dec.c:1319:
1840:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:.\crypto\asn1\tasn_dec.c:381:Type=X509

So I opened up the sf_intermediate.crt to see if there is anything stupid and simple. And well, it looks like it may already be in PEM format; take a look for yourselves:
-----BEGIN CERTIFICATE-----
MIIFBzCCA++gAwIBAgICAgEwDQY
............................
7KM/ozS4OUiDtSss4fJ2ubnnXlSyokfOGASGRS7VApA==
-----END CERTIFICATE-----

So as a shot in the dark I tried to use it as is:
C:\curl>curl -v https://www.mysite.com/ --cacert sf_intermediate.crt

But of course I get the same (60) SSL certificate problem: self signed certificate in certificate chain error as before.

So I am stuck. Can anyone point me in the right direction?

Sincerely,

Nonlin

For any of those who are curious, here is an upcoming question: "how to limit the number of ciphers in the suite that cURL will make available to my server". I would like to temporarily disable the use of certain encryption algorithms such as Diffie-Hellman key exchange until I have a better understanding of how the whole SSL system works. And cURL seems to have a suite of 46 ciphers to offer an SSL server, more than any web browser I have ever seen.

 

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2012-08-12
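
An added example, not part of the original post or of curl's documentation: a Python helper that performs the check the post does by eye, telling a PEM file from a DER one, and also reports whether each certificate is self-issued (issuer equals subject) or was issued by another CA, as a file named like `sf_intermediate.crt` would be. The function names and the `certcheck.py` file name are assumptions, and "self-issued" is judged by comparing the encoded names only, without verifying the signature.

```python
import base64
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def load_certs(data):
    """Return the DER bytes of every certificate in data (PEM or DER input)."""
    blocks = PEM_RE.findall(data)
    if blocks:                          # PEM: base64 between BEGIN/END markers
        return [base64.b64decode(b) for b in blocks]
    if data[:1] == b"\x30":             # DER: begins with an ASN.1 SEQUENCE tag
        return [data]
    raise ValueError("neither a PEM nor a DER certificate")

def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject names."""
    _, pos, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)      # tbsCertificate SEQUENCE
    fields = []                         # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:                 # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def is_self_issued(der):
    """True when issuer == subject (typical of a root CA); signature NOT verified."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

if __name__ == "__main__":              # usage: python certcheck.py FILE
    raw = open(sys.argv[1], "rb").read()
    kind = "PEM" if PEM_RE.search(raw) else "DER"
    for der in load_certs(raw):
        print(kind, "self-issued root" if is_self_issued(der) else "issued by another CA")
```

A file reported as PEM needs no `openssl x509 -inform ...` conversion before being passed to `--cacert`.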