使用带有 cURL 的自签名证书? [英] Use self signed certificate with cURL?
问题描述
我有一个使用自签名证书运行的烧瓶应用程序.我可以使用以下方式发送 curl 请求:
I have a flask application running using a self signed certificate. I'm able to send in a curl request using:
curl -v -k -H "Content-Type: application/json" -d '{"data":"value1","key":"value2"}' https://<server_ip>:<port>
详细日志显示一切正常.
The verbose logs show that everything went alright.
我想避免使用 -k (--insecure) 选项,而是指定 curl 可以使用的 .pem 文件.查看 curl 手册页,我发现您可以使用 --cert 选项执行此操作.所以我使用这个创建了一个 .pem 文件:
I wanted to avoid using the -k (--insecure) option and instead specify a .pem file that curl could use. Looking at the curl man page I found that you could do this using the --cert option. So I created a .pem file using this:
openssl rsa -in server.key -text > private.pem
使用 private.pem 文件时,CURL 向我抛出此错误:
CURL throws me this error when using the private.pem file:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
有什么建议吗?- 还是只有使用正确签名的证书才能做到这一点?
Any suggestions? - or is this only possible with a properly signed certificate?
Tnx
推荐答案
这只是这个问题的另一个版本:使用 openssl 从服务器获取证书
This is just another version of this question: Using openssl to get the certificate from a server
或者说得更直白:
使用 curl --cert 是错误的,它是用于客户端证书的.
Using curl --cert is wrong, it is for client certificates.
首先,获取您的服务器正在使用的证书:
First, get the the certs your server is using:
$ echo quit | openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
(-servername
是 SNI 所必需的,以便您获取正确的虚拟服务器证书)
(-servername
is necessary for SNI so that you get the right virtual server's certificate back)
然后让您的 curl 命令行使用该设置在后续操作中验证服务器:
Then make your curl command line use that set to verify the server in subsequent operations:
$ curl --cacert cacert.pem https://server/ [and the rest]
这篇关于使用带有 cURL 的自签名证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!