将自签名证书与 cURL 一起使用? [英] Use self signed certificate with cURL?

问题描述

我有一个使用自签名证书运行的烧瓶应用程序.我可以使用以下方法发送 curl 请求:

I have a flask application running using a self signed certificate. I'm able to send in a curl request using:

curl -v -k -H "Content-Type: application/json" -d '{"data":"value1","key":"value2"}' https://<server_ip>:<port>

详细日志显示一切正常.

The verbose logs show that everything went alright.

我想避免使用 -k (--insecure) 选项，而是指定 curl 可以使用的 .pem 文件.查看 curl 手册页，我发现您可以使用 --cert 选项执行此操作.所以我用这个创建了一个 .pem 文件:

I wanted to avoid using the -k (--insecure) option and instead specify a .pem file that curl could use. Looking at the curl man page I found that you could do this using the --cert option. So I created a .pem file using this:

openssl rsa -in server.key -text > private.pem

在使用 private.pem 文件时，CURL 向我抛出此错误:

CURL throws me this error when using the private.pem file:

curl: (58) unable to use client certificate (no key found or wrong pass phrase?)

有什么建议吗?- 或者这只能通过正确签名的证书来实现?

Any suggestions? - or is this only possible with a properly signed certificate?

Tnx

推荐答案

这只是这个问题的另一个版本:使用openssl从服务器获取证书

This is just another version of this question: Using openssl to get the certificate from a server

或者更直白地说:

使用 curl --cert 是错误的，它用于客户端证书.

Using curl --cert is wrong, it is for client certificates.

首先，获取您的服务器正在使用的证书:

First, get the the certs your server is using:

$ echo quit | openssl s_client -showcerts -servername server -connect server:443 > cacert.pem

(-servername 是 SNI 所必需的，以便您获得正确的虚拟服务器证书)

(-servername is necessary for SNI so that you get the right virtual server's certificate back)

然后让您的 curl 命令行使用该设置在后续操作中验证服务器:

Then make your curl command line use that set to verify the server in subsequent operations:

$ curl --cacert cacert.pem https://server/ [and the rest]

这篇关于将自签名证书与 cURL 一起使用?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！