https(SSL)的curl命令 [英] Curl command for https ( SSL )
问题描述
我尝试运行以下CURL命令,但我收到SSL证书错误:
curl https:// example.com:8443/cli/agentCLI -u用户名:密码
错误:
curl:(60)SSL证书问题,请验证CA证书是否正确。详细信息:
错误:14090086:SSL例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
更多详细信息: http://curl.haxx.se/docs/sslcerts.html
curl默认执行SSL证书验证,使用捆绑
的证书颁发机构(CA)公钥(CA证书)。默认的
包名为curl-ca-bundle.crt;您可以使用--cacert选项指定备用文件
。
如果此HTTPS服务器使用由
表示的CA签名的证书,则证书验证可能失败,原因是证书存在
问题(可能已过期,或者名称可能
与网址中的域名不匹配)。
如果您想要关闭curl对证书的验证,请使用
-k(或--insecure)选项。
如果您使用的是SSL,我将如何解决这个问题,允许使用SSL网址?
自签名证书,可以使用:
curl -k https://example.com:8443/cli/ agentCLI -u用户名:password
但是请注意,这不比使用非SSL连接服务器,因为你的通信将不再安全,使各种中间人的攻击。</ p>
虽然我的建议是下载 .pem :
- / ssl / 如果您有权访问服务器,
- 或您可以下载
使用:
echoHEAD / HTTP / 1.0 \\\
Host:example.com\\\
\\\
EOT\\\
| openssl s_client -prexit -connect example.com:8443> cert.pem
到您的计算机,只保留 BEGIN CERTIFICATE 和 END CERTIFICATE (包括BEGIN / END行),并将其作为参数提供给 - cacert 选项,您也可以下载它。然后,您将在每次连接时验证您的服务器!
curl --cacert cert.pem https:// example .com:8443 / cli / agentCLI -u用户名:密码
测试我自己的自签名服务器,工作正常:
%openssl s_client -showcerts -connect example.com :443< / dev / null 2> / dev / null | sed -n'/ ----- BEGIN CERTIFICATE ----- /,/ ----- END CERTIFICATE ----- / p'| grep -m1 -B-1 - '----- END CERTIFICATE -----'> cert.pem
%curl --cacert cert.pem https://example.com
例如:
%openssl s_client -showcerts - connect git.cryptolib.org:443< / dev / null 2> / dev / null | sed -n'/ ----- BEGIN CERTIFICATE ----- /,/ ----- END CERTIFICATE ----- / p'| grep -m1 -B-1 - '----- END CERTIFICATE -----'> cert.pem
%curl --cacert cert.pem https://git.cryptolib.org
curl:(51)SSL:证书验证失败(结果:5)
但不幸的是它不是。
我也试过, 此处:
%openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
%curl --cacert certdata.pem https://git.cryptolib.org
这不工作,因为我用于测试的网站(git.cryptolib.org)签名,但它是从CACert链,这可以通过使用CACert根证书,解决这个常见问题 a>。
一些资源:
- http://curl.haxx.se/docs/sslcerts.html
- http:/ /curl.haxx.se/mail/archive-2012-01/0049.html
- https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting -new-self-signed-certificate /
- http://curl.haxx.se/docs/caextract.html
但是没有确定的答案到目前为止:-s
I am trying to run the following CURL command but I am getting a SSL Certificate error:
curl https://example.com:8443/cli/agentCLI -u username:password
Error:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
How would I fix this issue to allow for SSL URLs?
if you're using a self signed certificate on the server, you can use:
curl -k https://example.com:8443/cli/agentCLI -u username:password
but be aware that then it's no better than using non SSL connection to the server, as your communication won't be secure anymore, enabling all sorts of man in the middle attacks.
Though my advice to you is to download the .pem from the server:
- that is usually found in
/etc/ssl/if you have access to the server, - or that you can download,
using:
echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem
to your computer, keep only the part between BEGIN CERTIFICATE and END CERTIFICATE within the file (including the BEGIN/END lines) and give it as parameter to the --cacert option, you might also download it. Then you'll get to authenticate your server each time you connect!
curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password
Testing on my own self-signed server, it's working fine:
% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----' > cert.pem
% curl --cacert cert.pem https://example.com
for an example that should be working:
% openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----' > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)
but sadly it's not.
I also tried to do, as suggested here:
% openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org
Which is not working, because that site (git.cryptolib.org) I'm using for testing is not self-signed, but it's from the CACert chain, which can be solved by using the CACert root certificates, following this FAQ.
a few resources to dig:
- http://curl.haxx.se/docs/sslcerts.html
- http://curl.haxx.se/mail/archive-2012-01/0049.html
- https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
- http://curl.haxx.se/docs/caextract.html
- curl self-signed certificate web service over SSL
But no definitive answer so far :-s
这篇关于https(SSL)的curl命令的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
