I need to convert following curl command to JAVA code. to send HTTPS request with certificate,
curl https://connect2.pointclickcare.com/api/public/preview1/orgs/6a69f753-1353-4def-a428-e42e1206b90b/facs -H "Authorization: Bearer H6B2nrdEA9KuW6jrW3gOLJU5KwUd:2" --cert fullchain21.pem --key privkey21.pem
Related
Recently,I am learning about the authentication related knowledge of vault,and I plan to use the TLS Certificate Auth Method (API), but I have encountered some problems in the process of practice.
I have 4 self-generated certificates locally, clientCA.pem, serverCA.pem, client.pem and server.pem (cn is test.example.com). Here are the steps involved in the certificate.
1: My config.hcl file is as follows
listener "tcp" {
address = "[::]:8200"
tls_cert_file = "/certs/server.pem"
tls_key_file = "/certs/server.key"
tls_disable = false
}
2: Create CA Certificate Role
curl \
--header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--cacert clientCA.pem \
--data '{"display_name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/certs/test-ca
3: Login with TLS Certificate Method
curl \
--request POST \
--cacert serverCA.pem \
--cert client.pem \
--key clientkey.pem \
--data '{"name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"
When executing the second step, an error will be reported,
curl: (60) SSL certificate problem: unable to get local issuer certificate
Then I log in via rootToken and operate on the Web interface. Created a test-ca role, the imported Certificate is clientCA.pem
When executing the third cloth, an error is reported curl:
(60) SSL certificate problem: unable to get local issuer certificate
When I replace the serverCA.pem in the original command with server.pem, the error
{"errors":["invalid certificate or no client certificate supplied"]}
curl \
--request POST \
--cacert server.pem \
--cert client.pem \
--key clientkey.pem \
--data '{"name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/login|jq -r ".data"
When I went to the interface to change the Certificate of test-ca from clientCA.pem to client.pem, the modified curl was executed successfully.
curl \
--request POST \
--cacert server.pem \
--cert client.pem \
--key clientkey.pem \
--data '{"name": "test-ca"}' \
https://test.example.com:8200/v1/auth/cert/login|jq -r ".data".
Now I feel that I don't know the relationship between these certificates, and I have consulted a lot of documents, but I still do not understand it so far. I hope you can help me and provide me with a solution.
I have a client server interface.
The case is unusual, because the server authenticates client and not vice versa.
The client sends client cert to the server. The server authenticates the client cert with its root ca cert. There is also an intermediate cert being used, but I dont need that on server to authenticate the client.
The commands go as follows.
"curl -k --cert client-cert.pem --key client-key.pem https://server.com:443/endpoint" (FAIL)
But if I pass the intermediate cacert as argument to curl, its successful.
"curl -k --cert client-cert.pem --key client-key.pem --cacert intermediates.pem https://server.com:443/endpoint" (PASS)
Even if I pass in the root ca(same between client and server) it fails.
"curl -k --cert client-cert.pem --key client-key.pem --cacert root-ca.pem https://server.com:443/endpoint" (FAIL)
PS:
(FAIL) means, Server says authentication failure!
My Question is:
Why should a server care about the --cacert option at all. curl shouldn't be sending over the ca cert regardless. Correct?
Why do things work when I only pass intermediates file.
Thanks in advance for the response.
PS:
The client-cert.pem is signed by intermediate ca and intermediate ca is signed by root ca.
An SSL handshake error occurred in the process of making an API call with Python.
The reason for the SSL handshake error is that information such as client certificate, CA certificate, and client private key should be used as options.
Query curl -k --tlsv1.2 --cacert ./ca-chain.crt --cert ./client.crt --key ./client.key -H
You should have the above settings.
I found the tlsv1.2 part at the beginning through an internet search,
import ssl
I learned that I just need to add the syntax context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2) .
Then cacert ./ca-chain.crt --cert ./client.crt --key ./client.key did not know how to implement this part in Python code, so I asked a question.
The client certificate, CA certificate, and client private key are in the state that I extracted and kept with openssl.
Query: curl -k --tlsv1.2 --cacert ./ca-chain.crt --cert ./client.crt --key ./client.key -H I would like to know how to implement this in python code.
Thanks for reading this long post.
Then cacert ./ca-chain.crt --cert ./client.crt --key ./client.key did not know how to implement this part in Python code, so I asked a question.
ctx.load_verify_locations('./ca-chain.crt')
ctx.load_cert_chain('./client.crt', './client.key')
For more see the documentation.
I'm trying to get a cURL command to work and have been unable to figure out the correct syntax. Everything I've tried (listed below) results in an "Unknown SSL protocol error".
When I make the request in Chrome 42 I get a 200 response with the expected plaintext body "beat". There is a warning, however, and Chrome shows that the request is made using TLS 1.0 and the connection is encrypted using AES_128_CBC, with SHA1 for message authentication and RSA for key exchange.
Given this information, I would like to be able to make a request to the same URL using cURL and get the response "beat".
The certificates I am trying to pass to cURL were exported from Keychain into both the .pem and .cer formats.
Here's what I have tried. Every one of these commands has failed with the same message "curl: (35) Unknown SSL protocol error in connection to cxdev.sircon.com:-9824".
curl --trace - --ciphers ALL --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -k -v -1 -4 https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -k -v -1 https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -k -v https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --cacert ./sircon.pem https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --ciphers ALL --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --cacert ./sircon.pem https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --ciphers AES128 --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --ciphers AES128-SHA --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v --tlsv1 --ciphers ALL --cacert sircon.cer https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v -1 https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
curl -v https://cxdev.sircon.com/ComplianceExpress/AutomatedProcessing/rest/ekg
A new internal CA and certificate fixed the issue. Using TLS 1.0 and encrypting the connection using AES_256_CBC with SHA1 for message authentication and ECDHE_RSA, I was able to get Chrome to show a nice green lock icon when accessing the URL and every single one of the curl commands that I posted in my question are now able to successfully retrieve the resource.
I have my own CA and client certificate that I have been using successfully with cURL using the normal format:
curl --cacert /etc/myca.crt --cert /etc/myclient.pem:mypassword --cert-type PEM --get https://myhost.com
Now, for reasons outside the scope of this question, I have the same client certificate but the password has been removed using openssl. Using openssl I have verified that the new certificate is correct and I can use it to make SSL connections using applications other than cURL, but I cannot get it to work with cURL.
If I don't enter a password:
curl --cacert /etc/myca.crt --cert /etc/myclient.pem --cert-type PEM --get https://example.com
I get an error saying "curl: (58) unable to use client certificate (no key found or wrong pass phrase?)"
I have also tried:
curl --cacert /etc/myca.crt --cert /etc/myclient.pem: --cert-type PEM --get https://example.com
but I get the same error.
I am making the call to cURL from within a Perl script, so I need to find a way that will not prompt me for the password. I am using cURL 7.15.5 on RHEL 5.
Thank you.
You can make use of the --pass switch:
--pass <phrase> (SSL/SSH) Passphrase for the private key
To pass an empty passphrase you can use:
--pass ''