there are a number of similar posts but I am trying to understand a little more than what those offer.
My curl commandline works fine and am able to talk to the server and get the data I want. The command looks like
curl -v --tlsv1.2 --cert ./service_cert.pem --key ./service_private.key "https://myserver"
But when I try to run my C program and examine the http client object I see this
errorBuffer = "NSS: client certificate not found (nickname not specified)
reading further I realized I have libcurl built with NSS which doesn't support reading cert from a flat file ( .pem)
How is then command line curl utility able to read the pem file ?
You need to import your client certificate into a NSS database, using certutil, and have your code use this database.
Reference:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil
Related
I am trying to run curl command from Red Hat Enterprise Linux 7 server with curl below:-
*curl -0 -v --cert-type p12 --cert /mycert.p12:<password> --cacert /my_sec_cert.cer -X GET "https://<url>"*
and ended up with the error :-
unable to load client cert: -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
NSS error -8018 (SEC_ERROR_UNKNOWN_PKCS11_ERROR)
When i am using pem certificate for same curl command with private key. Its working fine for me.
Can anyone suggest how to use p12 with Rhel7 here? Thanks
I'm trying to build a Hyperledger Fabric network for version 1.4.6. I thought I had finally gotten most of it going. I tried, from the cli image:
peer channel create -o orderer.diro.umontreal.ca:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/indepedent/orderer/msp/tlscacerts/tls-cert.pem
But the logs for the orderer always said that the TLS connection failed. So then I tried to change --cafile to --certfile. The file in question is a certificate, after all. And I got this:
peer channel create -o orderer.diro.umontreal.ca:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --certfile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/indepedent/orderer/msp/tlscacerts/tls-cert.pem
Error: failed to create deliver client: failed to load config for OrdererClient: unable to load orderer.tls.rootcert.file: open : no such file or directory
I have no idea where this orderer.tls.rootcert.file setting comes from. I looked at everywhere I could think of that sets a TLS root certificate for the orderer, including the fabric-ca-server-config.yaml settings file, but I still get that message Apparerntly, I need to set it somewhere extra. I just don't know where. It's set in the base/peer-base.yaml file and I made sure that it now points to current values.
I'm completely out of ideas of where I can set a value that will even change this message. It's not even about giving it the right value; it's just about finding out where to set it.
The orderer container is not able to find the TLS root certificate. Check the path inside docker container corresponding to /var/hyperledger/orderer/tls. I think this folder is empty or atleast cannot find the ca.crt inside it.
If you are using different mount paths, check in the docker-compose file for the orderer container that where you are mounting the following folder inside the it.
crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/
The correct argument is --cafile (--certfile is for your client's certificate when using client authentication). But /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/indepedent/orderer/msp/tlscacerts/tls-cert.pem seems not to exist (according to your second error). Check that path inside your client (with ls, for instance). Maybe the CA certificate has not been included, maybe the file path is not correct (I don't know, "independent" instead of "indepedent"?), maybe the file name...
After checking and fixing that all, if still failing, check your orderer logs.
I am using curl command to invoke a rest service. It is as follows:
{curl -X POST --ssl-no-revoke --cacert xyz.pem -K urls.txt -H "Authorization:Basic XYZ" -H "Content-Type:application/json" -d #data.json}
The above command is used to hit the service using one way SSL and basic authorization. The data to be passed is enclosed in data.json file and the urls to be hit are enclosed in urls.txt file.
The above command works perfectly in Windows but when executed from linux, it says:
{curl: option --ssl-no-revoke: is unknown
curl: try 'curl --help' or 'curl --manual' for more information}
I want to disable certificate revocation checks altogether. It looks like {--ssl-no-revoke} works on Windows but not Unix/Linux.
Would like to know if any alternative.
ssl-no-revoke is Windows Only. The only alternative I'm aware of is to have a valid certificate or not use SSL.
https://curl.haxx.se/docs/manpage.html
Using a valid certificate is not always a solution as revocation checks will fail with a valid certificate too when there is no Internet connection (for example, in the presence of a captive portal).
One way is to disable certificate checking altogether, i.e.:
curl --insecure https://www.example.com
Note that this will greatly reduce the security as self signed certificates will also be accepted as well as revoked ones!
Is it possible to interact/bypass a dialog popup when running a curl command?
My example involves running a curl command within a jenkins build that is using a p.12 certificate for authentication.
curl -v -k -E dev_key.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-2213
So if I do this within my regular terminal I will get a popup first time round asking stating example wants to access key in your keychain with allow/always allow buttons after which I can make my curl requests uninterrupted. But for some reason when running the same command in a Jenkins pipeline I just get the error (which is the outcome if you press cancel on the popup)
SSL can't load the certificate and it's private key
Is there a way around this?
UPDATE
So I have found there is a --cacert option to pass through which I guess verifies the dev_key but when I export my ca certificate its a .crt file. is the right format?
For SSL (https), curl option -E expects a certificate in PEM format (not PKCS#12). From man page:
-E, --cert <certificate[:password]>
[...]
The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine.
[...]
Full disclosure, I have very little idea what I'm doing.
I'm doing some troubleshooting with Curl and encryption, and I don't understand why this works for a certain website I'm testing against:
curl -v https://website
but none of these options work:
curl -v -1 https://website
curl -v -2 https://website
curl -v -3 https://website
The error I get back with all three options is:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
I've Googl'd the heck out of this error, and it seems like there are a millions reasons for Curl to return this.
I know that the -2 option uses super old and busted SSL, -3 uses less old (but still busted) SSL and that -1 uses TLS. The version of Curl I'm using doesn't seem to work if I try to get granular with --tlsv1.0, etc. I don't have permission to install a newer version of Curl on the machines I'm testing on.
So, my question is this: How do I know what method Curl is using to connect to https:// sites if I don't explicitly tell it what to use?
It depends entirely on what is negotiated with the peer. You would need to examine the handshake trace in each specific case.