Why are we getting "tls handshake error using curl"? - ssl

I'm trying to use curl to access a URL of an app we've developed internally, and on the server I'm seeing
http: TLS handshake error from 1.2.3.4 remote error: tls: unknown certificate authority.
This only happens when we hit the endpoint using curl (inside git bash ) or wget. When we use IE on Windows it works just fine. I've even tried re-installing git bash using Native SSL library (which should be the same as IE), but still getting the same error message.
Have even tried downloading the curl-ca-bundle.crt file and saving to the same place as the curl binary, or even directly telling it to use this file with curl --cacert option, but still no joy.
I've compared the root certs that IE is reporting, and the ones in that curl-ca-bundle.crt and they look the same (they don't line up exactly the same, but they have the same text in them between the BEGIN and END markers, one is just wider on the screen and therefore uses fewer lines if that makes sense).
Hopefully someone has ideas what to try next as two of us have been tearing our hair out all afternoon with this.
wget also gives an error message :-
$ wget https://bler.com/admin/user
--2018-09-03 15:53:43-- https://bler.com/admin/user
Connecting to 132.146.1.142:8090... connected.
ERROR: cannot verify oss.dns.networks.bt.com's certificate, issued by 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US':
Unable to locally verify the issuer's authority.
To connect to oss.dns.networks.bt.com insecurely, use '--no-check-certificate'.
We're using a local proxy server, and HTTP_PROXY is set. It must be using the proxy, as we can see we're hitting the end point.

I also had the same error. This problem occurs when you install on Golang web server the only certificate. You must use a certificate chain instead.
For example, Letsencrypt gives "cert.pem" and "fullchain.pem". "cert.pem" works in browsers, but curl cannot work with this file (curl: (60) SSL certificate problem: unable to get local issuer certificate). "fullchain.pem" works fine in browsers and curl.

Related

Firefox can find certificate, but curl cannot (while tunneling https through ssh)

Background:
I have a running app at ports 8080 in the remote server and a https ingress proxy at 443 on the same server, which redirects everything to 8080 app after handling the SSL.
What I want to do:
I want to communicate with the app through SSL remotely, while not having access directly to this domain (it is on a local network, I can access the server remotely via a different domain).
What I did:
I tunneled 443 port from my remote server ssh -L 3001:0.0.0.0:443 user#example.com. I then added 127.0.0.1 example.com to my /etc/hosts to make sure that the domain on my system is resolved properly.
Now, what I can do is enter https://example.com:3001/some/thing/ in firefox and it gets me a proper response from the server, while everything is ran through ssl without any problems. I also am able to use curl without checking the certificate: curl --insecure https://example.com:3001/some/thing works fine.
At the same time secure curl call fails: curl https://example.com:3001/some/thing with the error:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
Just to make sure both are using the same certificates, I actually used this tool: https://curl.haxx.se/docs/mk-ca-bundle.html to create a ca-bundle.crt from the most recent firefox certificates and passed it to curl with --cacert ca-bundle.crt. No luck - the same error. (I also tried following other curl tutorial on getting the local installation of firefox's certs, also no luck).
Question
What is going on? Why is curl's output different from firefox's even if I seem to use the same certificates? How can I debug this?
Side note
The real reason I am concerned about it is that with a normal (local) access to the server, I observed the same behaviour: I could connect to the server through chrome on https, but my react native app could not. I suspect the app to use libcurl under the hood or something similar and I believe debugging this problem could help me understand what's the problem with the app.

SSL Handshake error using Curl to POST a file to a web service

I've been playing around with Curl, trying to do what should be a simple POST of a file to a web service for a couple of days and not getting anywhere.
The target POST service is unauthenticated HTTPS. When trying to run my POST request via Curl or via Informatica, I am getting an SSL handshake failure with both methods.
For example:
curl -X POST -F 'file=#filename.dat' https://url
I have been able to get this to work using Postman, so I know the service works. According to network security, SSL is disabled in this environment. Am I out of luck, or is there a way to get this to work without SSL?
Specific error encountered:
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
By default, a client establishing a HTTPS URL connection will check the validity of a SSL certificate - otherwise, what's the point of using SSL?
In your case, you are saying "Pretend to use HTTPS but actually, ignore the certificate", because it's invalid, or you are still getting one, or you are in the development phase (I hope the latter is true, and get or create a valid sever certificate when needed).
But curl doesn't know that. It is assuming you are asking it to establish a connection with an HTTPS endpoint - thus it will try to validate the certificate - which, in your case, may be the source of the failure.
Try curl -k -X POST -F 'file=#filename.dat' https://url
From the manpage:
-k, --insecure
(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate even for server connections otherwise considered insecure.
The server connection is verified by making sure the server's certificate contains the right name and verifies successfully using the cert store.
See this online resource for further details:
https://curl.haxx.se/docs/sslcerts.html
See also --proxy-insecure and --cacert.

Jenkins and SSL certificates

Firstly my exposure and experience with certificates is limited so I am trying to use this as a learning experience as well as obtaining an answer.
Using Jenkins I would like to be able to make a curl request as part of my build that uses a certificate (.p12) to authenticate.
Example
curl --cert /Users/Jenkins/.jenkins/workspace/develop-pipeline/../certificates/dev_cert.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-1234
So I have a Desktop certificate (private key) which I have saved onto the machine where Jenkins runs, but I also understand that I need a CA certificate to authorise this private key (hope this is correct so far).
When I have run the curl command from the terminal on the Jenkins machine I had a popup that asked me did I want to use the cert within the keychain to authorise and I clicked always allow, so command line curl requests always work.
However when I run this as part of a Jenkins build I get
(58) SSL: Can't load the certificate "/Users/Jenkins/.jenkins/workspace/develop-pipeline/../certificates/dev_cert.p12" and its private key: OSStatus -25308
The path to the cert is correct as the directory structure is
develop-pipeline
certificates
dev_cert.p12
What I don't understand is that if I don't provide a password
curl --cert /Users/Jenkins/.jenkins/workspace/develop-pipeline/../certificates/dev_cert.p12 https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-1234
I get the message:
SSL The certificate "/Users/Jenkins/.jenkins/workspace/develop-pipeline/dev_cert.p12" requires a password
So it has found the certificate ?
Also providing an incorrect password yields
SSL: Incorrect password for the certificate "/Users/Jenkins/.jenkins/workspace/develop-pipeline/dev_cert.p12" and its private key.
What do I need to do to get this working?
This Github comment helped me sorting out the curl issue on OSX. So in my case installing curl via Homebrew with OpenSSL flags did the trick.

What is Apache's OpenSSL and why does one server have it but another not

I'm working with two servers; one localhost one on the web. Both are http; I don't have an SSL certificate installed on either.
When I'm trying to make a Curl request to an https url (in this case the Facebook API), one of the servers works and the other doesn't. The CURL error is "SSL certificate problem: unable to get local issuer certificate." Upon investigation, I noticed that $_SERVER["SERVER_SOFTWARE"] outputs something different on the two servers.
Server 1, which works with CURL to https
$_SERVER["SERVER_SOFTWARE"] = Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.6.3
Server 2, which doesn't work with CURL to https
$_SERVER["SERVER_SOFTWARE"] = Apache
I'm guessing that the fact that the second server has no mention of OpenSSL may have something to do with the error? Is that possible? What would I need to do to get OpenSSL on that server? Why would the first server be able to "find issuer certificate" when I don't have an SSL cert installed on it?
Since you are doing a request with curl to an external server the problem is completely unrelated to the web server software you are running locally, i.e. you don't even need to run a local web server at all. It only depends on the certificate the external server sends back to curl and if the necessary root CA can be found in the trust store of curl.

Download build files from Nexus, certificate error when running wget, but succeed with browser (Firefox, Chrome)

I've already purchased the SSL Certifcate from DigiCert and install it into my Nexus server (running in tomcat, jks)
It works well in firefox and chrome(green address bar indicates that a valid certificate received) , builds could be downloaded from Nexus WebUI too.
But, wget could not get the result without --no-check-certificate
something like
ERROR: cannot verify mydomain.com's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3':
Unable to locally verify the issuer's authority.
To connect to mydomain.com insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
Found something,
SSL connection fails with wget, curl, but succeed with firefox and lynx
linux wget not certified?
But neither of them gives a final solution, I want to know whether there are some (special) configurations on Nexus or this's a bug of wget command?
Google return many results about "digitcert wget",but I cannot find a clue either, Thank you!
You need to add the DigiCert root certificate to a store accessible by wget:
http://wiki.openwrt.org/doc/howto/wget-ssl-certs