Curl doesn't accept my ssl key - ssl

I am running the following command on unix using curl :
curl -v -d #SampleRequest_OFFSHORE.xml -E ./mypemfile.pem:nopass --cacert ./ifind.prod.ClientAuth.abc.com.CER https://world-service-dev.intra.abc.com:4414/worldservice/CLIC/CaseManagementService/V1
I am getting the following error:
* About to connect() to world-service-dev.intra.abc.com port 4414 (#0)
* Trying 148.171.176.115... connected
* Connected to world-service-dev.intra.abc.com (148.171.176.115) port 4414 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: ./ifind.prod.ClientAuth.abc.com.CER
CApath: none
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0
curl: (58) Unable to load client key -8178.

Are you sure your keys are in the right keystore?
Did you try and change the file permissions on the keystore?

Related

How to run curl --retry command in GitLab-ci.yml

i am trying to run a curl --retry command in GitLab-ci pipeline and it fails in the pipeline but when i try to run it somewhere else it's working fine.
I am trying to check if my url is up or not and this will run till my url is up and after that rest of my script run to configure my application
curl -Is -k --retry 50 --retry-delay 0 --retry-connrefused https://{URL} -vvv
Trying 127.0.1.1:8443...
TCP_NODELAY set
Connected to {url} (127.0.1.1) port 8443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to {url}
Closing connection 0
Cleaning up file based variables
ERROR: Job failed: exit status 1
I think what is happening here that when we run curl --retry for every retry it closes the connection and restart it and that's where my pipeline breaks and i am not able to figure out how to handle this.
Is there any workaround to do this in the pipeline.
you can use a simple bash script and check for curl return value:
while true; do if curl --location 'http://localhost:8080'; then break; else sleep 1; fi; done

MQTT and SSL/TLS

I registered for an account on a mqtt server provider.
They provide 3 ports:
port: 1xxxx
ssl port: 2xxxx
websockets(TLS only): 3xxxx
I am publishing and receiving data from port 1xxx.
I would like to add encryption though. The mqtt server provider gives a "shared" subdomain but says:
If you want to use a custom domain for your instance you have to provide your own certificate to use with MQTT+TLS and Websockets. Certificates must be PEM encoded and the privte key unencrypted. Certs are only stored on your dedicated instance. When certs are installed you can point your domain as a CNAME to hairdresser.cloudmqtt.com.
I added a CNAME on my domain panel which I call it (mqtt.mydomain.com) and resolves to the above subdomain.
On my domain panel also I added ssl from letsenrypt(free) to my subdomain mqtt.mydomain.com(which points to mqtt server domain).
After adding the ssl I downloaded a zip file from the domain panel which contains 3 files:
mqtt.mydomain.com.ca
mqtt.mydomain.com.cert
mqtt.mydomain.com.key
I paste the contents of ca file to CA chain, cert file to Certificate and key file to Private key
Saved everything and restarted instance(mqtt server).
Then I tried from my computer:
mosquitto_pub -h "mqtt.mydomain.com" -p 1xxxx -i test1 -u test1 -P pass1 -t mytopics/test1 -m "hi everyone" -d -c
works but since its port 1xxxx its not SSL.
Trying the ssl:
mosquitto_pub -h "mqtt.mydomain.com" -p 2xxxx -i test1 -u test1 -P pass1 -t mytopics/test1 -m "hi everyone" -d -c --cafile C:\Users\CT\Downloads\certs\mqtt.mydomain.com.ca
gives me error on cmd:
OpenSSL Error[0]: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Error: A TLS error occurred.
Tried many different commands like passing cert file appart from ca and even key file(which is probably wrong i guess) and I am getting different errors on the server logs like:
OpenSSL Error: error:14094418:SSL routine
s:ssl3_read_bytes:tlsv1 alert unknown ca
OpenSSL Error: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Client connection from xx.xx.xx.xx failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

CentOS6 - curl NSS error -5961 resolved by updating packages. What did it actually do?

I was running into the same issue as described in this question: cURL SSL connect error 35 with NSS error -5961
$ curl --verbose https://api.hostname.com
* About to connect() to api.hostname.com port 443 (#0)
* Trying 1.2.3.4... connected
* Connected to api.hostname.com (1.2.3.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5961
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error
I followed user qingbo's advice after noticing that the server (CentOS 6.5 VM) had not been updated in a while. I ran this command:
$ yum update -y nss curl libcurl
and then re-ran the curl command and this time I received an expected HTTP/1.1 200 OK.
My question is - what did updating the nss, curl and libcurl packages do that fixed the connection issue?

curl does not have same result as browser

I am trying to download the following URL using from command line using curl. If the same URL is requested through the browser, it is able to fetch the image. But for curl, the server terminates the SSL handshake. Just to use exact same parameters; I tried the curl commands from 'developer tools' from google-chrome and firefox. But both fails with following error.
This question was asked before here here but there is no answer that works. I tried -http1.1 as suggested but did not work.
https://floridakeyswebcams.tv/sloppycam/camarchive/0807.jpg
(base) (15:39 test#testcomp ~) > curl -v 'https://floridakeyswebcams.tv/sloppycam/camarchive/0807.jpg' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,hi;q=0.8,mr;q=0.7' -H 'If-None-Match: "90cbf2d5a81d51:da782"' -H 'If-Modified-Since: Fri, 03 May 2019 12:07:53 GMT' --compressed
* Trying 74.209.245.140...
* TCP_NODELAY set
* Connected to floridakeyswebcams.tv (74.209.245.140) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /home/sagham/anaconda2/ssl/cacert.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to floridakeyswebcams.tv:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to floridakeyswebcams.tv:443
it appears that floridakeyswebcams.tv requires TLS1.3 support, use the --tlsv1.3 argument,
curl --tlsv1.3 -v 'https://floridakeyswebcams.tv/sloppycam/camarchive/0807.jpg'
here is what i get when using --tlsv1.2:
$ ./CURL.EXE https://floridakeyswebcams.tv/sloppycam/camarchive/0807.jpg --tlsv1.2 -vv
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 74.209.245.140...
* TCP_NODELAY set
* Connected to floridakeyswebcams.tv (74.209.245.140) port 443 (#0)
* schannel: next InitializeSecurityContext failed: SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client and server cannot communicate, because they do not possess a common algorit
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
* schannel: shutting down SSL/TLS connection with floridakeyswebcams.tv port 443
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ALGORITHM_MISMATCH (0x80090331) - The client and server cannot communicate, because they do not possess a common algorit
and here is (roughly, it was printed in the wrong order for some reason) what i get if i use --tlsv1.3:
./CURL.EXE https://floridakeyswebcams.tv/sloppycam/camarchive/0807.jpg --tlsv1.3 -v
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
* TCP_NODELAY set
* Connected to floridakeyswebcams.tv (74.209.245.140) port 443 (#0)
> GET /sloppycam/camarchive/0807.jpg HTTP/1.1
> Host: floridakeyswebcams.tv
> User-Agent: curl/7.64.1
> Accept: */*
>
▒▒▒▒
\▒.▒:\▒.▒:▒▒
▒▒
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
-truncated jpg binary-
question still remains about why this wasn't auto-negotiated tho, i'm not sure but i guess your TLS backend doesn't support tlv1.3, and that probably has something to do with why you just got a cryptic error..

Docker: TLS handshake timeout

I've created my own private registry (private-registry) but I'm unable to push images to it.
Than I get the following error:
The push refers to a repository [private-registry:5000/ubuntu] (len: 1)
unable to ping registry endpoint https://private-registry:5000/v0/
v2 ping attempt failed with error: Get https://private-registry:5000/v2/: net/http: TLS handshake timeout
v1 ping attempt failed with error: Get https://private-registry:5000/v1/_ping: net/http: TLS handshake timeout
The logs of the running registry are showing the following:
time="2015-12-14T07:59:21Z" level=warning msg="No HTTP secret provided - generated random secret. This may cause problems with uploads if multiple registries are behind a load-balancer. To provide a shared secret, fill in http.secret in the configuration file or set the REGISTRY_HTTP_SECRET environment variable." go.version=go1.5.2 instance.id=a77e1955-3688-4fe3-a06e-0341787f8d0f version=v2.2.1
time="2015-12-14T07:59:21Z" level=info msg="redis not configured" go.version=go1.5.2 instance.id=a77e1955-3688-4fe3-a06e-0341787f8d0f version=v2.2.1
time="2015-12-14T07:59:21Z" level=info msg="using inmemory blob descriptor cache" go.version=go1.5.2 instance.id=a77e1955-3688-4fe3-a06e-0341787f8d0f version=v2.2.1
time="2015-12-14T07:59:21Z" level=info msg="listening on [::]:5000, tls" go.version=go1.5.2 instance.id=a77e1955-3688-4fe3-a06e-0341787f8d0f version=v2.2.1
time="2015-12-14T07:59:21Z" level=info msg="Starting upload purge in 47m0s" go.version=go1.5.2 instance.id=a77e1955-3688-4fe3-a06e-0341787f8d0f version=v2.2.1
I'm unable to curl my registry (timeout).
This are the steps I performed:
First I've created selfsigned certificates:
mkdir -p certs && openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
-x509 -days 365 -out certs/domain.crt
I've created my registry, which will use this certificates:
docker run -d -p 5000:5000 --restart=always --name private-registry \
-v `pwd`/certs:/certs \
-e REGISTRY_HTTP_TLS_CERTIFICATE=certs/domain.crt \
-e REGISTRY_HTTP_TLS_KEY=certs/domain.key \
registry:2
I gave the right permissions:
chcon -Rt svirt_sandbox_file_t ~certs/
I've created: /etc/docker/etc.d/private-registry:5000/
And I copied my domain.crt in it.
I've edited my /etc/hosts and added:
10.0.0.X private-registry (my internal ip and the name of my registry)
I also restarted docker and my registry.
EDIT:
[centos# ~]$ curl -v private-registry:5000
* About to connect() to private-registry port 5000 (#0)
* Trying 10.0.0.xx...
* Connected to private-registry (10.0.0.xx) port 5000 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: private-registry:5000
> Accept: */*
>
* Connection #0 to host private-registry left intact
[centos#~]$ curl -v https://private-registry:5000
* About to connect() to private-registry port 5000 (#0)
* Trying 10.0.0.xx...
* Connected to private-registry (10.0.0.xx) port 5000 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -5990 (PR_IO_TIMEOUT_ERROR)
* I/O operation timed out
* Closing connection 0
curl: (35) I/O operation timed out
You may need to place the certificate into this directory.
/etc/docker/certs.d/private-registry.com:5000/ca.crt