Curl: 60 ssl certificate problem: self signed certificate in certificate chain

So since the Mavericks upgrade curl has more issues with certificates.

When trying to curl a file from my web server with its self-signed certificate it was getting the error "SSL Certificate: Invalid certificate chain".

This was corrected by adding the certificate to my system keychain and setting it to always allow SSL, information I found here and here.

This works fine and when I curl a file it downloads properly.

However, if I run curl with sudo before it (e.g. I have a script which needs to be run with sudo and does a curl in it), then I'm back to the same error message.

I'm guessing that root doesn't read from the system keychain perhaps?

Does anyone know a way to fix this?

asked Feb 21, 2014 at 16:36

Jacob Tomlinson

If you store your CA certificates on the filesystem (in PEM format) you can tell curl to use them with

sudo curl --cacert /path/to/cacert.pem ...

You can also turn off the certificate verification with

sudo curl --insecure ...

Edit: Updated with regard to feedback

If you want to set this permanently, you should create a .curlrc file and place it in your home directory. sudo commands may need this file in /var/root. The file takes the same options as the command line but without the dashes. One option per line:

cacert=/path/to/my/certs.pem

answered Feb 28, 2014 at 11:46
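Added example, not part of this answer: the trust decision behind --cacert, reproduced offline with openssl. It generates two constructed self-signed certificates, shows that the server's certificate fails against the default trust store (the situation behind curl's error 60) and against an unrelated anchor, and passes only when that same certificate is the bundle handed to --cacert. Certificate names and paths are constructed; it needs only openssl and a POSIX shell.

```shell
#!/bin/sh
# Added example, not from the original answer: show with openssl alone why a
# self-signed server certificate fails verification against the default trust
# store but passes when it is supplied as the trust anchor (what --cacert does).
# All certificate names and paths below are constructed for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed certificate: $1 = basename, $2 = CN.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Verify $2 using only the PEM bundle $1 as trust anchor, as curl does with
# --cacert. Prints ok or fail and returns openssl's verdict as exit status.
verify_with_cacert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo fail; return 1
}

# Verify $1 against the default trust store, i.e. curl (or sudo curl) without
# --cacert: a self-signed certificate is not in that store, so this fails.
verify_with_default_store() {
    if openssl verify "$1" >/dev/null 2>&1; then
        echo ok; return 0
    fi
    echo fail; return 1
}

# The X509 verify reason openssl reports (curl's error 60 text comes from the
# same codes, e.g. "self signed certificate"). Empty when verification passes.
verify_reason() {
    openssl verify -CAfile "$1" "$2" 2>&1 \
        | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

# Constructed certificates: the web server's, and an unrelated one.
make_self_signed server web.example.test
make_self_signed other  other.example.test

echo "default store            : $(verify_with_default_store "$WORK/server.pem")"
echo "--cacert other.pem       : $(verify_with_cacert "$WORK/other.pem" "$WORK/server.pem") ($(verify_reason "$WORK/other.pem" "$WORK/server.pem"))"
echo "--cacert server.pem      : $(verify_with_cacert "$WORK/server.pem" "$WORK/server.pem")"
```

The last line is the configuration the answer describes: the bundle given to --cacert (or the cacert= line in .curlrc) has to contain the server's own self-signed certificate, and for sudo curl that rc file is root's, not yours.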


Root doesn't read from the current user trust settings, but there are both an admin trust settings and root-user-specific trust settings. (These are also distinct from the system trust settings.) Note, also, that certificate trust settings are somewhat distinct from just adding a certificate to a keychain; you can mark a cert as trusted without fully adding it. (The exact situation here is not clear to me, and the docs I've seen are vague.)

You can mark a cert as trusted for your current user as

$ security add-trusted-cert /path/to/cert.pem

but that doesn't help with root. The solution, as you might now guess, is either to sudo the above, which then marks it as trusted for the root user specifically:

$ sudo security add-trusted-cert /path/to/cert.pem

or to use the -d flag to add it to the admin trust settings:

$ security add-trusted-cert -d /path/to/cert.pem

(OS X will pop up a password dialog to confirm this one.)

Either of the latter two seems to be sufficient for sudo curl.

Reference: https://developer.apple.com/library/mac/Documentation/Darwin/Reference/ManPages/man1/security.1.html

answered Mar 2, 2014 at 1:38


Wes Campaigne


This is really in the output hint:

echo insecure >> ~/.curlrc

Advantage of using above solution is that it works for all curl commands, but it is not recommended since it may introduce MITM attacks by connecting to insecure and untrusted hosts.

kenorb

answered Sep 19, 2014 at 4:35


zinking

If you use MacPorts (and the 3rd-party script you mentioned doesn't remove it from $PATH or call /usr/bin/curl) you can install the certsync and curl ports in this order.

certsync is a tool and a corresponding launchd plist that will export your system keychain to $prefix/etc/openssl/cert.pem and install a symlink $prefix/share/curl/curl-ca-bundle.crt -> $prefix/etc/openssl/cert.pem so MacPorts curl will automatically pick up the certificates. certsync will also automatically update the generated files when you change your system keychain.

answered Mar 4, 2014 at 1:14

neverpanic


To make sudo curl work (on OSX Sierra), we had to import the certificate into the System.keychain and trust it there. This could be done manually in the Keychain app or using this command:

sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain /path/to/cert.pem

It was important to both specify -d and manually set the path to the System keychain via -k to make sure the cert actually gets imported there if it isn't yet.

The command works without sudo, but then would ask for the password via a UI dialog, which might be a hurdle for scripts.

answered Nov 30, 2016 at 0:55
