curl-users

Curl with nss error

From: Craig Foote <craigfoote_at_gmail.com>
Date: Fri, 25 Sep 2015 17:06:23 -0400

I'm trying to use curl to access an https address, passing it my certificate and validating the server's certificate with my own truststore (we have our own CA). I am for now running as root.

curl -v --cert /home/cdfoote/myCertificate.pem:mypassword --cert /home/cdfoote/truststore.pem https://host.com:8444

This gives me the error:

Unable to load client cert -8018
NSS error -8018

Googling that and determining that my curl was compiled with NSS, I've converted my certificate to a .pfx (I started with a .jks) and imported it into the NSS db via:

pk12util -i /home/cdfoote/myCertificate.pfx -d /etc/pki/nssdb

I see it when I list all certs in the db:

certutil -L -d /etc/pki/nssdb

I see its details when I list it by nickname:

certutil -L -d /etc/pki/nssdb -n myCert

I've made the db available via:

export SSL_DIR=/etc/pki/nssdb

Now, the curl command I'm running is:

curl -v --cert myCert --cert /home/cdfoote/truststore.pem https://host.com:8444

The response is:

About to connect to https//host.com port 8444 (#0)
Trying ipaddress
Connected to host.com (ipaddress) port 8444(#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /home/cdfoote/truststore.pem
CApath: none
NSS: client certificate not found: myCert
SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Server certificate:
...
{
    "status" : "403 - Forbidden",
...

A few questions:

Does 'CApath: none' indicate the truststore is not found even though the 'CAfile' is correct? If so, any ideas why it isn't found?

Any idea why 'myCert' is not found even though NSS is initialized to the correct 'certpath' (and it listed fine)?

On another box, where apparently curl is compiled with openssl rather than NSS, the original curl command above works. Is there any way I can run curl that way without recompiling it?

Thanks in advance, Craig

Received on 2015-09-25
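
A triage helper for the verbose output quoted in the message above, as an added example that is not part of the original post or of curl itself: it reads a `curl -v` transcript and reports which NSS database was opened and whether the client certificate was actually loaded before the request went out. The function names are hypothetical and the sample transcript is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example: triage a `curl -v` transcript for client-certificate problems.
# Function names are hypothetical; SAMPLE_LOG is constructed from the output
# quoted in the post above.

SAMPLE_LOG='Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /home/cdfoote/truststore.pem
CApath: none
NSS: client certificate not found: myCert
SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    "status" : "403 - Forbidden",'

# Print the NSS database curl initialised (empty if the log shows no NSS init).
nss_certpath() {
    printf '%s\n' "$1" | sed -n 's/^.*Initializing NSS with certpath: *//p' | head -n 1
}

# Print the nickname or file that curl could not find as a client certificate.
missing_client_cert() {
    printf '%s\n' "$1" | sed -n 's/^.*NSS: client certificate not found: *//p' | head -n 1
}

# Classify the transcript:
#   no-client-cert-sent    lookup failed, yet the TLS handshake completed
#   client-cert-not-found  lookup failed and no handshake is visible
#   client-cert-load-error curl reported "Unable to load client cert"
#   ok                     no client-certificate problem visible in the log
triage_curl_log() {
    log=$1
    if [ -n "$(missing_client_cert "$log")" ]; then
        # The handshake line after the failed lookup means the request was
        # sent without that certificate, so the server saw no client identity.
        if printf '%s\n' "$log" | grep -q 'SSL connection using'; then
            echo no-client-cert-sent
        else
            echo client-cert-not-found
        fi
    elif printf '%s\n' "$log" | grep -q 'Unable to load client cert'; then
        echo client-cert-load-error
    else
        echo ok
    fi
}

triage_curl_log "$SAMPLE_LOG"
```

The useful signal is the ordering: a "client certificate not found" line followed by a completed handshake means the connection went ahead without client authentication.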