On 09/16/2011 06:00 AM, Kashyap Chamarthy wrote:
On 09/16/2011 02:46 PM, Kashyap Chamarthy wrote:
> On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
>> On 09/15/2011 10:57 PM, Adam Young wrote:
>>> Some of you may be interested:
>>>
>>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>>
>>> Here's the short of it: once you have an NSS database set up, you can do something like:
>>>
>>> curl --cacert ./CA.crt \
>>> --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID" \
>>> https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>> --pass freeipa4all
>>
>> After setting the env variable SSL_DIR, I notice a
>> 'peer certificate cannot be authenticated with known CA certificates'
>>
>> What I'm unclear about is: we're explicitly using --cacert, but still, the below error indicates
>> that it's referring to its internal CA certs "bundle"?
>>
>>
>> ############################################################################
>> kashyap@temp$ env | grep SSL_DIR
>> SSL_DIR=/var/tmp/temp/
>> kashyap@temp$
>> ############################################################################
>> kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID" "https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>> kashyap@temp$
>> ######################################################################
>> kashyap@temp$ certutil -L -d .
>>
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>>
>> Certificate Authority - domaindrmtool1 ,,
>> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
>> kashyap@temp$
>> ######################################################################
CA cert is the culprit. It doesn't have the right trust attributes.
This does the trick:
#############
$ certutil -M -d . -n "Certificate Authority - domaindrmtool1" -t "CT,,"
#############
That explains why I had to use the CA cert outside the DB.
>> Though, if I pass the '--insecure' option as curl says above, I can get the desired
>> output, but that beats the point.
> Verbose info says 'untrusted issuer'. Trying to dig more...
> ####################################################################################
> kashyap@temp$ curl --verbose --cacert CA.crt --pass redhat --cert "CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID" "https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>
> * About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
> * Trying 10.65.201.38... connected
> * Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
> * Initializing NSS with certpath: /var/tmp/temp/
> * CAfile: CA.crt
> CApath: none
> * Certificate is signed by an untrusted issuer: 'CN=Certificate
> Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
> * NSS error -8172
> * Closing connection #0
> * Peer certificate cannot be authenticated with known CA certificates
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> kashyap@temp$
> ####################################################################################
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
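The thread's diagnosis is that an NSS-built curl, with SSL_DIR pointing at a certutil database, fails with "Peer certificate cannot be authenticated with known CA certificates" when the CA entry in that database carries empty trust attributes (",,"), and that re-marking the CA with "CT,," fixes it. The following script is an added example, not code from the thread or the Dogtag project: it parses `certutil -L` output and reports CA entries that would trip that error, and builds the exact `certutil -M ... -t "CT,,"` fix shown above. The sample listing is constructed to mirror the one in the thread; function names (`parse_certutil_list`, `untrusted_for_ssl`, `fix_command`, `audit_db`) are this example's own, and it treats any entry without a private key (no `u` flag) as an imported CA or peer certificate, which is a heuristic rather than something certutil states.

```python
"""Check the trust flags of an NSS certificate database for CA certificates
that an NSS-built curl (with SSL_DIR pointing at the database) will not trust.

Added example, not from the thread; the certutil output below is constructed
to mirror the listing in the thread. Function names are this example's own.
"""
import re
import subprocess
from typing import Dict, List, Set

# certutil trust flag letters (see the NSS certutil man page). Only the first
# column, SSL, matters for curl's server-certificate verification.
CA_FLAGS = {"C", "T"}   # C: trusted CA for server certs, T: trusted CA for client certs
PEER_FLAG = "P"         # P: explicitly trusted peer (leaf) certificate
USER_FLAG = "u"         # u: certificate whose private key lives in this DB

# Constructed sample of `certutil -L -d .` output, matching the thread's listing.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate Authority - domaindrmtool1                       ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
"""

# One listing row: a nickname, whitespace, then three comma-separated flag groups.
# The header lines never match (no commas, or a leading blank / slashes).
ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_list(text: str) -> Dict[str, str]:
    """Map nickname -> trust attribute string (e.g. 'CT,,' or 'u,u,u')."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            entries[m.group("nick")] = m.group("trust")
    return entries


def ssl_flags(trust: str) -> Set[str]:
    """Return the flag letters in the SSL column of a trust string."""
    return set(trust.split(",")[0])


def untrusted_for_ssl(entries: Dict[str, str]) -> List[str]:
    """Nicknames of imported certificates (no private key) that carry no SSL
    trust at all: neither CA trust (C/T) nor peer trust (P).

    A server certificate chaining to such an entry is reported by curl as an
    untrusted issuer, as in the thread, whatever --cacert points at.
    Heuristic: an entry without the 'u' flag is assumed to be a CA or peer cert.
    """
    bad: List[str] = []
    for nick, trust in entries.items():
        flags = ssl_flags(trust)
        if USER_FLAG in flags:
            continue  # our own client cert, not an issuer; trust flags are irrelevant
        if not (flags & CA_FLAGS) and PEER_FLAG not in flags:
            bad.append(nick)
    return bad


def fix_command(dbdir: str, nick: str) -> List[str]:
    """The certutil invocation from the thread that marks a CA as trusted for
    SSL server and client certificates, in argv form (no shell quoting needed)."""
    return ["certutil", "-M", "-d", dbdir, "-n", nick, "-t", "CT,,"]


def audit_db(dbdir: str) -> List[str]:
    """Run certutil against a real database and report untrusted CA entries.
    Needs the NSS tools on PATH; the constructed sample does not exercise it."""
    out = subprocess.run(["certutil", "-L", "-d", dbdir],
                         check=True, capture_output=True, text=True).stdout
    return untrusted_for_ssl(parse_certutil_list(out))


if __name__ == "__main__":
    entries = parse_certutil_list(SAMPLE_LISTING)
    for nick in untrusted_for_ssl(entries):
        print(f"untrusted for SSL: {nick!r}")
        print("  fix:", " ".join(fix_command(".", nick)))
```

Against the sample listing the script flags "Certificate Authority - domaindrmtool1" and prints the `certutil -M ... -t CT,,` command; against a real database, call `audit_db("/var/tmp/temp/")` (or whatever SSL_DIR is set to) before reaching for `--insecure`.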