On 09/16/2011 07:22 PM, Adam Young wrote:
On 09/15/2011 11:34 PM, Kashyap Chamarthy wrote:
> On 09/15/2011 10:57 PM, Adam Young wrote:
>> Some of you may be interested:
>>
>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>
>> Here's the short of it: once you have an NSS database set up, you can do
>> something like:
>>
>> curl --cacert ./CA.crt \
>>   --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat Domain ID" \
>>   https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>   --pass freeipa4all
>
> After setting the env variable SSL_DIR, I notice a
> 'peer certificate cannot be authenticated with known CA certificates'
>
> What I'm unclear about is: we're explicitly using --cacert, but still, the below
> error indicates that it's referring to its internal CA certs "bundle"?
All I can think is that it is an RHEL 5 curl issue. Use the curl -vv option to get more
debugging information.
Never mind, this is resolved. Please check my other reply w/ [resolved] in the subject.
I was missing the trust attributes for CA. (the verbose output gave the clue)
Thanks.
>
> ############################################################################
> kashyap@temp$ env | grep SSL_DIR
> SSL_DIR=/var/tmp/temp/
> kashyap@temp$
> ############################################################################
> kashyap@temp$ curl --cacert CA.crt --pass redhat \
>   --cert "CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID" \
>   "https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> kashyap@temp$
> ######################################################################
> kashyap@temp$ certutil -L -d .
>
> Certificate Nickname                                           Trust Attributes
>                                                                SSL,S/MIME,JAR/XPI
>
> Certificate Authority - domaindrmtool1                         ,,
> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID  u,u,u
> kashyap@temp$
> ######################################################################
>
> Though, if I pass the '--insecure' option as curl says above, I can get the
> desired output, but that beats the point..
>
>
>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>
--
/kashyap
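The clue in the verbose output was the trust column: the CA nickname in the NSS database carried ",," rather than a trust flag, so the NSS-backed curl on that host had a CA it could see but would not trust for SSL. The check below is an added example, not code from the thread or from Dogtag: a small POSIX sh script that reads a `certutil -L` listing and reports whether a CA nickname's SSL column carries a C (trusted CA) or T (trusted peer CA) flag, and prints the `certutil -M` command that sets "CT,C,C". The two listings are constructed from the shape shown in the thread (the nickname and database path are therefore assumptions, as is the exact output spacing), so the script runs offline without certutil; only the printed fix command needs the real tool.

```shell
#!/bin/sh
# Added example: detect a CA certificate in an NSS database that has no SSL
# trust flags, which is the condition curl (built against NSS) reports as
# "Peer certificate cannot be authenticated with known CA certificates".

# Constructed sample of `certutil -L -d "$SSL_DIR"` output, before the fix.
# Nickname and column spacing are assumptions modelled on the thread.
SAMPLE_LISTING="Certificate Nickname                                           Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

Certificate Authority - domaindrmtool1                         ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID  u,u,u"

# Constructed sample of the same database after the trust flags were set.
FIXED_LISTING="Certificate Nickname                                           Trust Attributes
                                                               SSL,S/MIME,JAR/XPI

Certificate Authority - domaindrmtool1                         CT,C,C
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID  u,u,u"

# trust_attrs NICKNAME LISTING
# Print the trust-attribute token (last whitespace-separated field) of the
# listing line that begins with NICKNAME. Nicknames contain spaces, so the
# line is matched by prefix rather than split into fields.
trust_attrs() {
    printf '%s\n' "$2" | awk -v n="$1" 'index($0, n) == 1 { print $NF; exit }'
}

# ssl_flags NICKNAME LISTING
# The SSL column is the first comma-separated part of the trust attributes.
ssl_flags() {
    trust_attrs "$1" "$2" | cut -d, -f1
}

# ca_trusted_for_ssl NICKNAME LISTING
# Succeed (exit 0) only if the SSL column has a C or T flag; a bare "," or
# "u" alone (user cert) does not make a CA usable for server verification.
ca_trusted_for_ssl() {
    case "$(ssl_flags "$1" "$2")" in
        *C*|*T*) return 0 ;;
        *)       return 1 ;;
    esac
}

# fix_command NICKNAME DBDIR
# Print the certutil invocation that marks NICKNAME as a trusted CA for
# SSL, S/MIME and code signing. Not executed here; run it against the real
# database (the directory named by SSL_DIR in the thread).
fix_command() {
    printf 'certutil -M -d "%s" -n "%s" -t "CT,C,C"\n' "$2" "$1"
}

# Demonstration on the constructed listings.
CA_NICK="Certificate Authority - domaindrmtool1"
if ca_trusted_for_ssl "$CA_NICK" "$SAMPLE_LISTING"; then
    echo "before: $CA_NICK already trusted for SSL"
else
    echo "before: $CA_NICK has SSL trust '$(ssl_flags "$CA_NICK" "$SAMPLE_LISTING")'; fix with:"
    fix_command "$CA_NICK" "/var/tmp/temp"
fi
if ca_trusted_for_ssl "$CA_NICK" "$FIXED_LISTING"; then
    echo "after:  $CA_NICK trusted for SSL ($(ssl_flags "$CA_NICK" "$FIXED_LISTING"))"
fi
```

Once the CA entry shows "CT,C,C", re-run the original curl command without `-k`; keeping `--insecure` would silence the error but leave the connection unverified, which is the point Kashyap made above.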