12:27 p.m.
Some of you may be interested:
http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
Here's the short of it: once you have an NSS database set up, you can do
something like:
curl --cacert ./CA.crt \
--cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat
Domain ID" \
https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
--pass freeipa4all
10:34 p.m.
On 09/15/2011 10:57 PM, Adam Young wrote:
Some of you may be interested:
http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
Here's the short of it: once you have an NSS database set up, you can do something
like:
curl --cacert ./CA.crt \
--cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat
Domain ID" \
https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
--pass freeipa4all
After setting the env variable SSL_DIR, I notice a
'peer certificate cannot be authenticated with known CA certificates'
What I'm unclear is: we're explicitly using --cacert, but still, the below error
indicates
that it's referring to it's internal CA certs "bundle" ?
############################################################################
kashyap@temp$ env | grep SSL_DIR
SSL_DIR=/var/tmp/temp/
kashyap@temp$
############################################################################
kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator of
Instance
pki-ca1-sep6's domaindrmtool1 ID"
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
kashyap@temp$
######################################################################
kashyap@temp$ certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificate Authority - domaindrmtool1 ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
kashyap@temp$
######################################################################
Though, if I pass the '--insecure' option as curl says above, I can get the
desired
output, but that beats the point..
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
--
/kashyap
4:16 a.m.
On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
On 09/15/2011 10:57 PM, Adam Young wrote:
> Some of you may be interested:
>
> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>
> Here's the short of it: once you have an NSS database set up, you can do
something like:
>
> curl --cacert ./CA.crt \
> --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat
Domain ID" \
> https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
> --pass freeipa4all
After setting the env variable SSL_DIR, I notice a
'peer certificate cannot be authenticated with known CA certificates'
What I'm unclear is: we're explicitly using --cacert, but still, the below error
indicates
that it's referring to it's internal CA certs "bundle" ?
############################################################################
kashyap@temp$ env | grep SSL_DIR
SSL_DIR=/var/tmp/temp/
kashyap@temp$
############################################################################
kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator of
Instance
pki-ca1-sep6's domaindrmtool1 ID"
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
kashyap@temp$
######################################################################
kashyap@temp$ certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificate Authority - domaindrmtool1 ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
kashyap@temp$
######################################################################
Though, if I pass the '--insecure' option as curl says above, I can get the
desired
output, but that beats the point.
Verbose info says 'untrusted issuer' . Trying to dig more..
####################################################################################
kashyap@temp$ curl --verbose --cacert CA.crt --pass redhat --cert "CA Administrator
of
Instance pki-ca1-sep6's domaindrmtool1 ID"
"https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
* About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
* Trying 10.65.201.38... connected
* Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
* Initializing NSS with certpath: /var/tmp/temp/
* CAfile: CA.crt
CApath: none
* Certificate is signed by an untrusted issuer: 'CN=Certificate
Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
kashyap@temp$
####################################################################################
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>
--
/kashyap
5 a.m.
New subject: [resolved] Talking to PKI-CA via Curl
On 09/16/2011 02:46 PM, Kashyap Chamarthy wrote:
On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
> On 09/15/2011 10:57 PM, Adam Young wrote:
>> Some of you may be interested:
>>
>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>
>> Here's the short of it: once you have an NSS database set up, you can do
something like:
>>
>> curl --cacert ./CA.crt \
>> --cert "CA Administrator of Instance pki-ca2's
AyoungBostonDevelRedhat Domain ID" \
>> https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>> --pass freeipa4all
>
>
> After setting the env variable SSL_DIR, I notice a
> 'peer certificate cannot be authenticated with known CA certificates'
>
> What I'm unclear is: we're explicitly using --cacert, but still, the below
error indicates
> that it's referring to it's internal CA certs "bundle" ?
>
>
> ############################################################################
> kashyap@temp$ env | grep SSL_DIR
> SSL_DIR=/var/tmp/temp/
> kashyap@temp$
> ############################################################################
> kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator of
Instance
> pki-ca1-sep6's domaindrmtool1 ID"
>
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> kashyap@temp$
> ######################################################################
> kashyap@temp$ certutil -L -d .
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Certificate Authority - domaindrmtool1 ,,
> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
> kashyap@temp$
> ######################################################################
CA cert is the culprit. It doesn't have right trust attributes.
This does the trick
#############
$ certutil -M -d . -n "Certificate Authority - domaindrmtool1" -t
"CT,,"
#############
>
> Though, if I pass the '--insecure' option as curl says above, I can get the
desired
> output, but that beats the point.
Verbose info says 'untrusted issuer' . Trying to dig more..
####################################################################################
kashyap@temp$ curl --verbose --cacert CA.crt --pass redhat --cert "CA
Administrator of
Instance pki-ca1-sep6's domaindrmtool1 ID"
"https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
* About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
* Trying 10.65.201.38... connected
* Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
* Initializing NSS with certpath: /var/tmp/temp/
* CAfile: CA.crt
CApath: none
* Certificate is signed by an untrusted issuer: 'CN=Certificate
Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
kashyap@temp$
####################################################################################
>
>
>
>>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>
>
--
/kashyap
9:05 a.m.
New subject: [resolved] Talking to PKI-CA via Curl
On 09/16/2011 06:00 AM, Kashyap Chamarthy wrote:
On 09/16/2011 02:46 PM, Kashyap Chamarthy wrote:
> On 09/16/2011 09:04 AM, Kashyap Chamarthy wrote:
>> On 09/15/2011 10:57 PM, Adam Young wrote:
>>> Some of you may be interested:
>>>
>>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>>
>>> Here's the short of it: once you have an NSS database set up, you can do
something like:
>>>
>>> curl --cacert ./CA.crt \
>>> --cert "CA Administrator of Instance pki-ca2's
AyoungBostonDevelRedhat Domain ID" \
>>> https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>>> --pass freeipa4all
>>
>> After setting the env variable SSL_DIR, I notice a
>> 'peer certificate cannot be authenticated with known CA certificates'
>>
>> What I'm unclear is: we're explicitly using --cacert, but still, the
below error indicates
>> that it's referring to it's internal CA certs "bundle" ?
>>
>>
>> ############################################################################
>> kashyap@temp$ env | grep SSL_DIR
>> SSL_DIR=/var/tmp/temp/
>> kashyap@temp$
>> ############################################################################
>> kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator
of Instance
>> pki-ca1-sep6's domaindrmtool1 ID"
>>
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>> curl: (60) Peer certificate cannot be authenticated with known CA certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a
"bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>> kashyap@temp$
>> ######################################################################
>> kashyap@temp$ certutil -L -d .
>>
>> Certificate Nickname Trust Attributes
>> SSL,S/MIME,JAR/XPI
>>
>> Certificate Authority - domaindrmtool1 ,,
>> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
>> kashyap@temp$
>> ######################################################################
CA cert is the culprit. It doesn't have right trust attributes.
This does the trick
#############
$ certutil -M -d . -n "Certificate Authority - domaindrmtool1" -t
"CT,,"
#############
That explains why I had to use the CA cert outside the DB,
>> Though, if I pass the '--insecure' option as curl
says above, I can get the desired
>> output, but that beats the point.
> Verbose info says 'untrusted issuer' . Trying to dig more..
> ####################################################################################
> kashyap@temp$ curl --verbose --cacert CA.crt --pass redhat --cert "CA
Administrator of
> Instance pki-ca1-sep6's domaindrmtool1 ID"
>
"https://cspki.lab.eng.pnq.redhat.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
>
> * About to connect() to cspki.lab.eng.pnq.redhat.com port 9443 (#0)
> * Trying 10.65.201.38... connected
> * Connected to cspki.lab.eng.pnq.redhat.com (10.65.201.38) port 9443 (#0)
> * Initializing NSS with certpath: /var/tmp/temp/
> * CAfile: CA.crt
> CApath: none
> * Certificate is signed by an untrusted issuer: 'CN=Certificate
> Authority,OU=pki-ca1-sep6,O=domaindrmtool1'
> * NSS error -8172
> * Closing connection #0
> * Peer certificate cannot be authenticated with known CA certificates
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> kashyap@temp$
> ####################################################################################
>
>>
>>
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>>
>>
>
8:52 a.m.
On 09/15/2011 11:34 PM, Kashyap Chamarthy wrote:
On 09/15/2011 10:57 PM, Adam Young wrote:
> Some of you may be interested:
>
> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>
> Here's the short of it: once you have an NSS database set up, you can do
something like:
>
> curl --cacert ./CA.crt \
> --cert "CA Administrator of Instance pki-ca2's AyoungBostonDevelRedhat
Domain ID" \
> https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
> --pass freeipa4all
After setting the env variable SSL_DIR, I notice a
'peer certificate cannot be authenticated with known CA certificates'
What I'm unclear is: we're explicitly using --cacert, but still, the below error
indicates
that it's referring to it's internal CA certs "bundle" ?
Al I can think is that it is an RHEL 5 Curl issue. Use the curl -vv
option to get more debugging information.
############################################################################
kashyap@temp$ env | grep SSL_DIR
SSL_DIR=/var/tmp/temp/
kashyap@temp$
############################################################################
kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator of
Instance
pki-ca1-sep6's domaindrmtool1 ID"
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
kashyap@temp$
######################################################################
kashyap@temp$ certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Certificate Authority - domaindrmtool1 ,,
CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
kashyap@temp$
######################################################################
Though, if I pass the '--insecure' option as curl says above, I can get the
desired
output, but that beats the point..
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel
>
8:58 a.m.
On 09/16/2011 07:22 PM, Adam Young wrote:
On 09/15/2011 11:34 PM, Kashyap Chamarthy wrote:
> On 09/15/2011 10:57 PM, Adam Young wrote:
>> Some of you may be interested:
>>
>> http://adam.younglogic.com/2011/09/talking-to-dogtag-pki-via-curl/
>>
>> Here's the short of it: once you have an NSS database set up, you can do
something like:
>>
>> curl --cacert ./CA.crt \
>> --cert "CA Administrator of Instance pki-ca2's
AyoungBostonDevelRedhat Domain ID" \
>> https://servername:8443/ca/agent/ca/displayBySerial?serialNumber=0x6 \
>> --pass freeipa4all
>
> After setting the env variable SSL_DIR, I notice a
> 'peer certificate cannot be authenticated with known CA certificates'
>
> What I'm unclear is: we're explicitly using --cacert, but still, the below
error indicates
> that it's referring to it's internal CA certs "bundle" ?
Al I can think is that it is an RHEL 5 Curl issue. Use the curl -vv option to get more
debugging information.
Never mind, this is resolved. Please check my other reply w/ [resolved] in the subject.
I was missing the trust attributes for CA. (the verbose output gave the clue)
Thanks.
>
> ############################################################################
> kashyap@temp$ env | grep SSL_DIR
> SSL_DIR=/var/tmp/temp/
> kashyap@temp$
> ############################################################################
> kashyap@temp$ curl --cacert CA.crt --pass redhat --cert "CA Administrator of
Instance
> pki-ca1-sep6's domaindrmtool1 ID"
>
"https://foo.bar.com:9443/ca/agent/ca/displayBySerial?op=displayBySerial&serialNumber=0x3"
> curl: (60) Peer certificate cannot be authenticated with known CA certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
> kashyap@temp$
> ######################################################################
> kashyap@temp$ certutil -L -d .
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Certificate Authority - domaindrmtool1 ,,
> CA Administrator of Instance pki-ca1-sep6's domaindrmtool1 ID u,u,u
> kashyap@temp$
> ######################################################################
>
> Though, if I pass the '--insecure' option as curl says above, I can get the
desired
> output, but that beats the point..
>
>
>
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>
--
/kashyap
4854
days inactive
4855
days old
6 comments
2 participants
participants (2)
-
Adam Young -
Kashyap Chamarthy