具有相互身份验证的 cUrl

cUrl with mutual authentication

我正在尝试对第 3 方服务器执行 cUrl。他们为我提供了一个 p12 文件,我将其安装在浏览器中。使用浏览器时,我会收到服务器的响应。从 linux 终端执行 cUrl 时出现握手错误。

我将 .p12 提取到密钥和证书中,然后我 运行 执行以下命令:

curl --key client.key --cert client.crt -X GET -v https://x.x.x.x:xxxx/folder/endpoint

并得到如下回复:

Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying x.x.x.x...
* TCP_NODELAY set
* Connected to x.x.x.x (x.x.x.x) port xxxx (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

我需要在某处添加自签名证书吗?我觉得我错过了什么。如前所述,它可以在导入证书的浏览器中运行,因此我确信他们的证书没有问题。我知道我错过了一些东西。

谢谢,

您的错误信息是:

unable to get local issuer certificate

这意味着 curl 无法从信任库中找到颁发者(签署服务器证书的 CA)的证书:

/etc/ssl/certs/ca-certificates.crt

您只需下载 CA 证书并将其添加到信任库即可。

是的,如果您下载了 curl 命令或自签名证书(在我的例子中),您需要向 curl 命令添加 --cacert 选项

curl --key client.key --cert client.crt --cacert bundle.pem -X GET -v https://x.x.x.x:xxxx/folder/endpoint.

bundle.pem 有 server.crt 和 rootCA.crt。

cat server.crt rootCA.crt >> bundle.pem