If you access the HTTPS URL via cURL, you will get the error below. This is curl’s way of warning you that the server certificate is self-signed and could not be validated against its ‘CA bundle’ (a list of pre-downloaded certificates that are safe).
curl: (60) SSL certificate problem: self signed certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
In our case, since it is a self-signed certificate we created for manual purposes, we need to let curl know that it is OK to communicate with this URL. There are 2 ways to do it:
- Use the curl -k option to connect to the SSL site without verifying the certificate. Of course, this is not safe.
- Add our self-signed certificate to the default CA certificate bundle. Curl’s default CA bundle is stored in a file called ca-bundle.crt. If you don’t find it on your machine, there are a couple of ways to get it.
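(A) Download the generic version from the curl website. Note that the command below fetches the bundle over plain HTTP, so nothing authenticates the downloaded file.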
curl http://curl.haxx.se/ca/cacert.pem -o C:\Fig\ca-bundle.crt
(B) If you are not comfortable using the generic version, you can download the source code for curl from GitHub and generate it locally as follows: (Reference: https://gist.github.com/jjb/996292)
git clone https://github.com/bagder/curl.git
cd curl/lib
# Edit mk-ca-bundle.pl and change http to https in the line below:
#   my $url = 'http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1';
perl ./mk-ca-bundle.pl
# The script creates the ca-bundle.crt file.
Before appending our certificate to the above ca-bundle.crt file, we need to first download the self-signed certificate from the server.
(1) Downloading server certificate locally
(a) From the browser you can save the certificate directly in a .cer file. This file needs to be converted to PEM format using:
C:\OpenSSL-Win64\bin\openssl x509 -inform DER -in c:\figserver.cer -out C:\figservercert.pem -text
(b) Via OpenSSL: enter the command below with your own server name and HTTPS port. After the certificate details are printed on the console, type QUIT.
C:\apps\OpenSSL-Win64\bin\openssl s_client -connect localhost:8443
(2) Copy & save the content between the BEGIN & END CERTIFICATE blocks (including BEGIN & END) and append it to ca-bundle.crt file.
Run the curl command now pointing to the local ca-bundle.crt file and access the SSL site.
curl -D- --cacert ./ca-bundle.crt -H "Authorization: Basic Zml6YWxhZG1pbjpmaXphbGFkbWlu" -X GET https://localhost:8443/Fig-0.0.1/fig/task/z4
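Steps (1)(b) and (2) can be scripted so the certificate is not hand-copied from the console. The following POSIX shell script is an added example, not part of the original post: it extracts the PEM block from `openssl s_client` output, prints the SHA-256 fingerprint so it can be compared with the certificate on the server, and appends the certificate to the bundle only if it is not already there. The function names are hypothetical, and it assumes `openssl` is on the PATH and a POSIX shell (for example Git Bash on Windows).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print only the PEM certificate blocks found on stdin, dropping the
# handshake details that openssl s_client prints around them.
extract_pem_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep                          { print }
         /-----END CERTIFICATE-----/   { keep = 0 }'
}

# Join the base64 body of every PEM block in file $1 into one line.
pem_body() {
    extract_pem_certs < "$1" | grep -v -e '-----' | tr -d '\r\n'
}

# Append the certificate in file $1 to bundle $2 unless it is already there.
# Returns 0 if appended, 1 if already present, 2 if $1 holds no certificate.
append_cert_to_bundle() {
    cert=$1 bundle=$2
    body=$(pem_body "$cert")
    [ -n "$body" ] || return 2
    if [ -f "$bundle" ] && pem_body "$bundle" | grep -qF -e "$body"; then
        return 1
    fi
    { echo; extract_pem_certs < "$cert"; } >> "$bundle"
}

# Fetch the server certificate, print its fingerprint, add it to the bundle.
trust_server_cert() {
    host=$1 port=$2 bundle=$3
    tmp=$(mktemp) || return 3
    # </dev/null closes the session, replacing the manual QUIT.
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
        extract_pem_certs > "$tmp"
    # Compare this fingerprint with the certificate file on the server
    # before relying on the bundle; the handshake alone proves nothing.
    openssl x509 -in "$tmp" -noout -subject -fingerprint -sha256
    rc=0
    append_cert_to_bundle "$tmp" "$bundle" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh trust-cert.sh localhost 8443 ./ca-bundle.crt
if [ "$#" -eq 3 ]; then
    trust_server_cert "$@"
fi
```

Running it against a copy of ca-bundle.crt rather than the system-wide file keeps the self-signed certificate trusted only by the curl calls that pass `--cacert`.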