
I'm working on a script which depends on a remote API endpoint which I do not control.

Today, my script stopped working, because the endpoint's SSL certificate expired today and they haven't yet fixed it. Running curl -v, I get the following output:

wug@server:~$ curl -v -G -m5 [redacted]
* Connecting to hostname: 10.12.112.1
*   Trying 10.12.112.1:19999...
* TCP_NODELAY set
* Connected to 10.12.112.1 (10.12.112.1) port 19999 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /[redact]/ca.rsa.4096.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, certificate expired (557):
* SSL certificate problem: certificate has expired
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

I'm annoyed about this, but it's outside my control. Security is a concern here, so I don't want to disable all TLS verification with curl -k. Ideally, I would pass a parameter which instructs curl to selectively ignore errors about expired certificates (which appears to be TLS 1.3 error 557). Is it possible to do this? If not, can wget do it?

Wug
    If security was a concern, the certificate would not be expired. In any case this makes no sense, because the expired certificate is not valid for _any_ name or _any_ purpose. – Michael Hampton Jun 27 '21 at 11:04

1 Answer


I did not find a way to selectively ignore errors about expired certificates.

It might help to use --pinnedpubkey with the hash of the server certificate. The downside is that, obviously, you will have to change the hash whenever the server certificate gets updated.

I am not entirely sure what will happen if the hash is correct but the certificate is expired. For my use cases, it proved possible to combine --pinnedpubkey with --insecure without --insecure overriding the --pinnedpubkey setting, but I do not know if this is the assured behaviour or if it may change over curl versions.

Erpelstolz
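Added example, not code from the question or the answer above: a POSIX shell script that derives the value --pinnedpubkey expects from a certificate and prints the two curl invocations the answer discusses (pin with full verification, and pin combined with --insecure). It assumes the openssl and curl command-line tools are installed; the host, port and URL it handles are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example: build a curl --pinnedpubkey value from a certificate.
# Assumes the openssl and curl CLI tools are installed (not part of the page).

# Print the "sha256//<base64>" pin for the public key in a PEM certificate.
# curl hashes the DER-encoded SubjectPublicKeyInfo, not the whole certificate,
# so a renewal that reuses the same key pair keeps the pin valid; a renewal
# with a fresh key pair (the answer's caveat) changes it.
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A \
      | sed 's#^#sha256//#'
}

# The same pin computed from the private key, to confirm that a renewed
# certificate still carries the key you pinned.
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A \
      | sed 's#^#sha256//#'
}

# Fetch the leaf certificate currently served by host:port (placeholder
# argument, e.g. api.example.test:443) as PEM, for use with spki_pin_from_cert.
fetch_leaf_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
      | openssl x509
}

# Preferred form: pin the key and keep CA, hostname and expiry checks on.
# An expired certificate still fails here, exactly as in the question.
pinned_curl_cmd() {
    printf 'curl --pinnedpubkey %s -G -m5 %s\n' "$1" "$2"
}

# The combination the answer describes: --insecure drops the CA chain, name
# and expiry checks, so the pin comparison is the only identity check left.
pinned_insecure_curl_cmd() {
    printf 'curl --pinnedpubkey %s --insecure -G -m5 %s\n' "$1" "$2"
}

# Usage (placeholders):
#   pin=$(fetch_leaf_cert api.example.test:443 | spki_pin_from_cert /dev/stdin)
#   pinned_curl_cmd "$pin" https://api.example.test/endpoint
```

Record the pin out of band (from the operator, or from a connection you verified while the certificate was still valid) rather than from the same unverified connection you intend to trust; a pin taken from an already suspect connection only proves the connection is consistent with itself.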