0

I installed optware and I have curl available. I'm trying to get it to notify me (through pushover) when the router is rebooted.

curl \
-F "token=<token goes here>" \
-F "user=<user key goes here>" \
-F "message=ASUS Router WAN Up" \
https://api.pushover.net/1/messages

This is an Asus RT-N16 router using Tomato Firmware 1.28.0000 MIPSR2-097 K26 USB Mega-VPN

The error message indicates that it is an issue with the CA installed:

url: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

So what is the recommended way to install a CA bundle? Or should I just go insecure (-k works)?

Cade Roux
  • 375
  • 2
  • 5
  • 18
  • "curl isn't even working from a normal shell" - error? – DerfK Jul 31 '12 at 01:45
  • @DerfK No error message. It "runs". curl --help shows it's installed. Example I appended shows when I exit back from the shell into the router, the EXACT same command executes fine on Arch Linux (ARM). – Cade Roux Jul 31 '12 at 01:53
  • `-s` disables error messages. Try without it. – DerfK Jul 31 '12 at 02:00
  • @DerfK OK, thanks, I feel like an idiot not looking into that switch - I just had that script from the pushover API page. Looks like an SSL cert issue. – Cade Roux Jul 31 '12 at 02:10

1 Answers1

1

If you actually read the URL in the error message it will explain why this happened and what your options are. The summary is that you have two options:

  1. Disable certificate verification, which means that cURL will not check that you're connecting to the right server and you may be subject to a MITM attack. That's probably okay in this case, so specify the --insecure option to disable the check.
  2. Install a set of CA certificates for cURL to trust. If Tomato doesn't provide a package you can download a CA bundle from the cURL website (which are just converted from the Mozilla set). Store cacert.pem somewhere on the system and point cURL to this with the --cacert option.
mgorven
  • 30,615
  • 7
  • 79
  • 122