
I'm trying to access a partner's SOAP API. For that goal I made a CSR and received a CRT. I've made a PEM file with my key and the CRT:

cat mycert.crt mykey.key > mycertandkey.pem

When I try to hit the service with curl:

curl --verbose --cert mycertandkey.pem https://partner/service?wsdl
* Hostname was NOT found in DNS cache
*   Trying IP.IP.IP.IP...
* Connected to PARTNER (IP.IP.IP.IP) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Now when I try with the -k option everything works fine, but I'd rather add their current SSL certificate so I can connect without the -k option.

I'd like to try the second option in the following answer but haven't managed so far: https://stackoverflow.com/a/24618403/2730032

I retrieved different certificates from my partners service with openssl like in: https://stackoverflow.com/a/7886248/2730032

Afterwards I tried adding these certificates to my server with https://superuser.com/a/437377

But so far I still cannot get curl to work without the -k flag. Am I wrong in how I retrieve the needed certificate or in how I add it to my system? Or am I mistaken in my general approach?

EDIT 1: This is what happens when I try to get the certificates via SSL

openssl s_client -showcerts -connect PARTNER:443 </dev/null
CONNECTED(00000003)
depth=0 O = PARTNER_INFO, OU = PARTNER_INFO, CN = PARTNER_INFO
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = PARTNER_INFO, OU = PARTNER_INFO, CN = PARTNER_INFO
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = PARTNER_INFO, OU = PARTNER_INFO, CN = PARTNER_INFO
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO
   i:/C=PARTNER_INFO/ST=PARTNER_INFO/L=PARTNER_INFO/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO CA/emailAddress=PARTNER_INFO
-----BEGIN CERTIFICATE-----
CERTIFICATE1
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
-----BEGIN CERTIFICATE-----
CERTIFICATE2
-----END CERTIFICATE-----
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
CERTIFICATE3
-----END CERTIFICATE-----
---
Server certificate
subject=/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO
issuer=/C=PARTNER_INFO/ST=PARTNER_INFO/L=PARTNER_INFO/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO CA/emailAddress=PARTNER_INFO
---
No client certificate CA names sent
---
SSL handshake has read 3872 bytes and written 503 bytes
---
MORE INFO...

I've also tried openssl s_client -showcerts -key mycertandkey.pem -connect PARTNER:443 </dev/null but it gives me the same results (and certificates).

EDIT 2: As I've commented in the only answer so far: the partner in question added a Gandi CA to their server (at least that's what they tell me) and it now works. So it seems since their certificate is now signed by a CA that is in my default CA bundle I can now get curl to work without the -k flag. However it would be nice to know how I could've corrected the problem on my end.

Ixio
  • Importing a cert for a domain you do not own should always be a last resort. This can and will cause problems for you later on when that cert expires. You now have to manage certs that do not belong to you. Instead, get the owner of the domain to fix their SSL installation. Have them test their site in [Qualys](https://www.ssllabs.com/ssltest/index.html) and [SSL Shopper](https://www.sslshopper.com/ssl-checker.html) or via [TestSSL](https://github.com/drwetter/testssl.sh). This requires only openssl and bash. – Aaron Jul 05 '17 at 19:27

2 Answers


Assuming your system with curl is up to date and has the latest CA certs from your vendor, then you should not import any certs. Importing a cert for a domain you do not own should always be a last resort. If doing this, set up a cron job to email you and the partner monthly to remind both of you to fix this. Importing someone else's cert will cause problems for you later on when that cert expires. You now have to manage certs that do not belong to you. Escalate with the partner or vendor until they fix their cert installation.

Have them test their site:

Testing via Web UI

Qualys

SSL Shopper

From command prompt

TestSSL This requires only openssl and bash. This is useful for vips/end-points that are not open to the entire internet, such as staging sites.

Just git clone https://github.com/drwetter/testssl.sh.git then use testssl.sh to validate an https service.

After the SSL Site is correct

Now you need to ensure the CA certs in the operating system of your servers are up to date. The method of updating these varies with OS distribution and will be left to your sysadmins to research.

Importing Certs

Once you have verified that your partner site is set up correctly; meaning, it validates correctly in Qualys, SSL Shopper and TestSSL.sh, then

Copy the cert to /etc/pki/ca-trust/source/anchors/, then import and validate it.

cp /path/to/bad_partner_cert.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust enable
update-ca-trust extract
openssl verify /etc/pki/ca-trust/source/anchors/bad_partner_cert.pem

Again, this should be a last resort and very temporary, as you are now managing a cert that does not belong to you.

Aaron

The --cert option is for specifying your own certificate (client certificate). But it fails to verify the server's certificate. To specify this certificate use either --cacert or --capath, depending on how you have the server's certificate/CA (see documentation of curl). Note that you usually don't have a private key for the server's certificate, so only the certificate w/o the key should be given.

Steffen Ullrich
  • I tried using both --cacert and --capath with the certificates I got using openssl, however I still get the same error. – Ixio Jun 30 '15 at 15:35
  • Then you are using the wrong certificates. Hard to tell what you are really doing without knowing which certificates you use and which site you are trying to access. – Steffen Ullrich Jun 30 '15 at 17:05
  • Sorry, I can't get too specific. However, a general question is: shouldn't the certificate I need to add be available through openssl? – Ixio Jul 01 '15 at 08:28
  • Yes, you should be able to see the certificate sent by the server with `openssl s_client` and you might add this. But make sure that the subject in the certificate matches the name in the URL. `s_client` will not check this but curl will and complain if it does not match, although not with "unable to get local issuer certificate". BTW, the usual way is not to trust the certificate itself but the CA which signed the certificate. – Steffen Ullrich Jul 01 '15 at 09:40
  • The partner in question added a Gandi CA to their server (at least that's what they tell me) and it now works. If you update your answer to include that possibility I'll validate it, thanks for having tried to help. – Ixio Jul 23 '15 at 09:05
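An added check that is not from either answer, applied to the `openssl s_client -showcerts` output in EDIT 1: there, certificate 0 is issued by `CN=PARTNER_INFO CA`, but the next certificate the server sends has subject `VeriSign Class 3 Secure Server CA - G3`, so the leaf's issuer is served by nobody and curl reports `unable to get local issuer certificate` whatever `--cacert` you pass. The script parses such output and reports the first broken link; the abbreviated chains, the `served_chain` helper and the file names in the trailing comment are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the question or answers. Input format is that of
# `openssl s_client -showcerts`: " N s:<subject>" followed by "   i:<issuer>".
# A continuous chain has issuer(k) == subject(k+1) for every served pair; a
# break means the server sends the wrong intermediates, and no --cacert on the
# client can repair that, because the missing issuer is simply not available.
set -u

# Reads s_client output on stdin. Prints the first broken link and returns 1,
# or returns 0 when every served certificate's issuer is the next subject.
check_chain() {
  awk '
    /^ *[0-9]+ s:/ { n = $1; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    END {
      for (k = 0; (k + 1) in subj; k++)
        if (iss[k] != subj[k + 1]) {
          printf "break at depth %d: issuer \"%s\" != next subject \"%s\"\n", k, iss[k], subj[k + 1]
          exit 1
        }
      exit 0
    }'
}

# Real-world use (needs network, so not called below): dump what the server sends.
served_chain() {  # $1 = host:port, e.g. PARTNER:443
  openssl s_client -showcerts -connect "$1" </dev/null 2>/dev/null
}

# Constructed sample, abbreviated from the chain in EDIT 1 of the question: the
# leaf is issued by "PARTNER_INFO CA", yet the next served certificate is a
# VeriSign intermediate, so the chain is broken at depth 0.
BROKEN_CHAIN=' 0 s:/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO
   i:/C=PARTNER_INFO/O=PARTNER_INFO/CN=PARTNER_INFO CA
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Public Primary Certification Authority - G5'

# Constructed: the same leaf with its real issuer served as the intermediate.
OK_CHAIN=' 0 s:/O=PARTNER_INFO/OU=PARTNER_INFO/CN=PARTNER_INFO
   i:/C=PARTNER_INFO/O=PARTNER_INFO/CN=PARTNER_INFO CA
 1 s:/C=PARTNER_INFO/O=PARTNER_INFO/CN=PARTNER_INFO CA
   i:/C=PARTNER_INFO/O=PARTNER_INFO/CN=PARTNER_INFO ROOT'

if printf '%s\n' "$BROKEN_CHAIN" | check_chain; then echo "served chain is continuous"; fi
if printf '%s\n' "$OK_CHAIN" | check_chain; then echo "served chain is continuous"; fi
# Once the chain is continuous, verify the leaf against the CA bundle you plan
# to hand to curl --cacert (PEM blocks cut from served_chain output with
# sed -n '/-BEGIN CERT/,/-END CERT/p'), e.g.:
#   openssl verify -CAfile partner_ca.pem -untrusted chain.pem leaf.pem
```

Pipe `served_chain PARTNER:443 | check_chain` against the live service; if it reports a break at depth 0, the fix belongs on the partner's server, exactly as happened here once they installed the proper CA chain.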