1

Request to a single specific https endpoint fails on one of my servers with "NSS: client certificate not found (nickname not specified)" error from PHP CURL.

When I ran the same query from the command line with verbose option I got the same error, but after that I also got a valid response (after the error in the same CURL request).

Then I've enabled verbose option for my PHP CURL request and displayed it for testing like this:

$error = curl_error($curl);

if ($error) {
        echo "cURL Error #:" . $error;

        rewind($verbose);
        $verboseLog = htmlspecialchars(stream_get_contents($verbose));

        echo "<pre>";
        print_r($verboseLog);
} else {
  echo $response;
}

And got this as output:

cURL Error #:NSS: client certificate not found (nickname not specified)
* About to connect() to <address> port 8001 (#0)
*   Trying <ip>... * connected
* Connected to <address> (<ip>) port 8001 (#0)
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=*.<address>m,O=XXX A.S.,OU=IT,L=Umraniye,ST=Istanbul,C=TR
*   start date: Jun 11 12:52:03 2015 GMT
*   expire date: Jun 09 14:16:13 2018 GMT
*   common name: *.<address>
*   issuer: CN=GlobalSign Organization Validation CA - SHA256 - G2,O=GlobalSign nv-sa,C=BE
> POST /<url_part> HTTP/1.1
Host: <address>:8001
Accept: */*
Accept-Encoding: deflate, gzip
authorization: Basic UlBlahBlahnJrcjEyMzQ1Ng==
cache-control: no-cache
content-type: application/json
postman-token: eeefe018-7cac-1706-7b6d-847800a7ad0f
Content-Length: 333

< HTTP/1.1 200 OK
< set-cookie: sap-usercontext=sap-client=100; path=/
< set-cookie: SAP_SESSIONID_CFP_100=ohZvfO5ZOwq_LTE76Zgz9L-C0NdhlRHngM0AF6R3IFY%3d; path=/
< content-type: application/json; charset=utf-8
< content-length: 1150
< cache-control: max-age=0
< sap-cache-control: +180 
< sap-isc-uagent: 0
< 
* Connection #0 to host <address> left intact
* Closing connection #0

So, CURL request finished with the error, but in verbose log we see that after the error valid response was also fetched.

Here's my questions:

  1. Is there any way to overcome this NSS issue as long as other different https endpoints work completely fine? Is it connected with endpoint's server configuration and can be resolved there?
  2. If the first item fails, is it possible not to throw CURL NSS error, but get the response instead? CURLOPT_FAILONERROR option does not help.

CURL was built with NSS:

curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Update:

The second item can be closed, because this error is really strange: curl_error returns the error, but curl_exec returns valid response at the same time.

Gino Pane
  • 4,740
  • 5
  • 31
  • 46
  • maybe look **[here](https://stackoverflow.com/questions/15773806/nss-client-certificate-not-found-nickname-not-specified)** to see if any of it is applicable to your situation. – YvesLeBorg Jul 05 '17 at 16:26
  • @YvesLeBorg No, it does not applicable, the problem is that I do not use any explicit certificates. – Gino Pane Jul 05 '17 at 16:31

1 Answers1

1

Try giving a absolute path to the certificate and add a "./" prefix. For example "./path-to-your-cert"

Sarbartha Rana
  • 31
  • 2