22

I am using the curl terminal and while issuing the following command:

curl --anyauth --user admin:admin "https://localhost:8000/LATEST/search?q=caesar"

I am getting the below alert:

curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Please suggest. I have installed curl in Windows and also downloaded the .pem file and placed it in the same folder.

Mads Hansen
Aviator
  • 2
    curl supports many different SSL/TLS stacks, but your error message indicates the one you are using uses schannel, which uses as its truststore the Windows certificate store. Make sure the root cert for your server's cert chain is **imported to the TrustedRoot section** (not some other section) **of the Windows certstore _for your userid_** (not some other userid, because for example Windows treats LocalService and NetworkService accounts as different from the/a interactive-user account). – dave_thompson_085 May 08 '20 at 13:43
  • Can you please explain a bit more? Where do I need to do the changes? – Aviator May 08 '20 at 16:42
  • 2
    Option A: rename the cert file to end with .cer or .crt and double-click it then click 'Install'; choose CurrentUser then PlaceIn:TrustedRootCAs and confirm. Option B below 10: in control panel open InternetOptions; or in IE Tools / Internet Options; or (even in 10) start inetcpl.cpl; choose Content / Certificates / TrustedRootCAs then click Import, select your file, and confirm. Option C: start mmc and File/AddSnapin Certificates for MyUser and OK; or run certmgr.msc; right-click TrustedRootCAs, AllTasks / Import, select your file, and confirm. – dave_thompson_085 May 10 '20 at 14:49

2 Answers

41

If your server has a self-signed cert, then by default curl doesn't know that it can trust that the server is who it says it is, and doesn't want to talk.

You can either:

  • import the cert into your trust store (best and most secure)
  • apply the -k or --insecure switch to ignore and continue. This may be fine for local development.
  • use a real cert, signed by a trusted CA
Mads Hansen
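
The first option above (importing the certificate into the trust store schannel uses), as an added PowerShell example that is not part of the original answer or comments. It inspects the certificate before trusting it and imports it for the current user only. The file name `server.pem` and the expected-thumbprint placeholder are assumptions to be replaced with your own values.

```powershell
# Added example. Assumption: the downloaded certificate is .\server.pem (hypothetical name).
# .NET resolves relative paths against the process directory, so build a full path.
$pemPath = Join-Path $PWD 'server.pem'
# Placeholder: SHA-1 thumbprint obtained out of band from whoever runs the server.
$expectedThumbprint = '<THUMBPRINT-OBTAINED-OUT-OF-BAND>'

# Load the certificate file; nothing is trusted at this point.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pemPath)
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Only a self-signed certificate (Subject equals Issuer) belongs in the Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed: import the issuing root ($($cert.Issuer)) instead of this certificate."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}
# -ne is case-insensitive, so hex case differences do not matter.
if ($cert.Thumbprint -ne $expectedThumbprint) {
    throw "Thumbprint $($cert.Thumbprint) does not match the expected value."
}

# Add to Trusted Root Certification Authorities for the current user only.
# Windows shows a confirmation dialog for this store.
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'CurrentUser')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
} finally {
    $store.Close()
}

# Confirm it landed in the store schannel reads for this user.
Get-ChildItem Cert:\CurrentUser\Root | Where-Object Thumbprint -eq $cert.Thumbprint

# Call curl.exe explicitly: in Windows PowerShell, "curl" is an alias for Invoke-WebRequest.
curl.exe --anyauth --user admin:admin "https://localhost:8000/LATEST/search?q=caesar"
```

Run it as the same Windows user that runs curl, since the CurrentUser store is per account.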
1

For local dev and a quick solution, run this line
set_config( config( ssl_verifypeer = 0L ) )
before
httr::GET(....)

but as suggested it's still preferable to use a real cert.

Zeus