How to trust self-signed certificate in cURL command line?
Try -k:
curl -k https://yourhost/
It should "accept" self-signed certificates
Following these steps should solve your issue:
- Download and save the self-signed certificate:
echo quit | openssl s_client -showcerts -servername "${API_HOST}" -connect "${API_HOST}":443 > cacert.pem - Tell the
curlclient about it:curl --cacert cacert.pem --location --silent https://${API_HOST}
Also one could use wget and ignore certificates with: wget --no-check-certificate https://${API_HOST}
I had this issue, exact same problem and error messages, but I used GNUTLS's certtool to generate my cert rather than openssl.
My problem was that I had not made my self signed cert a CA. It was only configured to act as a web server cert. Which is all I wanted to do with it and I wasn't going to use it as a CA to sign other certs.
But when you want to add a cert into the trust chain as the Issuer of other certs, that cert must be a CA, or it's rejected by openssl!
With certtool -i < mycert.crt, one needs to see this:
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): TRUE
Try adding -addext basicConstraints=critical,CA:TRUE,pathlen:1 to your openssl command or modifying your cnf file to the same effect.
Or, use certtool, it's much easier for one-off cert generation:
certtool -p --outfile localhost.key
certtool -s --load-privkey localhost.key --outfile localhost.crt
And then answer the prompts to supply the cert's CN and so on. And say yes when asked if it's for a certificate authority!