Curl: (77) Problem with the SSL CA cert (path? access rights?)

Hi,

I use a shell script to send curl to elasticsearch. But I got this error:

curl: (77) Problem with the SSL CA cert (path? access rights?)

My curl is like:

RESPONSE=$(curl -v -s -w "%{http_code}" -o /dev/null -XDELETE -u "${USERNAME}:${PASSWORD}" --cacert "${CACERT_PATH}" "${ELASTICSEARCH_URL}/${INDEX}")

CACERT_PATH= /etc/certs/mycert.cer
ELASTICSEARCH_URL="https://HOST:9200"

  • When I disable certificate usage with -k or --insecure, it works perfectly.

  • The script and elasticsearch are on the same Linux server.

The problem should be either user rights or the certificate itself, because it works without the certificate check.

Thanks.

That needs to be a CA; perhaps that is just the normal cert.

Can you just run curl with -v and show the output?

[user]$ ./shellscript.sh
START -----> shell script
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to MYHOST port 9200 (#0)
*   Trying IP...
* Connected to MYHOST (IP) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Closing connection 0
curl: (77) Problem with the SSL CA cert (path? access rights?)

Again, looks to me like you're using a normal cert, not a CA.
Did you create those certs yourself?

Did you check the path information on the file?

That looks odd too.

You should try running the curl manually outside your script

Also, you should look up some of the openssl commands and just check the cert, something like this:

openssl x509 -in /etc/certs/mycert.cer -text -noout

Finally I found out the reason.

I used a .cer certificate, but it did not work.
I converted it to a .pem file beginning with "BEGIN CERTIFICATE" and ending with "END CERTIFICATE".
It also did not work.

I used the same PEM but added the bag attributes at the beginning.

Bag Attributes
localKeyID: ...
subject=...
issuer=...
subject=...
issuer=...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=...
issuer=...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

and it worked fine.
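
The checks suggested in the replies above (path and access rights, PEM text versus a binary .cer, and whether each certificate is a CA), collected into one script. This is an added example, not code from the thread; the function names are hypothetical, and the per-certificate report assumes `openssl` is installed.

```shell
# Pre-flight checks for a file passed to curl --cacert (added example).

# Print how many PEM certificate blocks file $1 contains.
count_pem_certs() {
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print certificate number $2 (1-based) from bundle $1, markers included.
# Lines outside the markers ("Bag Attributes", subject=, issuer=) are skipped.
nth_pem_cert() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want            { print }
        /^-----END CERTIFICATE-----/   { inside = 0 }
    ' "$1"
}

# Return 0 if $1 can be read as a PEM CA file. Otherwise explain on stderr and
# return 2 (no such regular file), 3 (not readable) or 4 (no PEM certificate).
check_cacert_file() {
    f=$1
    # An empty or unset path variable also ends up in the first branch.
    [ -n "$f" ] && [ -f "$f" ] || { echo "not a regular file: '$f'" >&2; return 2; }
    [ -r "$f" ] || { echo "not readable by $(id -un): $f" >&2; return 3; }
    [ "$(count_pem_certs "$f")" -gt 0 ] ||
        { echo "no PEM certificate in $f (binary DER .cer?)" >&2; return 4; }
}

# Print subject, issuer and CA flag of every certificate in bundle $1.
describe_cacert_file() {
    total=$(count_pem_certs "$1"); i=1
    while [ "$i" -le "$total" ]; do
        pem=$(nth_pem_cert "$1" "$i")
        echo "certificate $i of $total"
        printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer || return 5
        if printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
            echo "  basic constraints: CA:TRUE"
        else
            echo "  not marked as a CA"
        fi
        i=$((i + 1))
    done
}

# Run both steps when a path is given: sh check_cacert.sh /path/to/ca.pem
if [ "$#" -gt 0 ]; then
    check_cacert_file "$1" && describe_cacert_file "$1"
fi
```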
