cURL request not working with CA certificate on Windows

Hi,

The following command works fine on macOS, but I am unable to get it to work on Windows 10.

curl --cacert config\certs\http_ca.crt -u elastic https://localhost:9200

This happens after starting up a fresh cluster on version 8.1.0 (extracted from the zip file).

The command fails with the following error.

C:\Users\myuser\Desktop\elasticsearch-8.1.0>curl --cacert config\certs\http_ca.crt -u elastic https://localhost:9200
curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Using either --insecure or -k works, but that is not the ideal approach.

I followed the instructions within the documentation, so I presume that this approach should work. I am not very proficient with TLS certificates, so perhaps I am missing something?

Thanks!

Take a look at this post; there may be a typo in the docs.

Perhaps try this depending on where you're running the command from, but the service are not in the config directory. They're in the certs directory.

curl --cacert certs\http_ca.crt -u elastic https://localhost:9200

The typo is about something else (deb/rpm installation instructions); it doesn’t apply in this case. Also, the docs have already been fixed by now!

@Andy0708 the problem here is that your Windows installation has no internet connectivity and curl can’t look up CRLs. Try curl with --ssl-no-revoke

@stephenb Thanks! The path is actually correct when using a zip file setup. :slightly_smiling_face:

@ikakavas Hmm, I tried both on a separate physical Windows machine (and got the above error) and on a Parallels VM (on Mac). The latter gives me the following error.

curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Both have Internet access in general (including through curl). I also tried disabling the Windows firewall, but it made no difference.

I couldn't find any trace of that option anywhere (including in the man page). Maybe it has been replaced by --insecure and -k? Otherwise I must be missing something. :slightly_smiling_face:

I thought this was a Windows curl option :confused: maybe I’m mistaken. Can you try --ssl-revoke-best-effort? This should be available in recent curl versions.

Turns out ssl-no-revoke was there after all. Sorry, my bad. Using it does produce the error in my previous post, though.

Anyway, I am not actually going to use Elasticsearch on Windows since I am a Mac user. I am just producing some YouTube content and wanted to cover Windows as well. So if the command should work in general and this is somehow related to my particular setup, I am fine with leaving it at that. :wink:

Some of us actually need this to work on Windows.

I tried this on Mac and it worked perfectly. But when I tried it on Windows, I got the following errors:

Please don't paste screenshots of text.

They are not searchable, they are not accessible by vision impaired readers, they are hard to read on mobile devices and ultimately they make it far less likely that anyone will be able to provide you with the assistance you are after.

It looks like your first attempt connected correctly and you just entered the incorrect password for the elastic user.
Try it again, and double check the password.

Same problem here

curl --cacert config/certs/http_ca.crt -X GET https://localhost:9200
returns the error:

curl: (60) schannel: CertGetCertificateChain trust error CERT_TRUST_REVOCATION_STATUS_UNKNOWN
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If we use --insecure, it ignores the problem and I can get valid results.
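
Added example, not written by any poster in this thread or by Elastic: a Python script that tells apart the two Schannel failures quoted above (revocation status unknown versus untrusted root) and retries with only the revocation flags the thread mentions, keeping --cacert verification on every attempt rather than falling back to --insecure. The names `LADDER`, `classify`, `run_curl`, `probe` and the injectable `runner` parameter are assumptions made for illustration.

```python
import os
import re
import subprocess

# Revocation flags named in the thread, least to most permissive.
# --insecure/-k is deliberately absent: every attempt keeps --cacert.
LADDER = [[], ["--ssl-revoke-best-effort"], ["--ssl-no-revoke"]]

def classify(stderr):
    """Return (curl_error_code, failed_check) for Schannel error text."""
    m = re.search(r"curl: \((\d+)\)", stderr)
    code = int(m.group(1)) if m else None
    if "CERT_TRUST_REVOCATION_STATUS_UNKNOWN" in stderr:
        return code, "revocation"
    if "SEC_E_UNTRUSTED_ROOT" in stderr:
        return code, "untrusted_root"
    return code, "other"

def run_curl(args):
    """Default runner: invoke curl, return (exit_code, stderr)."""
    # No -u needed: a 401 reply still means the TLS handshake succeeded,
    # and curl exits 0 because -f is not used.
    cmd = ["curl", "-sS", "-o", os.devnull, *args]
    p = subprocess.run(cmd, capture_output=True, text=True)
    return p.returncode, p.stderr

def probe(url, cacert, runner=run_curl):
    """Walk LADDER; return (flags that worked or None, failure history)."""
    history = []
    for extra in LADDER:
        rc, err = runner(["--cacert", cacert, *extra, url])
        if rc == 0:
            return extra, history
        history.append((extra, classify(err)[1]))
        if history[-1][1] != "revocation":
            break  # relaxing revocation cannot fix a trust failure
    return None, history

if __name__ == "__main__":
    ok, hist = probe("https://localhost:9200", r"config\certs\http_ca.crt")
    for flags, kind in hist:
        print("failed:", flags or ["(strict)"], "->", kind)
    print("works with:", ok if ok is not None else "no revocation flag")
```

An empty list returned as the working flags means the strict command succeeded unchanged; `None` together with an `untrusted_root` entry means the CA file or trust path needs attention, not the revocation settings.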
