Curl: ignoring SSL errors

3 min read. Published 12.02.2020

I would like the curl command to ignore SSL certificate warnings.

Otherwise we can get an error like this one:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.

Does the curl command have a --no-check-certificate option like, for example, the wget command on Linux or Unix-like systems?

You just need to pass the -k or --insecure option to the curl command.

This option explicitly allows curl to perform "insecure" SSL connections and transfers.

All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default.

Contents

  1. Does curl have a --no-check-certificate option like, for example, the wget command on Linux?
  2. cURL | How to ignore SSL certificate warnings
  3. How to apply the change to all HTTPS connections
  4. How to set a trusted CA for curl

Does curl have a --no-check-certificate option like, for example, the wget command on Linux?

The following syntax lets the curl command work with "insecure" or "untrusted" SSL certificates:

curl -k url
curl --insecure url
curl --insecure [options] url
curl --insecure -I url

cURL | How to ignore SSL certificate warnings

In this example, certificate verification is disabled for the curl command:

curl --insecure -I https://202.54.1.2/

or

curl -k -O https://202.54.1.2/file.tar.gz

Without the -k or --insecure option you will get an error message like the following:

curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Here is a useful example where you fetch a file or view header information from a remote host without using the SNI-enabled SSL domain name:

curl -O --insecure --header 'Host: www.example.com' -I https://207.5.1.10/file.html
### or ###
curl -k --header 'Host: www.example.com' -I https://207.5.1.10/file.html

How to apply the change to all HTTPS connections

You can add the insecure option to your $HOME/.curlrc file:

$ vi $HOME/.curlrc

Save and close the file.

However, I do not recommend disabling SSL checks for all connections by default, for security reasons.

How to set a trusted CA for curl

You can try the following command for self-signed SSL/TLS certificates:

curl --cacert /pth/to/my/ca.pem https://url
curl --header 'Host: www.cyberciti.biz' --cacert /pth/to/my/ca.pem https://207.5.1.10/nixcraft.tar.gz


Hello, I want to use an API for a website but there is an error with my curl command.

I want to disable SSL certificate verification.

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


asked Feb 27, 2018 at 15:41


Simply add the -k switch somewhere before the url.

Disclaimer: Use this at your own risk.

man curl | less +/--insecure

-k, --insecure
(TLS) By default, every SSL connection curl makes is verified to be secure. This option allows curl to proceed and operate
even for server connections otherwise considered insecure.

The server connection is verified by making sure the server’s certificate contains the right name and verifies successfully
using the cert store.

See this online resource for further details:
https://curl.haxx.se/docs/sslcerts.html

See also --proxy-insecure and --cacert


answered Feb 27, 2018 at 15:46


Gilles Quénot


Introduction

If you need to make curl ignore certificate errors, make sure you know the consequences of insecure SSL connections and transfers.

You should only practice skipping certificate checks for development purposes.

In this tutorial, you learn how to make curl ignore certificate errors.


The basic syntax for ignoring certificate errors with the curl command is:

curl --insecure [URL]

Alternatively, you can use:

curl -k [URL]

A website is insecure if it has an expired, misconfigured, or no SSL certificate ensuring a safe connection. When you try to use curl to connect to such a website, curl responds with an error.

Note: The --insecure (-k) option is similar to the wget --no-check-certificate command used to avoid certificate authorities checking for a server certificate. To see how wget skips certificate checks, refer to the guide How To Use Wget Command With Examples.

For instance, if you run the command:

curl myawesomewebsite.com

The output should display the content of the URL. However, since this website has an invalid SSL certificate, it shows an error as in the example below.

curl: (60) SSL: no alternative certificate subject name matches target host name 'unixtutorial.test'

This means “peer certificate cannot be authenticated with known CA certificates.”

To bypass this constraint, you can use the --insecure (or -k) option allowing insecure server connections when using SSL. Therefore, you would run:

curl -k myawesomewebsite.com

Conclusion

After reading this article, you should know how to make curl ignore certificate errors. Although this is done simply by adding the -k option, do not instruct curl to ignore SSL errors unless required for development purposes.


I am developing and I need to access https://localhost. I know the certificate will not match. I just want curl to ignore that. Currently it gives me the following error message:

curl: (51) SSL peer certificate or SSH remote key was not OK

Is it possible to tell curl to perform the access anyway?

asked Jan 16, 2013 at 23:09


Yeah, you can do that. From curl --help or man curl:

-k, --insecure

(SSL) This option explicitly allows curl to perform "insecure" SSL
connections and transfers. All SSL connections are attempted to be
made secure by using the CA certificate bundle installed by default.
This makes all connections considered "insecure" fail unless -k,
--insecure is used.

See this online resource for further details:
http://curl.haxx.se/docs/sslcerts.html


answered Jan 16, 2013 at 23:11


curl -k or curl --insecure does NOT fix this particular error condition:

curl: (51) SSL peer certificate


answered Jun 28, 2014 at 21:04


user228425


If you truly want to disable curl SSL verification, by default, for ALL use cases, you can do as suggested in this Unix stack exchange answer:

$ echo insecure >> ~/.curlrc

Now should you do this? No, as this is avoiding security checks you should have in place… but if you really really want to do this, caveat emptor!

answered Jul 22, 2020 at 20:15


Brad Parks


Curl is a tool that allows data transfer between servers using SSL certificates for secure communication. SSL certificate errors may occur while using curl, and it may be necessary to ignore these errors if the website is known to be authentic and the errors are only warnings. It’s important to note that ignoring fatal SSL errors could compromise your data transfer security.

This write-up will elaborate on the methods to ignore or hide the curl SSL certificate errors using the following outline:

  • What are the Reasons for SSL Certificate Errors?
  • How to Ignore Curl SSL Certificate Errors?
    • Solution 1: Ignore Curl SSL Certificate Errors for a Specific URL
    • Ignore Curl SSL Certificate Errors Permanently (Testing Environment)
    • Solution 2:  Update the CA Certificates

Let’s discuss the reason for SSL certificate errors first.

What are the Reasons for SSL Certificate Errors?

Several SSL certificate errors can be encountered while working with SSH in Linux. Mostly these errors are just warnings, but in some cases they can be fatal. For instance, the curl command with the URL below shows the error “SSL certificate problem: certificate has expired”:

$ curl https://expired.badssl.com

The common reasons for curl SSL certificate errors are as follows:

  • There may be browser connectivity issues.
  • The SSL certificate is incorrect or expired.
  • The SSL certificate might have corrupt or improper data.
  • The CA certificates are missing the correct SSL certificates or contain expired ones.
  • The user is trying to contact a blocked webpage, or a firewall is blocking it.

Let’s check out the methods to ignore/hide these SSL certificate errors.

There are multiple ways to ignore curl SSL certificate errors. The most common one is documented in the curl command manual.

The official manual of the curl command shows that two options, “-k” and “--insecure”, can be used with the curl command to ignore SSL certificate errors. So, the basic syntax of the curl commands that ignore SSL certificate errors is given below:

$ curl -k [url]
$ curl --insecure [url]

Solution 1: Ignore Curl SSL Certificate Errors for a Specific URL

We can ignore SSL certificate errors for a specific URL by using the curl command’s “-k” and “--insecure” options. Let’s use “-k” to ignore the errors for a specific URL as shown below:

$ curl -k https://expired.badssl.com

The error-free output shows that curl has ignored all the SSL certificate errors.

Similarly, we can use the “--insecure” option to ignore or hide the SSL certificate errors as performed below:

$ curl --insecure https://expired.badssl.com

The output ignores the SSL errors.

Ignore Curl SSL Certificate Errors Permanently (Testing Environment)

We can permanently ignore SSL certificate errors by adding the insecure keyword to the curl configuration file “~/.curlrc”. To do so, run the echo command below to append “insecure” to the curlrc file:

$ echo "insecure" >> ~/.curlrc

The SSL certificate errors will be permanently ignored now.

Note: This method is acceptable only for testing or working environments where security is not critical. Otherwise it is not recommended, because it skips the certificate checks for every connection.
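Because an "insecure" line in ~/.curlrc silently affects every later curl call, it is worth checking for one on machines that matter. The following is an added example, not code from the articles or answers quoted on this page; it covers both .curlrc passages on this page. The function names audit_curlrc and curlrc_verifies_tls and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: report lines in a curl config file that turn off TLS
# certificate verification. Prints "file:line: text" for each finding.
audit_curlrc() {
  rc=${1:-$HOME/.curlrc}
  [ -r "$rc" ] || return 0               # no config file, nothing to report
  awk -v f="$rc" '
    {
      line = $0
      sub(/^[ \t]+/, "", line)            # leading whitespace is ignored
      if (line == "" || line ~ /^#/) next  # blank lines and comments
      opt = line
      sub(/[ \t=:].*$/, "", opt)          # option name ends at space, = or :
      sub(/^--/, "", opt)                 # long options may omit the dashes
      if (opt == "insecure" || opt == "proxy-insecure" || opt == "-k")
        printf "%s:%d: %s\n", f, NR, line
    }' "$rc"
}

# Exit status 0 when the file leaves verification on, 1 otherwise.
curlrc_verifies_tls() {
  [ -z "$(audit_curlrc "$1")" ]
}

# Constructed sample config, for demonstration only.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'silent' '  insecure' \
  '--proxy-insecure' 'user-agent = "demo"' '-k' > "$sample"
audit_curlrc "$sample"
curlrc_verifies_tls "$sample" || echo "verification is disabled in $sample"
rm -f "$sample"
```

Called without an argument, audit_curlrc checks $HOME/.curlrc; lines that are commented out or that use no-insecure are not reported.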

Solution 2:  Update the CA Certificates

Another cause of SSL certificate errors is an out-of-date set of system CA certificates. Often the SSL certificates have changed but the system CA certificates have not been updated, which causes the error. It can be resolved by updating the CA certificates with the following command:

$ sudo update-ca-certificates

That’s how curl ignores SSL certificate errors.

Conclusion

SSL certificates provide security for online communication in Linux, and errors can appear when there is a mismatch between the client and the remote server’s SSL certificate. We can ignore curl SSL certificate errors by using the “-k” or “--insecure” options with the curl command. Moreover, we can update the CA certificates when outdated ones are the cause of the SSL certificate errors.
