curl “Peer's public key is invalid.” unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

I'm trying to connect my PHP app to the server, which requires auth by private key and does not have certs on public servers.

API location: https://b2b.postaonline.cz/

To access the API from the browser, I have installed these certs: http://www.postsignum.cz/certifikaty_autorit.html (PEM)

Then I was able to connect with my .pfx cert, retrieved from PostSignum.

However, I'm unable to connect from the Linux server using curl. Ofc, I have searched and tested stuff for several hours - like converting private to RSA and so on.

So the current status is that I have used the received .pfx and extracted stuff like this:

 openssl pkcs12 -in certificate.pfx -out ca.pem -cacerts -nokeys
 openssl pkcs12 -in certificate.pfx -out client.pem -clcerts -nokeys
 openssl pkcs12 -in certificate.pfx -out key.pem -nocerts

Afterwards, I used curl to connect:

$ curl -v  --key ./key.pem --cacert ./ca.pem --cert ./client.pem https://b2b.postaonline.cz/
*   Trying 193.150.24.113...
* Connected to b2b.postaonline.cz (193.150.24.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./ca.pem
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

This is something I'm getting with all the variations.

Notes: when I loaded my certificate.pfx into the browser, the connection was still insecure. So I downloaded the following from the PostSignum cert site and loaded them into the browser:

Postsignum Root QCA 2
Postsignum Public CA 2

Just after that I was able to connect from the browser.

I think this is something I also need to do in curl, but I have no idea how. With the ca.pem and client.pem, which are extracted just from certificate.pfx, I think curl is running into the same trouble as the browser was before the additional Authority certs were loaded. Any idea how to use that?

Thank you.

There were 2 issues combined, now fixed - thanks to strace.

  1. I have to supply an RSA private key, as mentioned in other posts
  2. When using a local private key file with a passphrase, we can't supply it as ./key:pass, but by using the --pass {phrase} option
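The two fixes above as a pre-flight check, an added example that is not part of the original post: `openssl pkcs12 -nocerts` writes the key in PKCS#8 form (`BEGIN ENCRYPTED PRIVATE KEY`), while the answer says this curl build needs an RSA key. The function names, `key.rsa.pem` and `KEY_PASSPHRASE` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): classify a PEM client key and
# convert it to the traditional RSA form before passing it to curl.

# Print the container type of the first private key found in PEM file $1.
pem_key_type() {
    local header
    # pkcs12 output may start with "Bag Attributes" lines, so search for the header.
    header=$(grep -m1 -e '-----BEGIN .*PRIVATE KEY-----' "$1") || { echo "none"; return 1; }
    case "$header" in
        *"BEGIN RSA PRIVATE KEY"*)
            # Traditional RSA key; an encrypted one carries a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo "rsa-encrypted"; else echo "rsa"; fi ;;
        *"BEGIN ENCRYPTED PRIVATE KEY"*) echo "pkcs8-encrypted" ;;
        *"BEGIN PRIVATE KEY"*)           echo "pkcs8" ;;
        *)                               echo "other" ;;
    esac
}

# Succeed only when $1 is already in the "BEGIN RSA PRIVATE KEY" form.
is_rsa_pem() {
    case "$(pem_key_type "$1")" in rsa|rsa-encrypted) return 0 ;; *) return 1 ;; esac
}

# Rewrite key $1 as a passphrase-protected traditional RSA PEM in $2.
# OpenSSL 3.x emits PKCS#8 from "openssl rsa" unless -traditional is given;
# older releases emit the traditional form by default and lack that flag.
to_rsa_pem() {
    local flag=""
    case "$(openssl version)" in "OpenSSL "[3-9]*) flag="-traditional" ;; esac
    openssl rsa $flag -aes256 -in "$1" -out "$2"   # prompts for both passphrases
}

# Typical use with the files from the question (KEY_PASSPHRASE is an assumed variable):
#   is_rsa_pem key.pem || to_rsa_pem key.pem key.rsa.pem
#   curl -v --key ./key.rsa.pem --pass "$KEY_PASSPHRASE" \
#        --cert ./client.pem --cacert ./ca.pem https://b2b.postaonline.cz/
# Note: a passphrase given on the command line is visible in the process list.
```
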
