Date:      Sun, 22 Oct 2023 15:16:40 +0000
From:      "Dave Cottlehuber" <dch@skunkwerks.at>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   certctl, self-signed certificates and localhost with nginx, fetch and curl
Message-ID:  <ef9d7775-80c0-4dd0-9668-79e92473b626@app.fastmail.com>

I'm experimenting with certctl(8) to see if I can get curl and
the browser to accept a self-signed certificate, and if I need a
local CA as well for this:

```
$ sudo openssl req -newkey rsa:2048 \
  -keyout /usr/local/etc/ssl/keys/localhost.key \
  -x509 -days 365 -nodes -subj '/CN=localhost' \
  -out /usr/local/etc/ssl/certs/localhost.crt
...

$ sudo certctl -v trust /usr/local/etc/ssl/certs/localhost.crt
$ sudo certctl -v rehash
...
Reading ca-root-nss.crt
Adding cd8c0d63.1 to trust store
Scanning /usr/local/etc/ssl/certs for certificates...
Reading localhost.crt
Adding ce275665.0 to trust store

$ certctl -v list |grep ce275665
ce275665.0      subject=CN = localhost

### failures
$ fetch https://localhost/
Certificate verification failed for /CN=localhost
002061F61F310000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://localhost/: Authentication error

$ curl  https://localhost/
curl: (60) SSL certificate problem: self-signed certificate

### success
$ curl --cacert /usr/local/etc/ssl/certs/localhost.crt  https://localhost/
<html>
... 
```

Any idea what I'm doing wrong here? Do I need a proper CA and not
just a local cert?

BTW nginx config used:

```
# /usr/local/etc/nginx/nginx.conf
events {
  worker_connections  1024;
}

http {
  include mime.types;
  default_type application/octet-stream;

  server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /usr/local/etc/ssl/certs/localhost.crt;
    ssl_certificate_key /usr/local/etc/ssl/keys/localhost.key;

    location / {
      root /usr/local/www/nginx;
      index index.html index.htm;
    }
  }
}
```

A+
Dave
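The checks below are an added example and not part of Dave's mail or of certctl(8) itself. They take the same shape as the question: a certificate file, a hashed trust directory of the kind `certctl rehash` maintains, and the hostname the client dials. The script assumes openssl(1) is in PATH, that the store is looked up the way OpenSSL's `-CApath` does (files named `<subject_hash>.0`, with no hash collisions), and that the `-verify_hostname` option of `openssl verify` is available (OpenSSL 1.1.0 and later). It never touches the system trust store; every path is an argument.

```shell
#!/bin/sh
# Added example (not from the original mail): does a certificate verify
# from a hashed trust directory, and does it match the hostname a client
# such as fetch or curl will present? Paths are arguments only.
set -eu

# Name a cert gets inside a hashed directory: subject hash plus ".0".
# Assumes no other cert in the store shares the hash (certctl would
# otherwise bump the suffix to .1, .2, ...).
trust_link_name() {
  printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# Copy a cert into a trust directory under its hashed name, which is
# what makes it findable for -CApath style lookups.
install_into_store() {
  cert=$1; store=$2
  mkdir -p "$store"
  cp "$cert" "$store/$(trust_link_name "$cert")"
}

# SHA-256 fingerprint, so an installed copy can be matched to its source
# even when the file names differ.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 if the store holds a copy of the cert (same fingerprint), 1 otherwise.
store_has_cert() {
  cert=$1; store=$2
  want=$(fingerprint "$cert")
  for f in "$store"/*; do
    [ -f "$f" ] || continue
    [ "$(fingerprint "$f")" = "$want" ] && return 0
  done
  return 1
}

# 0 if OpenSSL can build a trusted chain from the store AND the name
# matches (SAN first, CN as fallback); this is the check TLS clients run
# before sending any request.
verify_against_store() {
  cert=$1; store=$2; host=$3
  openssl verify -CApath "$store" -verify_hostname "$host" "$cert" >/dev/null 2>&1
}

# Human-readable report for one cert/store/host triple.
report() {
  cert=$1; store=$2; host=$3
  printf 'hashed name : %s\n' "$(trust_link_name "$cert")"
  if store_has_cert "$cert" "$store"; then
    echo "in store    : yes"
  else
    echo "in store    : no"
  fi
  if verify_against_store "$cert" "$store" "$host"; then
    echo "verify      : OK for $host"
  else
    echo "verify      : FAILED for $host (see: openssl verify -CApath $store $cert)"
  fi
}

# Usage: sh check-trust.sh /usr/local/etc/ssl/certs/localhost.crt /etc/ssl/certs localhost
if [ "$#" -eq 3 ]; then
  report "$@"
fi
```

Running `report` against the directory the client actually reads separates the two failure modes in the mail: "in store: no" means the rehash step did not land the cert where the client looks, while "in store: yes" with a failed verify points at the certificate itself or at the name check. When constructing a test certificate, add a subjectAltName (`-addext 'subjectAltName=DNS:localhost'`) alongside the CN; browsers such as Chrome ignore the CN and require a SAN.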
