Date: Sun, 22 Oct 2023 15:16:40 +0000
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: certctl, self-signed certificates and localhost with nginx, fetch and curl
Message-ID: <ef9d7775-80c0-4dd0-9668-79e92473b626@app.fastmail.com>
I'm experimenting with certctl(8) to see if I can get curl and the browser to
accept a self-signed certificate, and if I need a local CA as well for this:

```
$ sudo openssl req -newkey rsa:2048 \
    -keyout /usr/local/etc/ssl/keys/localhost.key \
    -x509 -days 365 -nodes -subj '/CN=localhost' \
    -out /usr/local/etc/ssl/certs/localhost.crt
...
$ sudo certctl -v trust /usr/local/etc/ssl/certs/localhost.crt
$ sudo certctl -v rehash
...
Reading ca-root-nss.crt
Adding cd8c0d63.1 to trust store
Scanning /usr/local/etc/ssl/certs for certificates...
Reading localhost.crt
Adding ce275665.0 to trust store
$ certctl -v list |grep ce275665
ce275665.0 subject=CN = localhost

### failures

$ fetch https://localhost/
Certificate verification failed for /CN=localhost
002061F61F310000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://localhost/: Authentication error

$ curl https://localhost/
curl: (60) SSL certificate problem: self-signed certificate

### success

$ curl --cacert /usr/local/etc/ssl/certs/localhost.crt https://localhost/
<html>
...
```

Any idea what I'm doing wrong here? Do I need a proper CA and not
just a local cert?

BTW nginx config used:

```
# /usr/local/etc/nginx/nginx.conf
events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /usr/local/etc/ssl/certs/localhost.crt;
        ssl_certificate_key /usr/local/etc/ssl/keys/localhost.key;

        location / {
            root /usr/local/www/nginx;
            index index.html index.htm;
        }
    }
}
```

A+
Dave
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ef9d7775-80c0-4dd0-9668-79e92473b626>