2
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 2118b878-46a8-3b9d-a911-8ac18a0b13cf' 'https://172.17.0.1:8243/V1.0.2/stock/getParam?age=123'

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

After I design an API on API MANAGER PLATFORM, I do the curl command and there is the above logs. How to resolve the cert?

Community
  • 1
  • 1
Mike
  • 419
  • 1
  • 6
  • 16
  • Hope to reply.. – Mike Dec 28 '16 at 07:27
  • You have to check your */etc/ssl/certs/ca-certificates.crt* file first, if exists and if you have read access. It's an issue about certificates, so check the server certificate and if you have a certification authority shared with the server cert. – Mario Santini Dec 28 '16 at 08:19
  • @Mario Santini . The cert can be readed. – Mike Dec 28 '16 at 09:20
  • as suggested by answer you have to verify the server certificate. Then if is a self signed, you have to provide this cert as a trusted certificate in your *curl* command. If is signed by a certification authority, import the proper certificate so your *curl* can accept the server certificate. – Mario Santini Dec 28 '16 at 10:32
  • I use the default configuration in api manager . How can I verify the certificat is a self signed cert or a certificat signed by a certification authority? – Mike Dec 29 '16 at 03:33
  • You could just read the certificate. You can use *openssl* to read it. Have a look yo the *issuer* field – Mario Santini Dec 29 '16 at 07:58

2 Answers2

1

You're probably having trouble with a self-signed certificate.

Get the certificate and use the argument --cacert <certfile> to authenticate with it.

To test your function and if you are absolutely certain that the certificate is OK, try -k to accept the invalid certificate. However, you must never, ever do this in production and/or if you are unsure that it is the certificate that you intended as it takes away the value of using SSL.

ti7
  • 16,375
  • 6
  • 40
  • 68
0

you can use "-k" option[1] in curl command to have insecure ssl connection.If you want to verify the server cert then you need to point the trust cert bundle to curl using optin "--cacert" [1]

curl -k -X GET --header 'Accept: application/json' --header 'Authorization: Bearer 2118b878-46a8-3b9d-a911-8ac18a0b13cf' 'https://172.17.0.1:8243/V1.0.2/stock/getParam?age=123'

[1] https://curl.haxx.se/docs/manpage.html

Jenananthan
  • 1,381
  • 2
  • 10
  • 20
  • If I use "-k" option[1] in curl . Then , how can I do on the API Console. I can not do the curl command. – Mike Dec 28 '16 at 08:05
  • if it is self signed cert , you need to import/allow the cert as trusted cert in browser. you can do it by hitting the gw url in browser and accept the cert https://172.17.0.1:8243. Thereafter you can invoke the api in api console – Jenananthan Dec 28 '16 at 12:22
  • I use the default configuration in api manager . How can I verify the certificat is a self signed cert or a certificat signed by a certification authority? – Mike Dec 29 '16 at 03:33
  • wso2 products uses self singed cert by default – Jenananthan Dec 29 '16 at 03:34
  • Then ,If I want to import/allow the cert as trusted cert in browser, First ,where is the default cert ? – Mike Dec 29 '16 at 05:12
  • or how can export the public key and I will put it in /etc/ssl/certs/ca-certificates.crt – Mike Dec 29 '16 at 05:55
  • Can we talk by E-mail ? It may be quick to check the problem. Mine is mikeenglish@163.com – Mike Dec 29 '16 at 06:11