2

I have the following bash script that checks the existence of a given SSL client certificate in Apache.

#!/bin/bash
cert=$1
echo | openssl s_client -connect localhost:443 | grep -q "$cert" > /dev/null 2>&1
if [ $? -eq 0 ]; then
  echo "$cert" "client cert already exist"
else
  : # Create a new client cert in Apache (body omitted; bash needs at least one command here)
fi

Even though I am sending stdout and stderr of the openssl command to /dev/null, the command is still showing the following error on the console!

depth=3 C = OM, O = ORG, OU = For Staging, CN = ROOT CA - 1
verify error:num=19:self signed certificate in certificate chain
verify return:0
/C=om/O=o/CN=MY_CERT
DONE

peterh
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the CA certificate in the appropriate trust store. In OpenSSL's case, load it via `SSL_CTX_load_verify_locations` or `SSL_load_verify_locations`. – jww Nov 08 '17 at 13:55
  • Thanks for the answer. But my requirement is: how can I send that error to /dev/null? – Ishtiaque Daudpota Nov 09 '17 at 10:41

1 Answer

4

The problem is that you're not actually sending openssl's stderr to /dev/null, but grep's.

To send openssl's stderr to /dev/null you need to put the redirection into the same part of the pipe as the openssl invocation. And as you're using grep -q you don't need any I/O redirection on grep.

This should do it:

echo | openssl s_client -connect localhost:443 2>/dev/null | grep -q "$cert"
fholzer
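Worked example of the point the answer makes, added here and not code from the original question or answer. A fake producer stands in for openssl s_client (it writes the certificate to stdout and the "verify error" / "DONE" lines to stderr, as s_client does), so the example runs offline; each function captures the stderr that escapes the pipeline and counts it, first with the redirection on grep as in the question, then with it on the producer as in the answer. The real_cert_present function shows the corrected pattern against a live server; its -servername flag, the </dev/null stdin and the openssl x509 -subject filter are assumptions of this example, not part of the original script, and it is not exercised here.

```shell
# Added example (not code from the original question or answer).
# fake_s_client imitates 'openssl s_client': certificate text on stdout,
# verification chatter on stderr.
fake_s_client() {
    echo "subject=/C=om/O=o/CN=MY_CERT"                                        # stdout
    echo "verify error:num=19:self signed certificate in certificate chain" >&2 # stderr
    echo "DONE" >&2                                                             # stderr
}

# Redirection placed on grep, as in the question. The '2>&1' only touches
# grep's stderr; the producer's stderr still reaches the caller, so the
# captured file holds the two error lines.
stderr_lines_wrong() {
    tmp=$(mktemp)
    { fake_s_client | grep -q "$1" >/dev/null 2>&1; } 2>"$tmp"
    wc -l <"$tmp" | tr -d ' '
    rm -f "$tmp"
}

# Redirection placed on the producer, as in the answer. Nothing escapes.
stderr_lines_right() {
    tmp=$(mktemp)
    { fake_s_client 2>/dev/null | grep -q "$1"; } 2>"$tmp"
    wc -l <"$tmp" | tr -d ' '
    rm -f "$tmp"
}

# The pipeline's exit status is grep's, so this is the value 'if' should test.
cert_present() {
    fake_s_client 2>/dev/null | grep -q "$1"
}

# Corrected pattern against a real server (needs a listening TLS service, so
# it is not run here). -servername, the </dev/null stdin and the x509 subject
# filter are assumptions of this example, not part of the original script.
real_cert_present() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null | grep -q "$2"
}

echo "stderr lines that escape with the redirection on grep:     $(stderr_lines_wrong MY_CERT)"
echo "stderr lines that escape with the redirection on openssl:  $(stderr_lines_right MY_CERT)"
```

One caveat that applies to the original script as well: if openssl cannot connect at all, grep sees no input and exits 1, so the script silently takes the "create a new cert" branch. Testing grep's status alone cannot tell a missing certificate from a failed connection; enabling set -o pipefail, or checking openssl separately, is needed if that distinction matters.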