1

So I have a simple Go server running on port 8080 using a self-signed certificate that I created with the following command:

openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes -out local.crt -keyout local.key

When creating it I set the fields to these values: [image]
As you can see, I skipped everything but the fully qualified host name, which I set to go-auth.

I started my Go server using the local.key and local.crt files successfully.

I tried cURLing it like:

➜  certs git:(master) ✗ curl --proxy-cacert local.crt https://go-auth/
curl: (6) Could not resolve host: go-auth

➜  certs git:(master) ✗ curl --proxy-cacert local.crt https://localhost:8080/
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

After that I tried to get the certs from the running server, saving them to the cacert.pem file, and tried again:

➜  certs git:(master) ✗ echo quit | openssl s_client -showcerts -servername go-auth -connect localhost:8080 > cacert.pem
depth=0 CN = go-auth
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = go-auth
verify return:1
DONE

➜  certs git:(master) ✗ curl --cacert cacert.pem https://go-auth/
curl: (6) Could not resolve host: go-auth

➜  certs git:(master) ✗ curl --proxy-cacert cacert.pem https://go-auth/
curl: (6) Could not resolve host: go-auth

At this point I don't know; I was trying to follow the answer to this question: Use self signed certificate with cURL? but did not get the desired result.

  • 2
    "Could not resolve host" is a DNS error, not a certificate-related one. You need to first make sure your `go-auth` name resolves properly on your system, using `/etc/hosts` for example or equivalent. But this is off-topic here as not related to programming. – Patrick Mevzek Jan 17 '20 at 16:42
  • 1
    Try this: `curl --cacert cacert.pem https://localhost:8080/`. `--proxy-cacert` is used for `HTTPS` proxies – Gaurav Dhiman Jan 17 '20 at 16:48
  • 3
    Try to disable curl's certificate validation with flag `--insecure`. You can take a look at `mkcert` tool from https://github.com/FiloSottile/mkcert to generate a local CA and a certificate for local development. – Giulio Micheloni Jan 17 '20 at 16:58
  • 1
    Based on the curls you have, you're running this on localhost. Your host name is not `go-auth`. Even if you use the correct certificate with curl, it will fail because the host name is not go-auth, so you have to curl it using localhost, with curl -k to disable certificate validation. – Burak Serdar Jan 17 '20 at 17:08

1 Answer

6

You can use the -k parameter in order to skip the certificate validation.

Your command has to be similar to the following one:

curl -vk https://localhost:8080/
  • -v enables some debug information
  • -k disables the certificate validation

If you want to enable the certificate validation, you have two ways:

  • Add the certificate to your current CA list and trust it
    This way, you are going to "accept" your self-signed certificate as a valid one, and you will be able to call the service (from your machine, obviously) using any type of HTTP client (Java, Go, cURL, etc.).

  • Use the --cacert parameter of the cURL command in order to specify the path related to the certificate to use in order to authenticate to the service.

alessiosavi