Re: [Bug-wget] Issue with TOMCAT SSL server wget
From: brad bruggemann
Subject: Re: [Bug-wget] Issue with TOMCAT SSL server wget
Date: Thu, 9 Jun 2011 12:56:54 -0400
Problem fixed:
1) Convert server cert
openssl x509 -inform DER -outform PEM -in servercert.crt -out servercert.pem
2) Break out user cert and key from container
openssl pkcs12 -nocerts -in user.p12 -out userkey.pem
openssl pkcs12 -nokeys -in user.p12 -out usercert.pem
3) wget it
wget --private-key=userkey.pem --certificate=usercert.pem \
  --ca-certificate=servercert.pem https://IP_ADDRESS:PORT/file.txt
On Wed, Jun 8, 2011 at 11:44 AM, brad bruggemann <address@hidden> wrote:
> I wasn't aware that after I converted the cert that I needed to place the
> converted cert into the keystore. Here's what I've now done to add the cert.
>
> Server Side:
>
> 1. Generate a new keypair for wget
> # keytool -genkeypair -alias wget -keystore /keys/wget.p12 -storetype pkcs12 \
>     -keyalg RSA -dname "CN=wget,OU=test,O=test,L=city,S=South Carolina,C=US" \
>     -keypass XXXX -storepass XXXX -validity 365
>
> 2. Create certificate for wget
> # keytool -export -alias wget -file /keys/wget.cer -keystore /keys/wget.p12 \
>     -storetype pkcs12 -storepass XXXX -validity 365
>
> 3. Add wget to keystore
> # keytool -import -keystore /keys/keystore.jks -alias wget -file /keys/wget.cer \
>     -v -trustcacerts -noprompt -storepass XXXX
>
> 4. Send remote box wget cert
> # scp /keys/wget.cer address@hidden:/tmp/wget.cer
>
> Client Side:
>
> 5. Try wget
> wget --secure-protocol=TLSv1 --certificate-type=DER --certificate=/tmp/wget.cer \
>     --password=XXXX https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>
> output gives me an openssl error of:
>
> OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> On Wed, Jun 8, 2011 at 8:01 AM, Giuseppe Scrivano <address@hidden> wrote:
>
>> please keep the mailing list CC'ed in your replies.
>>
>> It seems the server doesn't accept the client certificate. Are you sure
>> the cert.pem certificate is included in keystore.jks?
>>
>> Giuseppe
>>
>> brad bruggemann <address@hidden> writes:
>>
>> > Giuseppe,
>> >
>> > There's a correction to my original post. The output that I get when I
>> > run the original command (with secure-protocol) is:
>> >
>> > OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>> >
>> > When I run it without secure-protocol I get:
>> >
>> > OpenSSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
>> >
>> > On Wed, Jun 8, 2011 at 7:08 AM, Giuseppe Scrivano <address@hidden> wrote:
>> >
>> > brad bruggemann <address@hidden> writes:
>> >
>> > > Use wget to grab file:
>> > > wget --secure-protocol=TLSv1 --certificate-type=PEM --certificate=/path.to/cert.pem \
>> > >     --password=XXXX https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>> >
>> > What happens if you don't specify --secure-protocol?
>> >
>> > Cheers,
>> > Giuseppe
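The three-step fix at the top of this thread, rebuilt as a self-contained shell script so it can be checked offline. This is an added example, not code from the mail above or from wget itself: it uses openssl alone to construct a throwaway self-signed server certificate (written as DER, the way keytool -export hands it out) and a user identity packed into a PKCS#12 file, then runs the same DER-to-PEM and PKCS#12 extraction steps and checks the result before a real wget would be pointed at the server. File names, the subject CNs, the working directory and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original thread: rebuilds the situation
# from the mail offline and runs the three fix steps against it, with checks.
# All file names, the CN values and the PKCS#12 password are assumptions.
set -eu

# Build a throwaway PKI shaped like the one in the thread (constructed data):
#   - a self-signed "Tomcat" server cert, exported as DER like keytool -export
#   - a user key + cert, packed into a password-protected PKCS#12 (user.p12)
# $1 = working directory, $2 = PKCS#12 password
make_test_pki() {
    dir=$1; p12pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=tomcat.example.test" \
        -keyout "$dir/serverkey.pem" -outform DER -out "$dir/servercert.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=wget-user" \
        -keyout "$dir/clientkey.pem" -out "$dir/clientcert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/clientcert.pem" -inkey "$dir/clientkey.pem" \
        -name wget-user -passout "pass:$p12pass" -out "$dir/user.p12"
}

# Step 1 of the fix: DER -> PEM, because wget's --ca-certificate expects PEM.
convert_server_cert() {
    openssl x509 -inform DER -in "$1/servercert.crt" -outform PEM -out "$1/servercert.pem"
}

# Step 2 of the fix: pull key and cert out of the PKCS#12 container.
# -passin replaces the interactive prompt; -nodes writes the key unencrypted,
# which is why the file is locked down to mode 0600 right away.
extract_user_identity() {
    dir=$1; p12pass=$2
    openssl pkcs12 -in "$dir/user.p12" -passin "pass:$p12pass" -nocerts -nodes -out "$dir/userkey.pem"
    chmod 600 "$dir/userkey.pem"
    openssl pkcs12 -in "$dir/user.p12" -passin "pass:$p12pass" -nokeys -out "$dir/usercert.pem"
}

# Does certificate $2 verify against trust anchor $1?  With
# --ca-certificate=servercert.pem wget pins the server's own self-signed cert,
# so the anchor must be exactly that file; any other anchor fails here too.
verify_server_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does private key $1 belong to certificate $2?  Compare the public halves.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 3 stand-in: there is no Tomcat here, so print the wget line the thread
# ended up with, and return 0 only if every precondition for it holds.
run_fix() {
    dir=$1; p12pass=$2
    make_test_pki "$dir" "$p12pass"
    convert_server_cert "$dir"
    extract_user_identity "$dir" "$p12pass"
    verify_server_against "$dir/servercert.pem" "$dir/servercert.pem" || return 1
    key_matches_cert "$dir/userkey.pem" "$dir/usercert.pem" || return 1
    printf 'wget --private-key=%s --certificate=%s --ca-certificate=%s https://IP_ADDRESS:PORT/file.txt\n' \
        "$dir/userkey.pem" "$dir/usercert.pem" "$dir/servercert.pem"
}

run_fix "$(mktemp -d)" "s3cret"
```

Two things the mail's bare commands leave implicit: `openssl pkcs12 -nocerts` without `-nodes` prompts for a PEM pass phrase and writes an encrypted key, while with `-nodes` the key sits on disk in the clear and needs restrictive permissions; and passing the server's own self-signed certificate as `--ca-certificate` pins that exact certificate, so the wget call stops verifying the moment the Tomcat keystore entry is regenerated. The `verify_server_against` check with a wrong anchor fails the same way wget's own verification would.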