Re: [Bug-wget] Issue with TOMCAT SSL server wget
I wasn't aware that after I converted the cert that I needed to place the converted cert into the keystore. Here's what I've now done to add the cert.

Server Side:

1. Generate a new keypair for wget

   # keytool -genkeypair -alias wget -keystore /keys/wget.p12 -storetype pkcs12 -keyalg RSA -dname CN=wget,OU=test,O=test,L=city,S=South Carolina,C=US -keypass -storepass -validity 365

2. Create certificate for wget

   # keytool -export -alias wget -file /keys/wget.cer -keystore /keys/wget.12 -storetype pkcs12 -storepass -validity 365

3. Add wget to keystore

   # keytool -import -keystore /keys/keystore.jks -alias wget -file /keys/wget.cer -v -trustcacerts -noprompt -storepass

4. Send remote box wget cert

   # scp /keys/wget.cer user@ip:/tmp/wget.cer

Client Side:

5. Try wget

   wget --secure-protocol=TLSv1 --certificate-type=DER --certificate=/tmp/wget.cer --password= https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt

Output gives me an openssl error of:

   OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate

On Wed, Jun 8, 2011 at 8:01 AM, Giuseppe Scrivano gscriv...@gnu.org wrote:

> please keep the mailing list CC'ed in your replies.
>
> It seems the server doesn't accept the client certificate. Are you sure the cert.pem certificate is included in keystore.jks?
>
> Giuseppe
>
> brad bruggemann bradley.bruggem...@gmail.com writes:
>
>> Giuseppe,
>>
>> There's a correction to my original post. The output that I get when I run the original command (with secure-protocol) is:
>>
>>    OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>
>> When I run it without secure-protocol I get:
>>
>>    OpenSSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
>>
>> On Wed, Jun 8, 2011 at 7:08 AM, Giuseppe Scrivano gscriv...@gnu.org wrote:
>>
>>> brad bruggemann bradley.bruggem...@gmail.com writes:
>>>
>>>> Use wget to grab file:
>>>>
>>>>    wget --secure-protocol=TLSv1 --certificate-type=PEM --certificate=/path.to/cert.pem --password= https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>>>
>>> what does happen if you don't specify --secure-protocol?
>>>
>>> Cheers,
>>> Giuseppe
Re: [Bug-wget] Issue with TOMCAT SSL server wget
Problem fixed:

1) Convert server cert

   openssl x509 -inform DER -outform PEM -in servercert.crt -out servercert.pem

2) Break out user cert and key from container

   openssl pkcs12 -nocerts -in user.p12 -out userkey.pem
   openssl pkcs12 -nokeys -in user.p12 -out usercert.pem

3) wget it

   wget --private-key=userkey.pem --certificate=usercert.pem --ca-certificate=servercert.pem https://IP_ADDRESS:PORT/file.txt

On Wed, Jun 8, 2011 at 11:44 AM, brad bruggemann bradley.bruggem...@gmail.com wrote:

> I wasn't aware that after I converted the cert that I needed to place the converted cert into the keystore. Here's what I've now done to add the cert.
>
> Server Side:
>
> 1. Generate a new keypair for wget
>
>    # keytool -genkeypair -alias wget -keystore /keys/wget.p12 -storetype pkcs12 -keyalg RSA -dname CN=wget,OU=test,O=test,L=city,S=South Carolina,C=US -keypass -storepass -validity 365
>
> 2. Create certificate for wget
>
>    # keytool -export -alias wget -file /keys/wget.cer -keystore /keys/wget.12 -storetype pkcs12 -storepass -validity 365
>
> 3. Add wget to keystore
>
>    # keytool -import -keystore /keys/keystore.jks -alias wget -file /keys/wget.cer -v -trustcacerts -noprompt -storepass
>
> 4. Send remote box wget cert
>
>    # scp /keys/wget.cer user@ip:/tmp/wget.cer
>
> Client Side:
>
> 5. Try wget
>
>    wget --secure-protocol=TLSv1 --certificate-type=DER --certificate=/tmp/wget.cer --password= https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>
> Output gives me an openssl error of:
>
>    OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> On Wed, Jun 8, 2011 at 8:01 AM, Giuseppe Scrivano gscriv...@gnu.org wrote:
>
>> please keep the mailing list CC'ed in your replies.
>>
>> It seems the server doesn't accept the client certificate. Are you sure the cert.pem certificate is included in keystore.jks?
>>
>> Giuseppe
>>
>> brad bruggemann bradley.bruggem...@gmail.com writes:
>>
>>> Giuseppe,
>>>
>>> There's a correction to my original post. The output that I get when I run the original command (with secure-protocol) is:
>>>
>>>    OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>>>
>>> When I run it without secure-protocol I get:
>>>
>>>    OpenSSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
>>>
>>> On Wed, Jun 8, 2011 at 7:08 AM, Giuseppe Scrivano gscriv...@gnu.org wrote:
>>>
>>>> brad bruggemann bradley.bruggem...@gmail.com writes:
>>>>
>>>>> Use wget to grab file:
>>>>>
>>>>>    wget --secure-protocol=TLSv1 --certificate-type=PEM --certificate=/path.to/cert.pem --password= https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>>>>
>>>> what does happen if you don't specify --secure-protocol?
>>>>
>>>> Cheers,
>>>> Giuseppe
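The "Problem fixed" steps above, as an added example that is not part of the thread: a POSIX shell script that builds a throw-away CA and a client identity packed into a PKCS#12 file (constructed fixture; the password "secret" and the CN values are placeholders), splits the container the way step 2 does, and checks the two properties a Tomcat truststore will reject on if they are wrong: the extracted key must belong to the extracted cert, and the cert must chain to a trusted CA.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the PKCS#12 split and the checks
# that a server performs before it answers with "sslv3 alert bad certificate".
set -eu

# Constructed fixture: a toy CA, a client cert it signs, and the user.p12 bundle
# an admin would hand out.  "secret" is a placeholder export password.
make_fixture() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
      -out "$dir/ca.pem" -subj /CN=ToyCA -days 1 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/user.key" \
      -out "$dir/user.csr" -subj /CN=wget 2>/dev/null
  openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
      -CAcreateserial -out "$dir/user.crt" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
      -out "$dir/user.p12" -passout pass:secret
}

# Step 2 of the fix: split the container into the PEM key and PEM cert that
# wget's --private-key and --certificate options expect (-nodes skips the
# interactive passphrase prompt the thread's command would have shown).
split_p12() {
  p12=$1; pass=$2; outdir=$3
  openssl pkcs12 -nocerts -nodes -in "$p12" -passin "pass:$pass" -out "$outdir/userkey.pem"
  openssl pkcs12 -nokeys -in "$p12" -passin "pass:$pass" -out "$outdir/usercert.pem"
}

# Checks worth running before pointing wget at the server: the key's public half
# must equal the cert's, and the cert must verify against the CA the server
# trusts.  Either failing is what the server reports as "bad certificate".
check_pair() {
  key=$1; cert=$2; ca=$3
  [ "$(openssl pkey -in "$key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$cert" -noout -pubkey)" ] || return 1
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Build, split and check in a scratch directory; returns 0 when both checks pass.
demo() {
  work=$(mktemp -d)
  make_fixture "$work"
  split_p12 "$work/user.p12" secret "$work"
  if check_pair "$work/userkey.pem" "$work/usercert.pem" "$work/ca.pem"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$work"
  return $rc
}
```

Running `demo` against a real bundle means swapping the fixture for the admin-supplied .p12 and the CA the server actually trusts; a failure of the second check points at the truststore rather than at wget's flags.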
Re: [Bug-wget] Issue with TOMCAT SSL server wget
please keep the mailing list CC'ed in your replies.

It seems the server doesn't accept the client certificate. Are you sure the cert.pem certificate is included in keystore.jks?

Giuseppe

brad bruggemann bradley.bruggem...@gmail.com writes:

> Giuseppe,
>
> There's a correction to my original post. The output that I get when I run the original command (with secure-protocol) is:
>
>    OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
>
> When I run it without secure-protocol I get:
>
>    OpenSSL: error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message
>
> On Wed, Jun 8, 2011 at 7:08 AM, Giuseppe Scrivano gscriv...@gnu.org wrote:
>
>> brad bruggemann bradley.bruggem...@gmail.com writes:
>>
>>> Use wget to grab file:
>>>
>>>    wget --secure-protocol=TLSv1 --certificate-type=PEM --certificate=/path.to/cert.pem --password= https://IP_ADDRESS:1234/file.txt -o /tmp/file.txt
>>
>> what does happen if you don't specify --secure-protocol?
>>
>> Cheers,
>> Giuseppe