Login/Register
curl: (58) Unable to load client key -8178
Asked Answered
curlsslclient-server
D

2

27

I am facing an SSL issue with the curlcommand. I want to reach an URL using my SSL client certificate and private key.

This is my command:

$ curl -k -v "https://myurl.com/" --cert ./certificate.pem --key ./private.key

* About to connect() to xx.xx.xx.xx port 23444 (#0)
*   Trying xx.xx.xx.xx... connected
* Connected to xx.xx.xx.xx (xx.xx.xx.xx) port 23444 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* Unable to load client key -8178.
* NSS error -8178
* Closing connection #0
curl: (58) Unable to load client key -8178.

The key is password protected, curl is not asking me to enter the password, which is very strange. Even if I pass the password with --pass, I still get the same error.

It seems that the argument --key is not considered, because If I replaced with foo.key, which doesn't exist on my filesystem, I still get the same error.

However, If use:

$ wget --certificate=./certificate.pem --private-key=private.key "https://myurl.com/" --no-check-certificate

I am able to reach my URL.

Do you have any idea?

Debunk answered 7/1, 2014 at 10:27 Comment(2)
Permission issue on what?Debunk
a workaround is to import your certificate in NSS database, like here: #15774306 I searched for another solution before you, but haven't found it. If you do, please post itDimple
D
31

I've gone through the same problem, and found a solution finally, maybe it can help you.

The failure was due to the private key in PKCS#8 format:

  • a PKCS#8 private key starts with -----BEGIN ENCRYPTED PRIVATE KEY----- header
    or
    -----BEGIN PRIVATE KEY----- header

    With this key curl + openssl will works, but curl + nss + libnsspem.so wouldn't.

  • with a RSA private key which starts with
    -----BEGIN RSA PRIVATE KEY----- header

    both curl + openssl and curl + nss + libnsspem.so will work.

So use this command

openssl pkcs8 -in path/to/your/pkcs8/key -out path/to/rsa/key

to convert the PKCS#8 key to traditional RSA key.

Diversification answered 19/3, 2014 at 10:34 Comment(8)
Thank you for your answer. It may work in theory, I can't use this because in my use case I am not allowed to generate a new key for each key in my database, even temporary etc... Finally I had to use wget instead... I just posted it to know the answer and to share it with people facing the same issue ;-)Debunk
For completeness, the correct parameters for curl are then: --cert ./certificate.pem --key ./newkey.pem where newkey.pem is the new RSA copy of the key created wuth openssl.Thankyou
I have the same issue, but I dont WANT to store an unencrypted key file. Isn't there a way that CURL can prompt me for the password and use the encrypted key?Innkeeper
@Innkeeper Just add a passphrase to the RSA private key: openssl rsa -des3 -in your.key -out your.encrypted.key. -des3 means encryption algorithm, you can use others, such as aes128, aes192.Diversification
@Diversification I did - and It always give me the -8178 error reading the key - never prompts my for the password. I verified PEM formats, and tried a few different algoritms. ONLY works for unencrypted key.Innkeeper
@Diversification I just had same problem and openssl rsa -des3 -in your.key -out your.encrypted.key worked for me - now curl works again and key is still encrypted.Hope
@Diversification I tried your advice and apparently the nss variant of curl on Centos accepts only keys that are unencrypted or encrypted via -des3. No other ciphers are accepted (Centos 7.4).Chlorenchyma
Apparently this is a known bug, reported in 2016. nss-pem does not support keys that use encryption other than des. -- bugzilla.redhat.com/show_bug.cgi?id=1369251Chlorenchyma
N
4

If your certificate has a passphrase you should add it after the certificate name:

curl -k -v "https://myurl.com/" --cert ./certificate.pem:passphrase --key ./private.key
Notary answered 26/7, 2016 at 12:38 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.