certctl, self-signed certificates and localhost with nginx, fetch and curl
Date: Sun, 22 Oct 2023 15:16:40 UTC
I'm experimenting with certctl(8) to see if I can get curl and
the browser to accept a self-signed certificate, and if I need a
local CA as well for this:
```
$ sudo openssl req -newkey rsa:2048 \
-keyout /usr/local/etc/ssl/keys/localhost.key \
-x509 -days 365 -nodes -subj '/CN=localhost' \
-out /usr/local/etc/ssl/certs/localhost.crt
...
$ sudo certctl -v trust /usr/local/etc/ssl/certs/localhost.crt
$ sudo certctl -v rehash
...
Reading ca-root-nss.crt
Adding cd8c0d63.1 to trust store
Scanning /usr/local/etc/ssl/certs for certificates...
Reading localhost.crt
Adding ce275665.0 to trust store
$ certctl -v list |grep ce275665
ce275665.0 subject=CN = localhost
### failures
$ fetch https://localhost/
Certificate verification failed for /CN=localhost
002061F61F310000:error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/statem/statem_clnt.c:1890:
fetch: https://localhost/: Authentication error
$ curl https://localhost/
curl: (60) SSL certificate problem: self-signed certificate
### success
$ curl --cacert /usr/local/etc/ssl/certs/localhost.crt https://localhost/
<html>
...
```
Any idea what I'm doing wrong here? Do I need a proper CA and not
just a local cert?
BTW nginx config used:
```
# /usr/local/etc/nginx/nginx.conf
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate     /usr/local/etc/ssl/certs/localhost.crt;
        ssl_certificate_key /usr/local/etc/ssl/keys/localhost.key;
        location / {
            root  /usr/local/www/nginx;
            index index.html index.htm;
        }
    }
}
```
A+
Dave
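The two outcomes in the post (plain `fetch`/`curl` fail, `curl --cacert localhost.crt` succeeds) can be reproduced offline with `openssl verify`, which makes it clear that the difference is purely which trust anchors the client is handed. The script below is an added example, not part of Dave's post and not FreeBSD's or nginx's code: it generates a throw-away self-signed certificate in a temporary directory (its own paths, not the `/usr/local/etc/ssl` ones above) and runs the chain check once with the certificate as its own anchor and once with no anchor. The `subjectAltName` entries are an addition over the post's `-subj '/CN=localhost'`; modern clients match the host name against the SAN rather than the CN, which is a second, separate hurdle once the chain is trusted. What this check cannot tell you is which bundle or directory a given client actually reads; the post's own `--cacert` result already isolates that part.

```shell
#!/bin/sh
# Added example (not from the post): reproduce the trust decision offline
# with openssl(1). The temp dir, file names and the SAN entries are this
# example's own assumptions, not the poster's files or configuration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/localhost.crt"
KEY="$WORK/localhost.key"

# Same shape as the post's req command. The -addext line is an addition:
# clients match the host name against subjectAltName, not CN, so a
# CN-only certificate can fail host-name checking even once it is trusted.
make_selfsigned() {
    openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
        -subj '/CN=localhost' \
        -addext 'subjectAltName=DNS:localhost,IP:127.0.0.1' \
        -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Chain check with the certificate supplied as its own trust anchor.
# This is what 'curl --cacert localhost.crt' does; exit status 0 = trusted.
verify_with_anchor() {
    openssl verify -CAfile "$1" "$CERT" >/dev/null 2>&1
}

# Chain check with no caller-supplied anchor. -no-CAfile/-no-CApath drop
# the default bundle and hash directory; a certificate generated seconds
# ago cannot be a known anchor anywhere else, so this must fail. Mirrors
# the 'self-signed certificate' / 'certificate verify failed' errors.
verify_without_anchor() {
    openssl verify -no-CAfile -no-CApath "$CERT" >/dev/null 2>&1
}

# Turns a verify function's exit status into "trusted" / "untrusted".
outcome() {
    if "$@"; then echo trusted; else echo untrusted; fi
}

make_selfsigned || { echo "openssl req failed" >&2; exit 1; }
openssl x509 -in "$CERT" -noout -subject -ext subjectAltName
echo "no anchor (plain fetch/curl):        $(outcome verify_without_anchor)"
echo "cert as its own anchor (--cacert):   $(outcome verify_with_anchor "$CERT")"
```

Run as-is, the first summary line reports `untrusted` and the second `trusted`: a self-signed certificate is only ever accepted when the client's trust store contains that exact certificate, so after `certctl trust` the remaining question is whether `fetch` and `curl` read the store `certctl` populates or a bundle of their own.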