Bug 696783

Summary: CA certificate cannot be specified by nickname [documentation bug]
Product: [Fedora] Fedora
Reporter: Chandrasekar Kannan <ckannan>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: benl, kdudka, paul
Hardware: Unspecified
OS: Unspecified
Fixed In Version: curl-7.29.0-1.fc19
Doc Type: Bug Fix
Clone Of:
: 905066
Last Closed: 2013-02-06 14:39:53 UTC
Bug Blocks: 905066    

Description Chandrasekar Kannan 2011-04-14 19:59:53 UTC
Trying to use curl with NSS to do client authentication against a cert-controlled webpage.

[ckannan@localhost test]$ echo $SSL_DIR
/home/ckannan/curl/test

[ckannan@localhost test]$ ls *.db
cert8.db  key3.db  secmod.db
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ certutil -L -d .

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

testnick                                                     P,,  
OCSP Administrator of Instance pki-ocsp's pkisilentdomain ID u,u,u
TKS Administrator of Instance pki-tks's pkisilentdomain ID   u,u,u
mach1.idm.lab.bos.redhat.com                                 ,,   
VeriSign Class 3 Extended Validation SSL CA                  ,,   
wiki.idm.lab.bos.redhat.com                                  ,,   
GeoTrust SSL CA                                              ,,   
mach1.idm.lab.bos.redhat.com #2                              ,,   
Certificate Authority - pkisilentdomain                      CT,C,C
CA Administrator of Instance pki-ca's pkisilentdomain ID     u,u,u
KRA Administrator of Instance pki-kra's pkisilentdomain ID   u,u,u
RA Administrator's pkisilentdomain ID                        u,u,u
TPS Administrator's pkisilentdomain ID                       u,u,u
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ 
[ckannan@localhost test]$ curl -v  --cert "CA Administrator of Instance pki-ca's pkisilentdomain ID" --cacert "Certificate Authority - pkisilentdomain" --data-urlencode "xmlOutput=true" --data-urlencode "reqCompleted=true" --data-urlencode "reqType=enrollment" --data-urlencode "maxCount=20" "https://mach1.idm.lab.bos.redhat.com:9443/ca/agent/ca/queryReq"
* About to connect() to mach1.idm.lab.bos.redhat.com port 9443 (#0)
*   Trying 10.16.96.53... connected
* Connected to mach1.idm.lab.bos.redhat.com (10.16.96.53) port 9443 (#0)
* Initializing NSS with certpath: /home/ckannan/curl/test
* NSS error -5978
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
[ckannan@localhost test]$

Comment 1 Kamil Dudka 2011-04-14 20:41:27 UTC
You cannot specify a CA certificate by nickname.

Comment 2 Kamil Dudka 2013-01-28 13:36:46 UTC
upstream commit:

https://github.com/bagder/curl/commit/11dde6ac

Comment 3 Kamil Dudka 2013-02-06 14:39:53 UTC
fixed in curl-7.29.0-1.fc19