curl "Peer's public key is invalid." unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

php ssl curl nss
Ivan picture Ivan · Dec 15, 2016 · Viewed 7.2k times · Source

I'm trying connect my PHP app to the server, which require auth by private key and does not have certs on public servers.

API location: https://b2b.postaonline.cz/

To acces the API from browser, I have installed these certs: http://www.postsignum.cz/certifikaty_autorit.html (PEM)

then I was able to connect with my .pfx cert, retrieved from PostSignum.

However, I'm unable to connect from Linux server, using curl. Ofc, I have searched and tested stuff several hours - like converting private to RSA and so on.

So current status is, that I have used received .pfx and extracted stuff like this:

 openssl pkcs12 -in certificate.pfx -out ca.pem -cacerts -nokeys
 openssl pkcs12 -in certificate.pfx -out client.pem -clcerts -nokeys
 openssl pkcs12 -in certificate.pfx -out key.pem -nocerts

After, I've used curl to connect:

$ curl -v  --key ./key.pem --cacert ./ca.pem --cert ./client.pem https://b2b.postaonline.cz/
*   Trying 193.150.24.113...
* Connected to b2b.postaonline.cz (193.150.24.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: ./ca.pem
  CApath: none
* unable to load client key: -8178 (SEC_ERROR_BAD_KEY)
* NSS error -8178 (SEC_ERROR_BAD_KEY)
* Peer's public key is invalid.
* Closing connection 0
curl: (58) unable to load client key: -8178 (SEC_ERROR_BAD_KEY)

This is something I'm getting with all the variations.

Notes: when I have loaded my certificate.pfx to the browser, connection was still insecure. So I have downloaded following from PostSignum cert site and loaded them into the browser

Postsignum Root QCA 2
Postsignum Public CA 2

just after that I was able to connect from browser.

I think this is something, I need to do also in the curl, but I have no idea how. With the ca.pem and client.pem, which are extracted just from certificate.pfx - I think curl is running into the same trouble as browaser was before additional Authoritiy certs was loaded. Any idea how to use that ?

Thank you.

Answer

Ivan picture Ivan · Feb 27, 2017

There were 2 issues combined, now fixed - thanks to strace.

  1. I have to supply RSA private key, as mentioned in other posts
  2. When using a local private key file with passphrase, we can't supply it as ./key:pass, but by using --pass {phrase} option

Related questions

PHP Curl (with NSS) is probably using SSLv3 instead of TLS when connecting to https

I'm using curl library (with NSS) in PHP to connect to my other server. Everything was fine until last week, when the destination server stoped supporting SSLv3 due to poodle vulnerability (CloudFlare by the way). Now, I'm trying to make …

Read More
How to add ciphers to curl in php?

I am trying to use php curl to connect to a site, but get the error "no common encryption algorithm". Further investigation, and I think this has something to do with NSS? I've discovered that from the command line, I …

Read More
HTTPS and SSL3_GET_SERVER_CERTIFICATE:certificate verify failed, CA is OK

I am using XAMPP for development. Recently I upgraded my installation of xampp from an old version to 1.7.3. Now when I curl HTTPS enabled sites I get the following exception Fatal error: Uncaught exception 'RequestCore_Exception' with message 'cURL resource: …

Read More