Using cURL with Conjur Certificates & the API

I thought that by using curl -k I could avoid having to provide a certificate when using a self-signed certificate like in the Conjur Quick Start. This was incorrect. curl -k doesn’t avoid TLS entirely; it just bypasses validation. So, in a case where you’re running Conjur in a self-signed scenario, you’ll still need to provide the --cacert flag with curl.

curl --cacert /path/to/conjur_account.pem ...

Hopefully this helps someone else eliminate research in the future.

5 Likes

Also, if you do not have the self-signed conjur_account.pem file on your local machine, you can create it with the following command:

openssl s_client -showcerts -connect <CONJUR_HOST_NAME>:443 < /dev/null 2> /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "/path/to/conjur_account.pem"

3 Likes
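An added example, not code from either post or from the Conjur project: openssl s_client prints whatever certificate the server presents without validating it, so this sketch writes the --cacert file only when the leaf certificate's SHA-256 fingerprint matches a value obtained out of band. The function names, the host conjur.example.com and the EXPECTED_FP variable are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: pin the certificate fetched with s_client before trusting it.

# Keep only the PEM certificate blocks from s_client output read on stdin.
extract_pem() {
  sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Count the certificates in a PEM bundle read on stdin (prints 0 if none).
count_certs() {
  grep -c -e '-BEGIN CERTIFICATE-' || true
}

# Normalise a fingerprint: drop any "label=" prefix and colons, lower-case it.
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n\t' | tr 'A-F' 'a-f'
}

# fetch_pinned HOST EXPECTED_SHA256 OUTFILE
# Writes OUTFILE only if the leaf certificate's fingerprint matches.
fetch_pinned() {
  local host="$1" expected="$2" out="$3" tmp actual
  tmp=$(mktemp) || return 1
  openssl s_client -showcerts -connect "${host}:443" -servername "$host" \
    </dev/null 2>/dev/null | extract_pem >"$tmp"
  if [ "$(count_certs <"$tmp")" -eq 0 ]; then
    echo "no certificate received from $host" >&2
    rm -f "$tmp"; return 1
  fi
  # openssl x509 reads the first certificate in the file, which is the leaf.
  actual=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256)
  if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
    echo "fingerprint mismatch for $host, not writing $out" >&2
    rm -f "$tmp"; return 1
  fi
  mv "$tmp" "$out"
}

# Usage (hypothetical host; EXPECTED_FP comes from the Conjur administrator):
#   fetch_pinned conjur.example.com "$EXPECTED_FP" /path/to/conjur_account.pem
#   curl --cacert /path/to/conjur_account.pem https://conjur.example.com/...
```

The expected fingerprint can be produced on the Conjur server itself with openssl x509 -noout -fingerprint -sha256 against the server's certificate file and passed along over a separate trusted channel.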