3

I am trying to connect to a server using curl; this server requires a .p12 certificate file and a passphrase. This has not been a problem in the few weeks I have been running my program. However, after my update to High Sierra, I now get LibreSSL errors. My colleagues running Windows 7 and 10 don't have this issue, either:

In Terminal:

$ curl -k https://server_metadata_link --cert certificate.p12 --pass "password"

curl: (58) could not load PEM client certificate, LibreSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

In R:

> set_config(config(ssl_verifyhost = 0L, ssl_verifypeer = 0L))

> set_config(config(sslcert = certificate.p12, keypasswd = password))

> GET("https://server_metadata_link")

Error in curl::curl_fetch_memory(url, handle = handle) : could not load PEM client certificate, LibreSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

I would prefer not to backtrack to Sierra, as I have a colleague with a new Mac who is stuck in High Sierra. I don't think there is an error with the certificates, as like I said, this worked fine before the upgrade to High Sierra. After researching this issue, I think it may have something to do with Mac's move from OpenSSL to LibreSSL in High Sierra. I don't know what effect that might have on the back end, but it could explain why only my colleague and I have the error, while another colleague with Sierra does not.

Another issue may be that my version of curl is 7.54.0 (as is my colleague's with High Sierra), while the latest is 7.58.0. I don't know if this could also be causing a problem, but as a separate issue I'm not sure how to force my Mac to use the most recent version of curl; since it's included in the Mac, Homebrew won't let me install the latest version.

The only other note I have is that if I change the R config from "sslcert = certificate.p12" to "sslkey = certificate.p12" or the Terminal command from "--cert certificate.p12" to "--key certificate.p12" I get a normal 403 error saying I couldn't connect to the server.

Any help would be appreciated, and please let me know if there is any other information I should provide. Thanks in advance.

jww
  • The server can't require a p12 file; it can't see client files at all. It requires a cert and key that you have _in_ a p12 file. Both OpenSSL and LibreSSL builds of curl should reject a p12, but https://daniel.haxx.se/blog/tag/securetransport/ says at least some Apple builds use SecureTransport which per the manpage does use p12. Since OpenSSL and LibreSSL want PEM, you can use (either of) them to convert PKCS12 to PEM; there are dozens if not hundreds of Qs already on that. – dave_thompson_085 Feb 15 '18 at 23:18
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Feb 16 '18 at 00:36
  • @jww I don't understand, how is this not a relevant question? There are dozens of similar questions (some even with the same error) on this site as well, they just aren't quite what I'm looking for. Any specific issues with my question would be helpful so I know what to post in the future. – Margaret S. Feb 16 '18 at 14:48
  • @dave_thompson_085 right, the server doesn't require p12, but there's an issue with key/pem format files on Mac, I think. Thanks for the resources, I will look into that. Hopefully this can help! – Margaret S. Feb 16 '18 at 14:49

1 Answer

3

Homebrew will let you install the latest version of homebrew, but it is keg-only since OSX provides an older version of curl:

$ brew install curl
==> Downloading https://homebrew.bintray.com/bottles/curl-7.58.0.high_sierra.bottle.tar.gz
Already downloaded: /Users/kyle.varga/Library/Caches/Homebrew/curl-7.58.0.high_sierra.bottle.tar.gz
==> Pouring curl-7.58.0.high_sierra.bottle.tar.gz
==> Caveats
This formula is keg-only, which means it was not symlinked into /usr/local,
because macOS already provides this software and installing another version in
parallel can cause all kinds of trouble.

If you need to have this software first in your PATH run:
  echo 'export PATH="/usr/local/opt/curl/bin:$PATH"' >> ~/.zshrc

You need to run the export command for it to run. After updating $PATH, you should get

$ which -a curl
/usr/local/opt/curl/bin/curl
/usr/bin/curl

After doing this, when running curl with a p12 file, it asks for me to unlock OSX keychain and resolves the could not load PEM client certificate error.

Kyle Varga
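Added example (not part of the original question or answer): a small shell check that ties the error 58 "no start line" message to its two inputs, the encoding of the client-certificate file and the TLS library the curl binary reports. The function names and the sample version lines are constructed for illustration, and the first-byte test for DER is a heuristic.

```shell
#!/bin/sh
# cert_encoding FILE -> pem | der | unknown
# "no start line" means the PEM reader found no "-----BEGIN" line in the file.
# A .p12 is binary DER, whose first byte is 0x30 (heuristic, not a full parse).
cert_encoding() {
    if grep -q -e '-----BEGIN ' "$1" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# tls_backend "LINE" -> TLS library named in the first line of `curl --version`
tls_backend() {
    case "$1" in
        *SecureTransport*) echo securetransport ;;
        *LibreSSL*)        echo libressl ;;
        *OpenSSL*)         echo openssl ;;
        *)                 echo other ;;
    esac
}

# diagnose FILE "LINE" -> what to do with this file on this curl build
diagnose() {
    enc=$(cert_encoding "$1")
    tls=$(tls_backend "$2")
    case "$tls:$enc" in
        securetransport:der)      echo "ok: pass the .p12 directly" ;;
        libressl:der|openssl:der) echo "convert: openssl pkcs12 -in $1 -out client.pem" ;;
        libressl:pem|openssl:pem) echo "ok: pass the PEM file" ;;
        *)                        echo "check: $tls build, $enc file" ;;
    esac
}

# Constructed sample version lines (library versions are placeholders).
SAMPLE_LIBRESSL='curl 7.54.0 (x86_64-apple-darwin) libcurl/7.54.0 LibreSSL/x.y.z zlib/x.y.z'
SAMPLE_SECURETRANSPORT='curl 7.58.0 (x86_64-apple-darwin) libcurl/7.58.0 SecureTransport zlib/x.y.z'

# On a real machine:
#   diagnose certificate.p12 "$(curl --version | head -n 1)"
```

Without `-nodes`, `openssl pkcs12` asks for a new pass phrase and keeps the private key encrypted in `client.pem`, which curl then unlocks with `--pass`.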