SSL CA Certificates - LibCurl C Language (Linux)

I'm working with a web service, and I still cannot authenticate peer certificates. I am using libcurl from C, and this is the output:

Cannot post, Err: Peer certificate cannot be authenticated with CA certificates

So, I tried to test the connection using the openssl command:

openssl s_client -connect homnfce.sefaz.am.gov.br:443 -cert cert.pem -key nfcek.pem

Then: Verify return code: 20 (unable to get local issuer certificate)

Next, I looked at the server certificates and noticed that they form a certificate chain. So I downloaded them and added them using keytool:

keytool -import -trustcacerts -file cert1.cer -alias mykey
keytool -import -trustcacerts -file cert2.cer -alias mykey2
keytool -import -trustcacerts -file cert3.cer -alias mykey3

Even with these changes, I still cannot authenticate peer certificates.

I think this may indicate an error in how the CURLOPT options are set up; here's an excerpt from the code:

 if (curl_easy_setopt(curl, CURLOPT_POST, 1) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_POST, 1) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_URL, "https://homnfce.sefaz.am.gov.br/nfce-services-nac/services/NfeStatusServico2?wsdl") != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_URL) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_PORT, 443) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_PORT, 443) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_SSLCERT, "cert.pem") != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_SSLCERT) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_SSLKEY, "nfcek.pem") != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_SSLKEY) failed");
    return -1;
  }
  sprintf(szCertPath, "%s","/home/CAcerts/");
  if (curl_easy_setopt(curl, CURLOPT_CAPATH, szCertPath) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, iLen) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_SSLCERTPASSWD, szMyPw) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_TIMEOUT) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_READDATA, pfChk) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_WRITEDATA, pfAnswer) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_WRITEDATA) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_TIMEOUT, iOnlineServerTimeout) != CURLE_OK ) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_TIMEOUT) failed");
    return -1;
  }
  if (curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) != CURLE_OK) {
    if ( DEBUG_DETAILS ) vTrace("curl_easy_setopt(curl, CURLOPT_NOSIGNAL, 1) failed");
    return __LINE__;
  }

  if ( (res = curl_easy_perform(curl)) != CURLE_OK ){
    if ( DEBUG_DETAILS ) vTraceStr("iNFCE_CurlReq(): Cannot Perform Post, Err: %s\n", (char *)curl_easy_strerror(res));
    return -1;
  }

- - , (CURLOPT_SSL_VERIFYPEER = 0).



I've solved it. I converted the certificates with openssl:

  openssl x509 -in raiz_v2.cer -out raiz_v2.pem
  openssl x509 -in ac_certsign_g6.cer -out ac_certsign_g6.pem
  openssl x509 -in ac_certsign_mult_g5.cer -out ac_certsign_mult_g5.pem

Then I concatenated them into a single bundle file:

 cat raiz_v2.pem > cacert.pem
 cat ac_certsign_g6.pem >> cacert.pem
 cat ac_certsign_mult_g5.pem >> cacert.pem

I then passed cacert.pem to libcurl via CURLOPT_CAINFO. (CURLOPT_CAPATH expects a directory of certificates indexed by subject-name hash, as prepared by c_rehash, whereas CURLOPT_CAINFO takes a single PEM bundle file.)


Source: https://habr.com/ru/post/1666968/

