SSL: curl works, httpie fails

0

I am running on Ubuntu 16.04.4 LTS. I have the following versions:

root@e816b85d954d:/# http --debug
HTTPie 0.9.9
Requests 2.9.1
Pygments 2.1
Python 2.7.12 (default, Dec  4 2017, 14:50:18) 
[GCC 5.4.0 20160609]
/usr/bin/python
Linux 4.4.0-116-generic

root@e816b85d954d:/# curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

curl is working fine:

$ curl https://mysite

But httpie is failing:

root@e816b85d954d:/# http https://mysite

http: error: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590) while doing GET request to URL: https://mysite

Why could this be the case?

dangonfast

Posted 2018-03-19T12:17:50.173

Reputation: 1 878

Answers

0

The error message is pretty straight-forward. It's telling you that the web server contains a SSL certificate which has some problem (most probably because it's self-signed, it's expired etc.).

You should be able to stop checking the certificate validity with the --verify option:

--verify VERIFY

Set to "yes" to check the host's SSL certificate. You can also pass the path to a CA_BUNDLE file for private certs. You can also set the REQUESTS_CA_BUNDLE environment variable.

So, setting --verify no shall be enough.

# http --verify no https://...
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:794: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
[...]

It's always best recommended to use a valid SSL certificate, though.

nKn

Posted 2018-03-19T12:17:50.173

Reputation: 4 960

curl is checking the certificate. It is https, and reports no errors. – dangonfast – 2018-03-19T12:28:04.750

I do not want to stop the verification: I want verification to also work for httpie – dangonfast – 2018-03-19T12:28:46.770

It is indeed self-signed. I did not mention it because it is not really relevant (since the CA root is installed system-wide, and curl uses it) – dangonfast – 2018-03-19T12:29:52.647

Then httpie might not be using the root CA... I can't find a piece of documentation defining where are root CAs taken, though. However, I found this: https://github.com/jakubroztocil/httpie/issues/576

– nKn – 2018-03-19T12:33:16.700

Asked: 2018-03-19T12:17:50.173

Viewed: 662 times

Active: 2018-03-19T12:34:10.000