Write permissions error (OSStatus -61) when reading a p12 certificate on OSX

I'm trying to load a file through cURL on OSX 10.9. The following command works fine when done from my user account, but fails when done through PHP (user _www):

 curl https://test.test.com:8443 -sslv3 --cert /Users/[my account]/Sites/sandbox/certificate.p12:password --cert-type P12

The error I'm getting is:

* SSL: Can't load the certificate "/Users/[my account]/Sites/sandbox/certificate.p12" and its private key: OSStatus -61

It's a write permissions error; not a publisher, but _www has read & write permissions on the folder.

The call works fine from both my own account and _www when using the common name of the certificate (which I added to my system keychain manually):

curl https://test.test.com:8443 -sslv3 --cert [the common name]

I would like to have it working with the p12 file so I can use the same code on the production server as on my development machine. Using the normal PHP cURL library is not an option because it doesn't support the --cert argument yet (it seems to use the older --cafile, which is not supported in OSX 10.9).

Finally figured out the solution :-)

First you need to compile your own curl with OpenSSL (the default build uses Secure Transport), and then PHP against this curl (the default build uses the system curl).

Compile and install via Homebrew:

brew install curl --with-openssl
brew install php56 --with-homebrew-curl

Then send the curl request using PEM-format certificates, as on Linux (the P12 format is supported only by the OS X curl, which is compiled with Secure Transport).

For example, use HTTPful to send a client-auth request:

<?php
require 'vendor/autoload.php';   // Httpful installed via Composer
use Httpful\Request;

$response = Request::get('https://127.0.0.1:12345/ping')->authenticateWithCert(
    'client-auth.crt',   // PEM client certificate
    'client-auth.key'    // PEM private key
)->send();

About the -61 error, I guess it is because PHP in Apache (which is running under _www) doesn't have permission to access the keychain. Secure Transport will first import the P12 certificate into the login keychain (which causes this error) and then sign the request with it (which would prompt and ask for permission).

I tried to run Apache under my account but still encountered this issue. It might be related to different environment variables.
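The answer above switches from the .p12 bundle to a PEM certificate and key but does not show how to get from one to the other, or how to tell which TLS backend a given curl was built with. The script below is an added example and is not code from the question, the answer, curl or Httpful. It uses only the openssl and curl command-line tools; the function names, output file names and the "password" passphrase are assumptions, and the .p12 it converts is a throwaway self-signed identity it generates inline, standing in for the real certificate.p12.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Converts a PKCS#12 bundle into the PEM certificate + key pair that an
# OpenSSL-backed curl (or Httpful's authenticateWithCert) expects, and
# reports which TLS library the curl on PATH was built with.
# Function names, file names and the "password" passphrase are assumptions;
# the .p12 used for the demo is a throwaway self-signed identity built inline.
set -u

# Extract the client certificate and its private key from a .p12 as PEM.
# Arguments: <input.p12> <passphrase> <out.crt> <out.key>
# Fails (non-zero) on a wrong passphrase; the key is written unencrypted (-nodes).
p12_to_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null &&
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4" 2>/dev/null &&
    chmod 600 "$4"   # the key now sits in cleartext on disk; restrict it to the owner
}

# Return 0 only if the PEM key belongs to the PEM certificate (same public key).
# Catches the classic mistake of pairing a key with the wrong certificate.
pem_pair_matches() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Print the TLS library of the curl on PATH (OpenSSL, LibreSSL or SecureTransport),
# or "unknown" if none is recognised. Only an OpenSSL/LibreSSL build takes a PEM
# cert+key pair the way a Linux curl does; a SecureTransport build wants the keychain.
curl_tls_backend() {
    command -v curl >/dev/null 2>&1 || { echo unknown; return 0; }
    backend=$(curl --version | head -n 1 | grep -oE 'OpenSSL|LibreSSL|SecureTransport' | head -n 1)
    echo "${backend:-unknown}"
}

# Build a throwaway self-signed identity and wrap it in certificate.p12
# (passphrase "password") inside <dir>, standing in for the user's real bundle.
make_demo_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=client-auth-demo \
        -keyout "$1/orig.key" -out "$1/orig.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/orig.crt" -inkey "$1/orig.key" \
        -passout pass:password -out "$1/certificate.p12"
}

# Usage: round-trip the demo bundle and report the result.
dir=$(mktemp -d)
make_demo_p12 "$dir"
p12_to_pem "$dir/certificate.p12" password "$dir/client-auth.crt" "$dir/client-auth.key"
if pem_pair_matches "$dir/client-auth.crt" "$dir/client-auth.key"; then
    echo "client-auth.crt and client-auth.key in $dir match; usable with --cert/--key"
else
    echo "extracted certificate and key do not match" >&2
fi
echo "curl TLS backend: $(curl_tls_backend)"
```

With a real bundle, replace the demo call with `p12_to_pem /Users/[my account]/Sites/sandbox/certificate.p12 password client-auth.crt client-auth.key` and pass the two files to `curl --cert client-auth.crt --key client-auth.key` (the Homebrew OpenSSL build) or to Httpful's `authenticateWithCert`. Because the key leaves the bundle unencrypted, keep it outside the web root and readable only by the account that runs PHP.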