Unable to run curl command in 'insecure' mode


I am trying to run a curl command from a GitLab pipeline to perform a POST call on a host.

Here is the sample curl command:

curl -X -k POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer <token>" \
    -d '{ "key": "foo", "value": "bar" }' \
    "https://<host url>"

Please note that I am already trying to run in insecure mode using -k.

Still, I am getting the error below:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

If I run this in Postman, disabling SSL verification from settings, it works as expected.

There is no certificate for this host and it's in the internal network.

How do I make this curl work? Why is -k not working here?

2

There are 2 best solutions below

3
On

Use the --insecure flag instead of -k and run the cURL command. For example:

curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer <token>" \
    -d '{ "key": "foo", "value": "bar" }' \
    "https://<host url>" --insecure

1
On

This probably isn't important to you anymore, but I ran into the same issue and I want to leave an answer for anyone who might be dealing with this problem. When I discussed this with a coworker and mentioned I was trying to use --insecure, this is the response they gave me:

that only ignores from the client side. the server is still expecting to authenticate the client using the client certs. so basically you turned it off on one end. but not the other

After further consideration, we were able to solve the issue by additionally specifying the cert file and the key with --cert and --key. So, in your example, you might have something like:

curl -k -X POST \
    --cert /etc/gitlab/keys/gitlab.cert \
    --key /etc/gitlab/keys/gitlab.key \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer <token>" \
    -d '{ "key": "foo", "value": "bar" }' \
    "https://<host url>"

I hope this helps someone if they run into an issue like this. I wouldn't have considered the insecure flag not applying to the server side before my coworker brought it up.
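
An added example, not part of the original question or answers: a simplified bash model of how curl reads its arguments, showing that in the question's command -k is consumed as the value of -X, so certificate verification is never disabled. It models only the options used on this page; the function name parse_curl_args and the host internal.example are assumptions.

```bash
#!/usr/bin/env bash
# Added example: a simplified model of curl's left-to-right option parsing.
# Assumption: only the options that appear on this page are modelled.

parse_curl_args() {
    local method="(default)" insecure=no urls=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -X|--request)
                # The next word becomes the method, even if it starts with "-".
                method=${2-}
                shift
                ;;
            -H|--header|-d|--data|--cert|--key)
                shift                      # skip this option's value
                ;;
            -k|--insecure)
                insecure=yes               # only reached if -k is parsed as a flag
                ;;
            -*)
                ;;                         # other flags: ignored in this model
            *)
                urls="${urls:+$urls }$1"   # any bare word is treated as a URL
                ;;
        esac
        if [ "$#" -gt 0 ]; then shift; fi
    done
    echo "method=$method insecure=$insecure urls=$urls"
}

# Constructed sample input; internal.example is a placeholder host.
HDR="Content-Type: application/json"
BODY='{ "key": "foo", "value": "bar" }'
URL="https://internal.example"

# Ordering from the question: -k is swallowed by -X, POST becomes a stray URL.
parse_curl_args -X -k POST -H "$HDR" -d "$BODY" "$URL"
# Flag placed before -X (or after the URL as --insecure): parsed as intended.
parse_curl_args -k -X POST -H "$HDR" -d "$BODY" "$URL"
```

With verification still enabled in the first ordering, the request to the HTTPS URL fails with the error 60 shown in the question.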