I use restic 0.16.0 and restic-rest-server 0.12.1 behind nginx.
I have set up nginx so that it requires a client certificate; this request:
curl --cert client.pem --key client.key https://restic.local/home
works.
However, this fails:
restic --tls-client-cert client.pem -r rest:https://restic.local/home snapshots
Fatal: parse TLS client cert or key: tls: failed to find any PEM data in key input
My cert.pem
looks like:
Bag Attributes
localKeyID: 5B B4 B1 EE 1F DF 5F D8 43 E0 D2 9E 37 3D 3F F8 C9 B3 99 CC
subject=/C=FR/ST=France...
issuer=/ST=France...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 5B B4 B1 EE 1F DF 5F D8 43 E0 D2 9E 37 3D 3F F8 C9 B3 99 CC
Key Attributes: <No Attributes>
I generate it through:
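#!/usr/bin/env bash
#
# Issue a TLS client certificate for USER on SERVICE, signed by that
# service's CA, and export it as PKCS#12 and PEM.
#
# Usage: <this script> SERVICE USER
#
# Reads (must already exist):
#   client/generated/SERVICE/USER/client.conf   openssl req configuration
#   client/generated/SERVICE/ca/ca.conf, ca.crt, ca.key
# Writes under client/generated/SERVICE/USER/:
#   client.key  private key, written unencrypted (-nodes)
#   client.csr  certificate signing request
#   client.crt  certificate signed by the CA
#   client.p12  PKCS#12 export of certificate + key
#   client.pem  PEM export of client.p12
#
# Exit status: 2 on wrong argument count; otherwise the status of the first
# failing command (set -e), or 0.
set -xeuo pipefail

if [[ $# -ne 2 ]]; then
  # Usage errors are diagnostics, so they go to stderr.
  echo "Usage: $0 SERVICE USER" >&2
  exit 2
fi

# client.key is written without a pass phrase, so everything this script
# creates (directories included) is restricted to the owner from the moment
# it is created, rather than fixed up with chmod afterwards.
umask 077

SERVICE=$1
# NOTE(review): this overwrites the USER variable inherited from the login
# environment; if it was exported, openssl sees the new value too.
# Both arguments become path components as given and are not validated here.
USER=$2
CRT_DIR=client/generated/$SERVICE/$USER
CA_DIR=client/generated/$SERVICE/ca
# Not exported and not referenced below.
# NOTE(review): if client.conf is meant to read this through $ENV::COMMON_NAME,
# it has to be exported first; confirm against client.conf.
COMMON_NAME="${USER} client cert for ${SERVICE} ($(date --utc +"%Y-%m-%dT%H:%M:%SZ"))"

mkdir -p "$CRT_DIR"

# Create a new key pair and signing request; -nodes leaves client.key
# unencrypted on disk.
openssl req \
  -new \
  -nodes \
  -newkey rsa:4096 \
  -config "$CRT_DIR/client.conf" \
  -keyout "$CRT_DIR/client.key" \
  -out "$CRT_DIR/client.csr"

# Sign it with our CA
openssl ca \
  -config "$CA_DIR/ca.conf" \
  -cert "$CA_DIR/ca.crt" \
  -keyfile "$CA_DIR/ca.key" \
  -out "$CRT_DIR/client.crt" \
  -infiles "$CRT_DIR/client.csr"

# Bundle certificate and key as PKCS#12 (openssl prompts for an export
# password).
openssl pkcs12 \
  -export \
  -clcerts \
  -in "$CRT_DIR/client.crt" \
  -inkey "$CRT_DIR/client.key" \
  -out "$CRT_DIR/client.p12"

# Convert the bundle to PEM. Without -nodes/-noenc, openssl encrypts any
# private key it writes here under a pass phrase it prompts for; a consumer
# that loads certificate and key from this one file needs a private-key block
# it can read, so check the output for one.
openssl pkcs12 \
  -clcerts \
  -in "$CRT_DIR/client.p12" \
  -out "$CRT_DIR/client.pem"

echo "Browser key: $PWD/$CRT_DIR/client.p12"
echo "PEM key: $PWD/$CRT_DIR/client.pem"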
What am I missing?
Thanks.