curl Patterns
curl patterns from real API troubleshooting and automation. Every entry has a date and context.
2026-03-12: Silent Mode with jq Pipeline
Problem: curl output includes progress bar and headers, making jq parsing fail.
Context: API scripting, ISE/Vault automation
The Fix:
# WRONG: progress bar breaks jq
curl https://api.example.com/data | jq '.results'
# RIGHT: silent mode
curl -s https://api.example.com/data | jq '.results'
# WITH error handling — -f fails on HTTP errors (4xx/5xx)
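# pipefail makes the pipeline return curl's non-zero exit; without it, jq's exit status decides and the echo never runs
set -o pipefail
curl -sf https://api.example.com/data | jq '.results' || echo "API call failed"
Rule: Always use -s (silent) when piping to jq. Add -f (fail) to get non-zero exit on HTTP errors. -sf is the standard combo for scripted API calls. In a pipeline, set -o pipefail so that jq's exit status does not mask curl's.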
Worklog: WRKLOG-2026-03-12
2026-03-19: Response Timing for API Performance
Problem: Need to measure API response times during ISE performance testing.
Context: ISE ERS performance benchmarking, comparing response times across policy set sizes
The Fix:
# -k skips server certificate verification while credentials are sent; use --cacert with the ISE CA chain where it is available
# Quick total time
curl -s -o /dev/null -w '%{time_total}\n' \
  -k -u "$ISE_API_USER:$ISE_API_PASS" \
  -H "Accept: application/json" \
  https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint
# Full timing breakdown
curl -s -o /dev/null -w 'dns: %{time_namelookup}\nconnect: %{time_connect}\ntls: %{time_appconnect}\ntotal: %{time_total}\n' \
  -k -u "$ISE_API_USER:$ISE_API_PASS" \
  -H "Accept: application/json" \
  https://ise-01.inside.domusdigitalis.dev:9060/ers/config/endpoint
Rule: -w format string gives precise timing. -o /dev/null discards body. Use for API performance baselines. time_appconnect minus time_connect isolates TLS negotiation cost.
Worklog: WRKLOG-2026-03-19
2026-03-30: mTLS Client Certificate Authentication
Problem: pxGrid and some enterprise APIs require mutual TLS (client cert + server cert verification).
Context: ISE pxGrid integration, mTLS API calls for session directory and profiler subscriptions
The Fix:
# mTLS requires three files
curl --cert /etc/ssl/certs/client.crt \
  --key /etc/ssl/private/client.key \
  --cacert /etc/ssl/certs/ca-chain.crt \
  https://ise-01.inside.domusdigitalis.dev:8910/pxgrid/control/AccountActivate
# Verify cert/key match BEFORE attempting mTLS
# (the modulus comparison applies to RSA keys; md5sum is only used to shorten the output)
CERT_MOD=$(openssl x509 -in /etc/ssl/certs/client.crt -noout -modulus | md5sum | cut -d' ' -f1)
KEY_MOD=$(openssl rsa -in /etc/ssl/private/client.key -noout -modulus 2>/dev/null | md5sum | cut -d' ' -f1)
[ "$CERT_MOD" = "$KEY_MOD" ] && echo "MATCH" || echo "MISMATCH"
Rule: mTLS requires three files: --cert (client cert), --key (client private key), --cacert (CA chain). All three must match. Verify key/cert modulus match before debugging TLS handshake failures.
Worklog: WRKLOG-2026-03-30
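Added example (not part of the original worklog entries): a pre-flight check for the three mTLS files that goes beyond the RSA modulus comparison by comparing public keys, so it also works for EC keys, and then checks expiry and the chain. The function name mtls_preflight and its status words are hypothetical; it assumes an unencrypted PEM key and that the same internal CA issued both the client and the server certificate.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of the three mTLS files before calling curl.
# mtls_preflight and its status strings are hypothetical names for illustration.
# Assumes an unencrypted PEM private key and the openssl CLI on PATH.

# usage: mtls_preflight CLIENT_CERT CLIENT_KEY CA_CHAIN
# Prints one status word; exit status is 0 only when every check passes.
# The ( ) body runs in a subshell, so variables stay local and exit is safe.
mtls_preflight() (
  cert=$1; key=$2; ca=$3

  # Extract the public key from each side as PEM.
  # pkey handles RSA and EC keys alike, unlike the RSA-only modulus check.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "UNREADABLE_CERT"; exit 2; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "UNREADABLE_KEY"; exit 2; }

  # Empty output must never compare as equal.
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "KEY_MISMATCH"; exit 1; }

  # -checkend 0 returns non-zero when the certificate has already expired.
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "EXPIRED"; exit 1; }

  # Assumption: the client cert is issued by the CA chain also used for --cacert.
  # If the server trusts a different CA for clients, verify against that instead.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "CHAIN_FAIL"; exit 1; }

  echo "OK"
)
```

Call it with the same three paths that go to --cert, --key and --cacert, and only run curl when it prints OK.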