cURL：CURLOPT_CAPATH包含正确的证书，但是不起作用 [英] cURL: CURLOPT_CAPATH contains correct cert but doesn't work

问题描述

以下脚本可用于 PHP 5.6.23 ：

$options = [
    CURLOPT_POST => 1,
    CURLOPT_URL => 'https://uat.dwolla.com/oauth/rest/offsitegateway/checkouts',
    CURLOPT_RETURNTRANSFER => 1,
    CURLOPT_POSTFIELDS => json_encode(['name'=>'value']),
    CURLOPT_HTTPHEADER => ['Content-Type: application/json'],
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_CAINFO => '/path/to/certs/GoDaddyRootCertificateAuthority-G2.crt',
];
$ch = curl_init();

curl_setopt_array($ch, $options);
if( ! $result = curl_exec($ch)) $err = curl_error($ch);
else $err = null;

curl_close($ch);

if($err) echo $err;
else print_r(json_decode($result,true));

我从Dwolla的付款API得到了预期的响应。为了使脚本更具动态性，我尝试将其更改为指向托管我希望cURL信任的证书的目录。因此我将最后一个选项（ CURLOPT_CAINFO ）更改为：

I get the expected response from Dwolla's payment API. To make my script more dynamic, I tried to change it to refer to the directory that hosts the certs I want cURL to trust. So I changed the last option (CURLOPT_CAINFO) to:

CURLOPT_CAPATH => '/path/to/certs'

这会破坏脚本，但未建立连接；错误是：

This breaks the script however and no connection is made; the error is:

SSL证书问题：无法获取本地发行者证书

SSL certificate problem: unable to get local issuer certificate

我知道目录是正确的，并且证书文件有效，因为原始脚本引用了该目录中的证书。我希望 cURL 扫描目录中的文件并找到所需的证书，但这没有发生。为什么会这样？

I know the directory is correct and the cert file is valid since the original script refers to the cert in that same directory. I expected cURL to scan the files in the directory and find the cert it needs but this isn't happening. Why is this?

推荐答案

如果仅将CApath指向某个目录并将证书放入此目录，则该目录不起作用。为了高效地查找正确的CA证书，此目录中的文件需要具有源自证书主题的名称。例如，您可能会在 / etc / ssl / certs 中找到以下内容：

It does not work if you just point CApath to some directory and put the certificates into this directory. To make the finding of the correct CA certificate efficient the files in this directory need to have names derived from the subject of the certificate. For example you'll might find the following in /etc/ssl/certs:

   ff783690.0 -> UTN_USERFirst_Hardware_Root_CA.pem
   ff588423.0 -> ComSign_CA.pem
   ...

此处文件名基于证书的哈希值主题并指向真实证书。有关如何创建必要文件名的信息，请参见如何计算CA使用的哈希值
。

Here the filenames are based on the hashes of the certificate's subject and point to the real certificate. For information on how to create the necessary filename see How to calculate the hash value used by CA file names .

另请参见 openssl验证手册页：

-CApath目录

受信任证书的目录。证书的名称格式应为：hash.0或具有此格式的符号链接（ hash是哈希的证书主题名称：请参阅x509实用程序的-hash选项）。在Unix下，c_rehash脚本将自动创建指向证书目录的符号链接。

-CApath directory
A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.

这篇关于cURL：CURLOPT_CAPATH包含正确的证书，但是不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！