为什么 curl 不能识别自签名 SSL 证书? [英] Why won't curl recognise a self-signed SSL certificate?
问题描述
我将 PEM 文件复制到/usr/local/share/ca-certificates/并运行 update-ca-certificates,我验证生成的证书现在包含在/etc/ssl/certs/ca-certificates 中.crt 是 curl-config --ca 打印的文件.我还验证了 openssl s_client -connect example.com:443 打印的证书与我的 PEM 文件相同.但我继续收到错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败"消息.即使我按照 http://curl.haxx.se 中所述使用 curl 的 --cacert 选项,也会发生这种情况/docs/sslcerts.html 告诉它使用什么证书.
I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config --ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" message. This happens even if I use curl's --cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.
如果我使用 curl -k 完全禁用证书验证,它会起作用,但我不想这样做,因为我正在尝试编写一个应该正确测试 SSL 的测试工具.
It works if I disable certificate verification altogether with curl -k, but I don't want to do that because I'm trying to write a test harness that's supposed to test the SSL properly.
如果我在 lynx 中访问相同的 URL,它工作正常,如果有任何 SSL 错误,它通常会抱怨.但是我不能只将 Lynx 用于这个测试工具,除非我能找到某种方法让 Tornado 的 AsyncHTTPClient 使用 Lynx 而不是 libcurl.安装自签名证书满足 Lynx 但不满足 curl 似乎没有任何意义.
It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can't just use Lynx for this test harness, unless I can find some way of making Tornado's AsyncHTTPClient use Lynx instead of libcurl. And it doesn't seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.
我在 Vagrant 驱动的 VirtualBox 中使用 Ubuntu 12.04 LTS;它有 curl 7.22.0.SSL终止代理是在同一台机器上运行的nginx/1.3.13,域名通过/etc/hosts中的一个条目指向127.0.0.1.
I'm using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.
关于可能是什么问题的任何线索?谢谢.
Any clues on what might be the problem? Thanks.
推荐答案
如果我们使用 cURL
检索未使用 CA签名证书,出现如下问题:
If we use cURL
to retrieve a HTTPS
site that is not using a CA-signed certificate, the following problem occurs:
curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
虽然我们可以使用 -k
选项简单地解决这个问题,但有一个更安全和持久的解决方案,即:
While we can simply overcome this using the -k
option, there's a safer and lasting solution, i.e.:
步骤 1
确定您的 OpenSSL
安装使用哪个目录.
openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
第 2 步
切换到该目录并列出目录内容.您应该会看到一个名为 certs
的目录.
cd /usr/lib/ssl && ls -al
第 3 步
切换到那个目录.
Step 3
Change to that directory.
cd certs
列出目录内容.您应该从符号链接中看到证书实际上存储在 /usr/share/ca-certificates
中.
List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates
.
第 4 步
切换到 /usr/share/ca-certificates
目录并在那里添加您的自签名证书,(例如:your.cert.name.crt)
步骤 5
切换到 /etc
目录并编辑文件 ca-certificates.conf
.
root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf
将 your.cert.name.crt
添加到文件 (ca-certificates.conf
) 中并保存.
Add your.cert.name.crt
to the file (ca-certificates.conf
) and save it.
最后一步:
执行程序update-ca-certificates –fresh
.
注意:您可能希望在执行命令之前备份 /etc/ssl/certs
.
root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.
在您的目标 HTTPS 站点上使用 curl 进行测试,它现在应该可以工作了.
Test with curl on your target HTTPS site and it should work now.
这篇关于为什么 curl 不能识别自签名 SSL 证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!