为什么curl无法识别自签名SSL证书? [英] Why won't curl recognise a self-signed SSL certificate?

问题描述

我将PEM文件复制到/usr/local/share/ca-certificates/中，并运行update-ca-certificates，并验证了所生成的证书现在已包含在/etc/ssl/certs/ca-certificates中. crt是curl-config --ca打印的文件.我还验证了openssl s_client -connect example.com:443打印的证书与我的PEM文件相同.但我仍然收到错误:14090086:SSL例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败"消息.即使我使用 http://curl.haxx.se中所述的curl的--cacert选项，也会发生这种情况/docs/sslcerts.html 告诉它要使用的证书.

I copied the PEM file into /usr/local/share/ca-certificates/ and ran update-ca-certificates, and I verified that the resulting certificate is now included in /etc/ssl/certs/ca-certificates.crt which is the file printed by curl-config --ca. I also verified that the certificate printed by openssl s_client -connect example.com:443 was identical to my PEM file. And yet I continue to get the "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" message. This happens even if I use curl's --cacert option as described at http://curl.haxx.se/docs/sslcerts.html to tell it what certificate to use.

如果我完全与curl -k一起禁用了证书验证，那么它可以工作，但是我不想这样做，因为我正在尝试编写一个应该正确测试SSL的测试工具.

It works if I disable certificate verification altogether with curl -k, but I don't want to do that because I'm trying to write a test harness that's supposed to test the SSL properly.

如果我在lynx中访问相同的URL，效果很好，通常会抱怨是否有SSL错误.但是我不能仅将Lynx用于此测试工具，除非可以找到使Tornado的AsyncHTTPClient使用Lynx而不是libcurl的某种方式.而且，安装自签名证书可以满足Lynx的要求，但不能满足要求.

It works fine if I access the same URL in lynx, which normally complains if there are any SSL errors. But I can't just use Lynx for this test harness, unless I can find some way of making Tornado's AsyncHTTPClient use Lynx instead of libcurl. And it doesn't seem to make any sense that installing the self-signed certificate satisfies Lynx but not curl.

我在由Vagrant提供支持的VirtualBox中使用Ubuntu 12.04 LTS；它具有curl 7.22.0. SSL终止代理是在同一台计算机上运行的nginx/1.3.13，/etc/hosts中的条目将域名指向127.0.0.1.

I'm using Ubuntu 12.04 LTS in a Vagrant-powered VirtualBox; it has curl 7.22.0. The SSL terminating proxy is nginx/1.3.13 running on the same machine, and the domain name is pointed to 127.0.0.1 by an entry in /etc/hosts.

关于什么可能是问题的任何线索?谢谢.

Any clues on what might be the problem? Thanks.

推荐答案

如果我们使用 cURL 来检索未使用HTTPS网站. aspx"rel =" noreferrer> CA签名的证书，会发生以下问题:

If we use cURL to retrieve a HTTPS site that is not using a CA-signed certificate, the following problem occurs:

curl https://example.selfip.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

虽然我们可以简单地使用-k选项克服此问题，但有一个更安全，更持久的解决方案，即:

While we can simply overcome this using the -k option, there's a safer and lasting solution, i.e.:

第1步
确定您的OpenSSL安装使用哪个目录.

Step 1
Identify which directory your OpenSSL installation uses.

openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

第2步
转到该目录并列出目录内容.您应该看到一个名为certs的目录.

Step 2
Change to that directory and list the directory contents. You should see a directory called certs.

cd /usr/lib/ssl && ls -al

第3步
转到该目录.

Step 3
Change to that directory.

cd certs

列出目录内容.您应该从符号链接中看到证书实际上存储在/usr/share/ca-certificates中.

List the directory contents. You should see from the symlinks that the certificates are actually stored in /usr/share/ca-certificates.

第4步
转到/usr/share/ca-certificates目录，并在其中添加自签名证书(例如:your.cert.name.crt)

Step 4
Change to /usr/share/ca-certificates directory and add you self-signed certificate there, (ex: your.cert.name.crt)

第5步
转到/etc目录并编辑文件ca-certificates.conf.

Step 5
Change to /etc directory and edit the file ca-certificates.conf.

root@ubuntu:# cd /etc
root@ubuntu:# nano ca-certificates.conf

将your.cert.name.crt添加到文件(ca-certificates.conf)并保存.

Add your.cert.name.crt to the file (ca-certificates.conf) and save it.

最后一步:

执行程序update-ca-certificates –fresh.
注意:您可能想在执行命令之前备份/etc/ssl/certs.

Execute the program update-ca-certificates –fresh.
Note: You might like to backup /etc/ssl/certs before executing the command.

root@ubuntu:# update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...done.
Updating certificates in /etc/ssl/certs....done.
Running hooks in /etc/ca-certificates/update.d....done.

在目标HTTPS站点上使用curl测试，它现在应该可以正常工作.

Test with curl on your target HTTPS site and it should work now.

来源

这篇关于为什么curl无法识别自签名SSL证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！