Curl无法验证Verisign发行的通配符SSL证书 [英] Curl cannot verify wildcard SSL certificate issued by Verisign
问题描述
我有一个脚本,需要使用cURL来安全地连接到foo.bar.com网站,该网站由* .bar.com的通配SSL证书覆盖.
I have a script that needs to use cURL to securely connect to a web site, foo.bar.com that is covered by a wildcard SSL certificate for *.bar.com.
通配符证书由Verisign颁发,所有浏览器都信任它,没有任何问题.但是,我无法使PHP/cURL进行连接(至少在不禁用证书验证的情况下如此).
The wildcard certificate is issued by Verisign, and all browsers trust it without any problem. However, I cannot get PHP / cURL to connect (at least not without disabling certificate verification).
仅出于隔离问题的目的,我尝试仅使用命令行cURL(版本7.21.1)进行连接.我从Mozilla下载了更新的CA捆绑软件(保存为cacert.pem),然后运行:
Just for the sake of isolating the problem, I tried to connect using just command-line cURL (version 7.21.1). I downloaded an updated CA bundle from Mozilla (saved as cacert.pem), and then ran:
curl --cacert /path/to/cacert.pem "https://foo.bar.com"
结果是:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
我一直在谷歌搜索,并逐篇阅读有关此错误的文章,但似乎一无所获.
I've been Googling and reading post after post about this error, but can't seem to get anywhere.
如果我尝试使用任何普通的非通配符证书域,它似乎都可以正常工作,因此它似乎已本地化到此特定的通配符证书问题.我什至手动导出了信任链中的所有证书,并将它们手动添加到cacert.pem文件中(只是为了查看CA软件包是否丢失了某些内容),仍然没有.
If I try any normal, non-wildcard-certificate domain, it seems to work just fine, so it seems localized to this particular wildcard certificate issue. I've even manually exported all the certificates in the trust chain and manually added them into the cacert.pem file (just to see if the CA bundle was missing something), and still nothing.
最终,我想让它在PHP cURL中工作,但是我认为,如果可以确定命令行cURL的问题,该解决方案也可能适用于PHP脚本.
Ultimately, I want to get this working in PHP cURL, but I figure if I can determine the problem with command-line cURL, the solution will probably apply to the PHP script, as well.
推荐答案
问题可能不是卷曲,而是由于缺少链证书而导致的信任链不完整.桌面浏览器的问题较少,因为桌面浏览器在访问其他站点时会缓存此类证书,而某些浏览器甚至会下载丢失的证书.
The problem is probably not curl but an incomplete trust chain because of missing chain certificates. Desktop browsers have less problems with this because they cache such certificates when visiting other sites and some browsers even download missing certificates.
转到 SSLLabs 并检查站点.注意链问题".
Header over to SSLLabs and check the site. Look out for "Chain Issues".
如果我的回答是错误的,请添加相关的URL以及您使用的curl的版本,以便您可以仔细查看.
If my answer is wrong please add the relevant URL and also the version of curl you use, so that one can have a closer look.
这篇关于Curl无法验证Verisign发行的通配符SSL证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
