即使安装了捆绑包也无法获得本地发行者证书 [英] unable to get local issuer certificate even with bundle installed
问题描述
我知道已经在这里问过类似的问题,但是我认为我的问题有所不同.我正在尝试向适当的SSL网站(它不是自签名的)提出一个curl请求.我可以轻松设置选项,甚至可以将CA证书捆绑导入正确的位置.我希望一切都很好,但我仍然可以得到:
I know something similar to this has already been asked around here but I think my problem is different. I'm trying to make a curl request to a propper SSL website (its not self-signed). I can set the options easily and even imported the CA certificate bundle to the right place. All fine and good I would hope but I'm still getting :
SSL certificate problem: unable to get local issuer certificate
我在这里和Google周围转了一圈,似乎无法解决问题.这是我的卷曲设置:
I've looked around here and on google and can't seem to solve the issue. Here's my curl setup:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,2);
//curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_AUTOREFERER, true);
curl_setopt($ch, CURLOPT_VERBOSE, true);
curl_setopt($ch, CURLOPT_CERTINFO, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, getcwd()."/cookie_jar");
curl_setopt($ch, CURLOPT_HEADER, true);
$result = curl_exec($ch);
Edit2:这是请求的详细输出:
Here's the verbose output as requested:
* Adding handle: conn: 0x3472770
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x3472770) send_pipe: 1, recv_pipe: 0
* About to connect() to www.caixagest.pt port 443 (#0)
* Trying 195.234.134.196...
* Connected to www.caixagest.pt (195.234.134.196) port 443 (#0)
* error setting certificate verify locations:
CAfile: C:\Winginx\ssl\certs\ca-bundle-old.crt
CApath: none
* Closing connection 0
error setting certificate verify locations:
CAfile: C:\Winginx\ssl\certs\ca-bundle-old.crt
CApath: none
推荐答案
如果没有URL,curl版本和编译选项以及CA软件包的内容,很难说,但是最常见的情况是:
It's hard to say without having the URL, the curl version and compile options and the contents of your CA bundle but the most common cases are:
- 服务器忘记包含重要的链证书.使用 SSLLabs 进行分析时,请查找链问题"和额外下载".
- curl的OpenSSL后端具有不同的信任路径.有关详细信息,请参见 https://stackoverflow.com/a/30068150/3081018 .
- 不支持SNI的旧curl版本,因此服务器发送了错误的证书.
- Server forgot to include important chain certificates. Look ot for "chain issues" and "extra download" when doing the analysis with SSLLabs.
- Different trust path with the OpenSSL backend of curl. See https://stackoverflow.com/a/30068150/3081018 for details.
- Old curl version which does not support SNI, so server sends the wrong certificate.
可能会从您那里获得更多信息,以提供更详细的帮助.
More detailed help might be available with more information from you.
这篇关于即使安装了捆绑包也无法获得本地发行者证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
