在 Ubuntu 12.04 上为 Perl 5.14.2 LWP 安装新的 ca 证书 [英] Installing a new ca certificate for Perl 5.14.2 LWP on Ubuntu 12.04
问题描述
我在尝试使用 LWP 连接到特定 https 网站时遇到以下错误:
I am getting the following error trying to connect to a specific https website using LWP:
LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/local/share/perl/5.14.2/LWP/Protocol/http.pm line 51.
我尝试使用 wget 并得到:
I tried with wget and got:
ERROR: cannot verify [domain]'s certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=********':
Unable to locally verify the issuer's authority.
我搜索了一下,发现我可能必须安装 Godaddy root ca 证书.我想出了如何做到这一点(下载证书,放入/usr/share/ca-certificates 并运行 update-ca-certificates).过程中也学会了openssl s_client的使用.
I googled around and discovered that I probably had to install the godaddy root ca cert. I figured out how to do that (download certificates, put in /usr/share/ca-certificates and run update-ca-certificates). I also learnt how to use openssl s_client in the process.
现在证书已安装,wget 工作,但 LWP 仍然失败并出现相同的错误,openssl s_client 也是如此:
Now that the certificate is installed, wget works, but LWP still fails with the same error and so does openssl s_client:
# openssl s_client -connect [domain]:443
CONNECTED(00000003)
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1
我不知道下一步该去哪里进行这项工作.有什么建议吗?
I have no idea where to go next to get this working. Any suggestions?
已解决这是一个简单的脚本,描述了在 mikew 的建议之后的工作:
SOLVED Here is a simple script that describes what worked after mikew's suggestion:
#!/usr/bin/perl
use LWP::UserAgent;
$URL="[domain]";
my $ua = LWP::UserAgent->new(ssl_opts => { SSL_ca_path=>'/etc/ssl/certs'});
my $response = $ua->get($URL);
推荐答案
要获得更具体的答案,我们需要知道您是如何实例化 LWP 对象的.
For a more specific answer, we'd need to know how you are instantiating your LWP object.
但您可能需要了解的是 LWP 构造函数中 ssl_opts 的 SSL_ca_file 和 SSL_ca_path 选项.如果没有这些集合中的任何一个,它将假定 Mozilla_CA 是用于验证网站的 CA.
But what you probably need to know about is the SSL_ca_file and SSL_ca_path options for ssl_opts in the LWP constructor. Without one of these set, it assumes the Mozilla_CA is the CA to to use to verify websites.
参见 LWP::Protocol::https和 LWP::UserAgent、ssl_opts 构造函数选项.
See LWP::Protocol::https
And LWP::UserAgent, ssl_opts constructor option.
如果您使用的是 lwp-download 之类的东西,而不是自己实际实例化 LWP::UserAgent 对象,那么您需要设置 PERL_LWP_SSL_CA_FILE 环境变量以指向您的证书颁发机构或设置 PERL_LWP_SSL_CA_PATH 到您的 CA 路径.您也可以只设置这些而不是传递给 ssl_opts.
If you are using something like lwp-download and not actually instantiating the LWP::UserAgent object yourself, then you need to set the PERL_LWP_SSL_CA_FILE environment variable to point to your certificate authority or set PERL_LWP_SSL_CA_PATH to your CA path. You can just set these instead of passing in to ssl_opts as well.
如果你不是特别担心做这些验证,喜欢危险的生活,你可以设置 verify_hostname =>; 或将 ssl_opts 为 0PERL_LWP_VERIFY_HOSTNAME 环境变量设置为 0.
If you aren't particularly worried about doing all this verification and like to live dangerously, you can set verify_hostname => 0 for ssl_opts or set PERL_LWP_VERIFY_HOSTNAME environment variable to 0.
如文档中所述,LWP 5.837 及更早版本默认关闭了 verify_hostname,而更高版本默认开启
And as noted in the documentation, LWP 5.837 and earlier had verify_hostname off by default, whereas later versions default to it being on
这篇关于在 Ubuntu 12.04 上为 Perl 5.14.2 LWP 安装新的 ca 证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
