SSL 证书错误 [英] SSL certificate error

问题描述

我正在测试对本地节点服务器的 SSL 访问，在选项中使用密钥、ca、cert(自签名 w OpenSSL)

I am testing SSL access to a local node server with key,ca,cert in options ( self-signed w OpenSSL)

var server_options = {
  key: fs.readFileSync('/etc/ssl/self-signed/server.key'),
  ca: fs.readFileSync('/etc/ssl/self-signed/server.csr'),
  cert: fs.readFileSync('/etc/ssl/self-signed/server.crt')
};

尝试访问它:

curl -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token

使用 curl 时出现以下错误:

using curl I get the following error:

curl: (60) SSL 证书问题，验证 CA 证书是否正常.细节:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

我从 http://curl.haxx.se/ca/cacert 下载了 ca 证书.pem 并将它们添加到我的 curl-ca-bundle-new.crt 文件中，正如一些与 curl 相关的帖子中所建议的那样......但没有办法

I downloaded the ca certificate from http://curl.haxx.se/ca/cacert.pem and add them to my curl-ca-bundle-new.crt file, as suggested in some posts related to curl... but no way

这是日志

• 关于connect()到macMini.local 8000端口(#0)
  
  
  • 正在尝试 192.168.1.14...
  • 已连接
  • 连接到 macMini.local (192.168.1.14) 端口 8000 (#0)
  • SSLv3、TLS 握手、客户端问候 (1):
  • SSLv3、TLS 握手、服务器问候 (2):
  • SSLv3、TLS 握手、CERT (11):
  • SSLv3、TLS 警报、服务器问候 (2):
  • SSL 证书问题，请验证 CA 证书是否正常.细节:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
  • 关闭连接#0curl: (60) SSL 证书问题，验证 CA 证书是否正常.细节:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败更多详情请见:http://curl.haxx.se/docs/sslcerts.html

  我知道我可以绕过 Curl CA 检查，使用:

  I know I can bypass the Curl CA checking, using:

  curl -k -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token
  

  在这种情况下它运行良好，我可以看到:

  in which case it's running fine, I can see:

  SSL 证书验证结果:自签名证书 (18)，继续.

  SSL certificate verify result: self signed certificate (18), continuing anyway.

  但是我想知道是否有任何方法可以解决此问题...

  but I'd like to know if there is any way to solve this issue...

  推荐答案

  您应该将自签名证书添加到 CA 包中.否则，curl 无法知道它是可信的.

  It's your self-signed certificate that you should add to your CA bundle. Otherwise, curl can't know it can be trusted.

  这篇关于SSL 证书错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！