SSL 证书错误 [英] SSL certificate error
问题描述
我正在测试对本地节点服务器的 SSL 访问,在选项中使用密钥、ca、cert(自签名 w OpenSSL)
I am testing SSL access to a local node server with key,ca,cert in options ( self-signed w OpenSSL)
var server_options = {
key: fs.readFileSync('/etc/ssl/self-signed/server.key'),
ca: fs.readFileSync('/etc/ssl/self-signed/server.csr'),
cert: fs.readFileSync('/etc/ssl/self-signed/server.crt')
};
尝试访问它:
curl -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token
使用 curl 时出现以下错误:
using curl I get the following error:
curl: (60) SSL 证书问题,验证 CA 证书是否正常.细节:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
我从 http://curl.haxx.se/ca/cacert 下载了 ca 证书.pem 并将它们添加到我的 curl-ca-bundle-new.crt 文件中,正如一些与 curl 相关的帖子中所建议的那样......但没有办法
I downloaded the ca certificate from http://curl.haxx.se/ca/cacert.pem and add them to my curl-ca-bundle-new.crt file, as suggested in some posts related to curl... but no way
这是日志
- 关于connect()到macMini.local 8000端口(#0)
- 正在尝试 192.168.1.14...
- 已连接
- 连接到 macMini.local (192.168.1.14) 端口 8000 (#0)
- SSLv3、TLS 握手、客户端问候 (1):
- SSLv3、TLS 握手、服务器问候 (2):
- SSLv3、TLS 握手、CERT (11):
- SSLv3、TLS 警报、服务器问候 (2):
- SSL 证书问题,请验证 CA 证书是否正常.细节:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败
- 关闭连接#0curl: (60) SSL 证书问题,验证 CA 证书是否正常.细节:错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书验证失败更多详情请见:http://curl.haxx.se/docs/sslcerts.html
我知道我可以绕过 Curl CA 检查,使用:
I know I can bypass the Curl CA checking, using:
curl -k -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token
在这种情况下它运行良好,我可以看到:
in which case it's running fine, I can see:
SSL 证书验证结果:自签名证书 (18),继续.
SSL certificate verify result: self signed certificate (18), continuing anyway.
但是我想知道是否有任何方法可以解决此问题...
but I'd like to know if there is any way to solve this issue...
推荐答案
您应该将自签名证书添加到 CA 包中.否则,curl 无法知道它是可信的.
It's your self-signed certificate that you should add to your CA bundle. Otherwise, curl can't know it can be trusted.
这篇关于SSL 证书错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!