curl：（60）SSL证书：无法获取本地颁发者证书 [英] curl: (60) SSL certificate : unable to get local issuer certificate

问题描述

  root @ sclrdev：/ home / sclr / certs / FreshCerts＃curl --ftp-ssl --verbose ftp：// {abc} / -u trup：trup --cacert /etc/ssl/certs/ca-certificates.crt 
 *关于连接（）到{abc}端口21（＃0）
 *尝试{abc} ... 
 *连接到{abc}（{abc}）端口21（＃0）
< 220-Cerberus FTP服务器 - 家庭版
< 220  - 这是UNLICENSED Home Edition，可以用于家庭，个人使用
< 220  - 欢迎来到Cerberus FTP服务器
< 220创建者Cerberus，LLC 
> AUTH SSL 
< 234验证方法已接受
 *成功设置证书验证位置：
 * CAfile：/etc/ssl/certs/ca-certificates.crt 
 CApath：/ etc / ssl / certs 
 * SSLv3，TLS握手，客户端问候（1）：
 * SSLv3，TLS握手，服务器问候（2）：
 * SSLv3，TLS握手，CERT（11）：
 * SSLv3， TLS警报，服务器问候（2）：
 * SSL证书问题：无法获取本地颁发者证书
 *关闭连接0 
 curl：（60）SSL证书问题：无法获取本地颁发者证书
更多详细信息：http://curl.haxx.se/docs/sslcerts.html 
 
 curl默认执行SSL证书验证，使用捆绑
证书颁发机构（CA）公钥（CA证书）。如果默认的
 bundle文件不足，您可以使用--cacert选项指定一个备用文件
。 
如果此HTTPS服务器使用由
表示的CA签名的证书，则证书验证可能失败，原因是证书存在
问题（可能已过期，或者名称可能
与网址中的域名不匹配）。 
如果要禁用curl对证书的验证，请使用
 -k（或--insecure）选项。 
  

解决方案

关于SSL证书问题：无法获取本地发行者证书错误。显然这适用于发送CURL请求的系统（没有接收请求的服务器）

1）从 https://curl.haxx.se/ca/cacert.pem

2）将以下行添加到php.ini（如果这是共享托管，您不能访问php.ini然后你可以添加到.user.ini在public_html）

curl.cainfo = / path / to / downloaded / cacert.pem

<默认情况下，FastCGI进程将每隔300秒解析新文件（如果需要，您可以通过添加几个文件来更改频率，如这里所建议的 https://ss88.uk/blog/fast-cgi-and-user-ini-files-the-new-htaccess / ）

root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc} port 21 (#0)
*   Trying {abc}...
* Connected to {abc} ({abc}) port 21 (#0)
< 220-Cerberus FTP Server - Home Edition
< 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
< 220-Welcome to Cerberus FTP Server
< 220 Created by Cerberus, LLC
> AUTH SSL
< 234 Authentication method accepted
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

解决方案

Relating to 'SSL certificate problem: unable to get local issuer certificate' error. Rather obviously this applies to the system sending the CURL request (and no the server receiving the request)

1) Download the latest cacert.pem from https://curl.haxx.se/ca/cacert.pem

2) Add the following line to php.ini (if this is shared hosting and you don't have access to php.ini then you could add this to .user.ini in public_html)

curl.cainfo=/path/to/downloaded/cacert.pem

3) By default the FastCGI process will parse new files every 300 seconds (if required you can change the frequency by adding a couple of files as suggested here https://ss88.uk/blog/fast-cgi-and-user-ini-files-the-new-htaccess/)

这篇关于curl：（60）SSL证书：无法获取本地颁发者证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！