我使用的是 Ubuntu 14.04 64 位和 Unity 桌面。它已完全更新,包含最新版本的 ca 证书和最新可用的 Firefox 版本。
有一天,我试图从 Harper 的网站下载一些东西,发现 curl 正在抱怨证书。
如果我执行这个cli:
curl -v https://harpers.org/wp-content/themes/harpers/images/logoBlack.png
我得到以下输出:
* Hostname was NOT found in DNS cache
* Trying 54.243.234.21...
* Connected to harpers.org (54.243.234.21) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
这很愚蠢,因为 Harper 的证书是由 DigiCert 颁发的,并且 Firefox 附带该证书。
所以我手动执行了这个操作只是为了看看它是否有效:
cd /tmp/
wget https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt
openssl x509 -in DigiCertGlobalRootCA.crt -inform DER -out DigiCertGlobalRootCA.pem -outform PEM
wget https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
openssl x509 -in DigiCertSHA2SecureServerCA.crt -inform DER -out DigiCertSHA2SecureServerCA.pem -outform PEM
cat DigiCertGlobalRootCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
cat DigiCertSHA2SecureServerCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
curl -v --cacert DigiCertGlobalRootCASHA2SecureServerCA.pem \
https://harpers.org/wp-content/themes/harpers/images/logoBlack.png \
-o logoBlack.png 2> down.log
并得到这个:
* Connected to harpers.org (54.243.234.21) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: DigiCertGlobalRootCASHA2SecureServerCA.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=New York; L=New York; O=Harper's Magazine Foundation; CN=*.harpers.org
* start date: 2016-01-11 00:00:00 GMT
* expire date: 2019-01-15 12:00:00 GMT
* subjectAltName: harpers.org matched
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
> GET /wp-content/themes/harpers/images/logoBlack.png HTTP/1.1
> User-Agent: curl/7.35.0
> Host: harpers.org
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Mon, 29 May 2017 20:20:38 GMT
* Server Apache/2.4.18 (Ubuntu) is not blacklisted
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Fri, 14 Dec 2012 10:10:30 GMT
< ETag: "24d7-4d0cd3dc47180"
< Accept-Ranges: bytes
< Content-Length: 9431
< Content-Type: image/png
<
{ [data not shown]
100 9431 100 9431 0 0 12707 0 --:--:-- --:--:-- --:--:-- 12710
* Connection #0 to host harpers.org left intact
有什么建议么?
答案1
这解决了问题
wget -P '/tmp/' -nv 'https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt'
openssl x509 -in '/tmp/DigiCertSHA2SecureServerCA.crt' -inform DER \
-out '/tmp/DigiCertSHA2SecureServerCA.pem' -outform PEM
sudo cp -uv '/tmp/DigiCertSHA2SecureServerCA.pem' '/etc/ssl/certs'
sudo c_rehash