curl cannot get local certificates on Ubuntu

I am using Ubuntu 14.04 64-bit with the Unity desktop. It is fully updated, with the latest version of ca-certificates and the latest available version of Firefox.

One day I was trying to download something from Harper's website and found that curl was complaining about the certificate.

If I run this command line:

curl -v https://harpers.org/wp-content/themes/harpers/images/logoBlack.png

I get the following output:

  * Hostname was NOT found in DNS cache
  *   Trying 54.243.234.21...
  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS alert, Server hello (2):
  * SSL certificate problem: unable to get local issuer certificate
  * Closing connection 0
  curl: (60) SSL certificate problem: unable to get local issuer certificate

This is silly, because Harper's certificate is issued by DigiCert, and Firefox ships with that certificate.

[certificate screenshot]

So I did this manually just to see whether it would work:

  cd /tmp/
  wget https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt
  openssl x509 -in DigiCertGlobalRootCA.crt -inform DER -out DigiCertGlobalRootCA.pem -outform PEM

  wget https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
  openssl x509 -in DigiCertSHA2SecureServerCA.crt -inform DER -out DigiCertSHA2SecureServerCA.pem -outform PEM

  cat DigiCertGlobalRootCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
  cat DigiCertSHA2SecureServerCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem

  curl -v --cacert DigiCertGlobalRootCASHA2SecureServerCA.pem \
       https://harpers.org/wp-content/themes/harpers/images/logoBlack.png \
       -o logoBlack.png 2> down.log

and got this:

  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  *   CAfile: DigiCertGlobalRootCASHA2SecureServerCA.pem
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  } [data not shown]
  * SSLv3, TLS handshake, Server hello (2):
  { [data not shown]
  * SSLv3, TLS handshake, CERT (11):
  { [data not shown]
  * SSLv3, TLS handshake, Server key exchange (12):
  { [data not shown]
  * SSLv3, TLS handshake, Server finished (14):
  { [data not shown]
  * SSLv3, TLS handshake, Client key exchange (16):
  } [data not shown]
  * SSLv3, TLS change cipher, Client hello (1):
  } [data not shown]
  * SSLv3, TLS handshake, Finished (20):
  } [data not shown]
  * SSLv3, TLS change cipher, Client hello (1):
  { [data not shown]
  * SSLv3, TLS handshake, Finished (20):
  { [data not shown]
  * SSL connection using ECDHE-RSA-AES256-GCM-SHA384
  * Server certificate:
  *      subject: C=US; ST=New York; L=New York; O=Harper's Magazine Foundation; CN=*.harpers.org
  *      start date: 2016-01-11 00:00:00 GMT
  *      expire date: 2019-01-15 12:00:00 GMT
  *      subjectAltName: harpers.org matched
  *      issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
  *      SSL certificate verify ok.
  > GET /wp-content/themes/harpers/images/logoBlack.png HTTP/1.1
  > User-Agent: curl/7.35.0
  > Host: harpers.org
  > Accept: */*
  > 
  < HTTP/1.1 200 OK
  < Date: Mon, 29 May 2017 20:20:38 GMT
  * Server Apache/2.4.18 (Ubuntu) is not blacklisted
  < Server: Apache/2.4.18 (Ubuntu)
  < Last-Modified: Fri, 14 Dec 2012 10:10:30 GMT
  < ETag: "24d7-4d0cd3dc47180"
  < Accept-Ranges: bytes
  < Content-Length: 9431
  < Content-Type: image/png
  < 
  { [data not shown]

  100  9431  100  9431    0     0  12707      0 --:--:-- --:--:-- --:--:-- 12710
  * Connection #0 to host harpers.org left intact

Any suggestions?

Answer 1

This solved the problem:

# fetch the DigiCert intermediate CA and convert it from DER to PEM
wget -P '/tmp/' -nv 'https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt'
openssl x509 -in '/tmp/DigiCertSHA2SecureServerCA.crt' -inform DER \
             -out '/tmp/DigiCertSHA2SecureServerCA.pem' -outform PEM
# install it in the CApath curl already uses and rebuild the hash symlinks
sudo cp -uv '/tmp/DigiCertSHA2SecureServerCA.pem' '/etc/ssl/certs'
sudo c_rehash
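
The error in the question means OpenSSL's chain builder could not find the certificate that issued the server's leaf: neither the handshake nor the local store supplied the intermediate, so the chain never reaches the DigiCert root that ca-certificates already ships. The script below is an added example, not code from the question or the answer. It builds a throwaway three-tier chain with the openssl CLI (root, intermediate and leaf; every name such as `Demo Root CA` and `demo.example` is made up), reproduces `unable to get local issuer certificate` when only the root is trusted, and then shows the two ways verification succeeds: passing the intermediate as an untrusted link, which is what a correctly configured server does in its handshake, and dropping it into a hashed CApath directory next to the root, which is what the answer does with `/etc/ssl/certs` and `c_rehash`. A small `missing_issuer` helper walks a PEM bundle and names the issuer that nothing vouches for.

```shell
#!/bin/sh
# Added example (not from the question or the answer). Reproduces
# "unable to get local issuer certificate" with a locally generated chain and
# shows what closes the gap. All names (Demo Root CA, demo.example, ...) are
# made up for the demo. Requires only the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:demo.example\n' > "$WORK/leaf.ext"

# csr NAME CN: write NAME.key and NAME.csr for the given common name.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Three-tier chain: self-signed root -> intermediate -> leaf.
make_chain() (
  cd "$WORK"
  csr root "Demo Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext \
      -out root.pem 2>/dev/null
  csr intermediate "Demo Intermediate CA"
  openssl x509 -req -in intermediate.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 1825 -extfile ca.ext -out intermediate.pem 2>/dev/null
  csr leaf demo.example
  openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey intermediate.key \
      -CAcreateserial -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null
)

# The situation in the question: the root is trusted, nothing supplies the
# intermediate. Succeeds (returns 0) only if OpenSSL reports the same error.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 \
    | grep -q 'unable to get local issuer certificate'
}

# A well-behaved server sends the intermediate in the handshake; for
# "openssl verify" that is the -untrusted argument.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
      "$WORK/leaf.pem" >/dev/null 2>&1
}

# The answer's fix: the intermediate lives in a hashed CApath beside the root.
# "openssl rehash" is the built-in equivalent of the c_rehash script.
verify_with_capath() {
  d="$WORK/certs"; mkdir -p "$d"
  cp "$WORK/root.pem" "$WORK/intermediate.pem" "$d"/
  openssl rehash "$d" >/dev/null 2>&1 || c_rehash "$d" >/dev/null 2>&1
  openssl verify -CApath "$d" "$WORK/leaf.pem" >/dev/null 2>&1
}

# dn subject|issuer FILE: print the DN without the "subject=" / "issuer=" prefix.
dn() { openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# missing_issuer BUNDLE TRUSTFILE: walk the certificates in BUNDLE (what a
# server would present) and print the first issuer that neither the bundle nor
# TRUSTFILE contains; returns 0 and prints nothing when every link has a parent.
missing_issuer() {
  bundle=$1; trust=$2; d=$(mktemp -d)
  m=$(grep -c 'BEGIN CERTIFICATE' "$bundle")
  total=$(cat "$bundle" "$trust" | grep -c 'BEGIN CERTIFICATE')
  cat "$bundle" "$trust" | awk -v d="$d" '/BEGIN CERTIFICATE/{n++} {print > (d "/c" n ".pem")}'
  i=1
  while [ "$i" -le "$total" ]; do dn subject "$d/c$i.pem" >> "$d/subjects"; i=$((i+1)); done
  i=1
  while [ "$i" -le "$m" ]; do
    iss=$(dn issuer "$d/c$i.pem")
    if ! grep -qxF -- "$iss" "$d/subjects"; then printf '%s\n' "$iss"; rm -rf "$d"; return 1; fi
    i=$((i+1))
  done
  rm -rf "$d"; return 0
}

make_chain
verify_root_only && echo "root only, no intermediate: unable to get local issuer certificate"
verify_with_intermediate && echo "intermediate passed as -untrusted: OK"
verify_with_capath && echo "intermediate in hashed CApath (the answer's fix): OK"
echo "leaf-only bundle, dangling issuer: $(missing_issuer "$WORK/leaf.pem" "$WORK/root.pem" || true)"
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/bundle.pem"
missing_issuer "$WORK/bundle.pem" "$WORK/root.pem" && echo "leaf+intermediate bundle: complete"
```

To run the same check against a real server, save the certificates printed by `openssl s_client -connect host:443 -showcerts` to a file and pass it to `missing_issuer` with the system bundle (`/etc/ssl/certs/ca-certificates.crt` on Ubuntu) as the trust file: a leaf whose issuer comes back as dangling is the server-side cause of the error in the question, and the answer's fix only papers over it on that one client.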
