curl 出现 SSL 证书错误

最近，我开始在使用 SSL curl 时遇到问题（它给出证书错误）。软件包是最新的。尝试执行“update-ca-certificates --fresh”，但没有成功。

# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 233394 may  3 14:20 /etc/ssl/certs/ca-certificates.crt
# apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20170717~16.04.1).
0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
# sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

updates of cacerts keystore disabled.
Updating Mono key store
Linux Cert Store Sync - version 4.2.1.0
Synchronize local certs with certs from local Linux trust store.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

I already trust 149, your new list has 148
Import process completed.
Done
done.
# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ | wc -l    
452


$ ls -l /etc/ssl/certs/ | head
total 708
lrwxrwxrwx 1 root root     26 may  3 14:30 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root     45 may  3 14:30 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root     23 may  3 14:30 02756ea4.0 -> Certplus_Root_CA_G1.pem
lrwxrwxrwx 1 root root     31 may  3 14:30 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root     36 may  3 14:30 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root     25 may  3 14:30 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root     41 may  3 14:30 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     40 may  3 14:30 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
lrwxrwxrwx 1 root root     27 may  3 14:30 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pe

大多数网站都会发生这种情况，但并非所有网站

$ curl https://yahoo.com    
redirect$ 
$ curl https://google.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

所有东西的版本：

$ curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
$ openssl version
OpenSSL 1.0.2g  1 Mar 2016