curl gives an SSL certificate error

Recently I started running into problems when using curl with SSL (it gives certificate errors). The packages are up to date. I tried running "update-ca-certificates --fresh", but it didn't help.

# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 233394 may  3 14:20 /etc/ssl/certs/ca-certificates.crt
# apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20170717~16.04.1).
0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
# sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

updates of cacerts keystore disabled.
Updating Mono key store
Linux Cert Store Sync - version 4.2.1.0
Synchronize local certs with certs from local Linux trust store.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.

I already trust 149, your new list has 148
Import process completed.
Done
done.
# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ | wc -l    
452


$ ls -l /etc/ssl/certs/ | head
total 708
lrwxrwxrwx 1 root root     26 may  3 14:30 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root     45 may  3 14:30 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root     23 may  3 14:30 02756ea4.0 -> Certplus_Root_CA_G1.pem
lrwxrwxrwx 1 root root     31 may  3 14:30 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root     36 may  3 14:30 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root     25 may  3 14:30 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root     41 may  3 14:30 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root     40 may  3 14:30 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
lrwxrwxrwx 1 root root     27 may  3 14:30 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pe

This happens with most websites, but not all of them:

$ curl https://yahoo.com    
redirect$ 
$ curl https://google.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Versions of everything:

$ curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
$ openssl version
OpenSSL 1.0.2g  1 Mar 2016

Answer 1

It turned out that my employer uses a piece of software called Netskope to perform a man-in-the-middle attack. Since the certificate is installed on the host (Windows) while I am running Ubuntu in VirtualBox, many domains started failing.

The solutions are:

  • Remove Netskope (but I can't, or shouldn't)
  • Use a VPN inside the VM
  • Install the fake certificate in the Ubuntu VM
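
As an added illustration that is not part of the original question or answer, the script below reproduces the failure offline with a throwaway stand-in for the proxy's root CA and then applies the trust-store fix from the last bullet. It assumes the openssl command-line tool is installed; the CA names, the fake github.com leaf certificate and the temporary paths are all constructed.

```shell
#!/bin/bash
# Added example, not from the original post. Everything is constructed: a
# "Public Root CA" stands in for the distro bundle, "Example Proxy Root CA"
# for the interception proxy's root, and the leaf is a fake github.com cert.
set -eu
WORK=$(mktemp -d)
# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/req.cnf"

make_ca() {  # $1 = file stem, $2 = common name
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# The situation from the question: the system bundle knows only the public
# CA, but the server's leaf certificate was signed by the proxy CA.
make_intercepted_chain() {
  make_ca public-ca "Public Root CA"
  make_ca proxy-ca "Example Proxy Root CA"
  cp "$WORK/public-ca.crt" "$WORK/system-bundle.crt"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=github.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/proxy-ca.crt" -CAkey "$WORK/proxy-ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.crt" 2>/dev/null
}

# The check curl runs before sending the request; failing it is error 60.
verify_against() {  # $1 = CA bundle, $2 = leaf certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Diagnosis: a corporate name as issuer instead of a public CA means the
# connection is intercepted. Against a live host the same line comes from
#   openssl s_client -connect github.com:443 </dev/null | openssl x509 -noout -issuer
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# The answer's last bullet, applied to a copy of the bundle. On the real VM
# (as root; the file name must end in .crt):
#   cp proxy-ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates
install_into_bundle() {  # $1 = system bundle, $2 = CA to add, $3 = new bundle
  cat "$1" "$2" > "$3"
}

make_intercepted_chain
echo "leaf $(issuer_of "$WORK/leaf.crt")"
verify_against "$WORK/system-bundle.crt" "$WORK/leaf.crt" \
  && echo "trusted by system bundle" || echo "NOT trusted: curl would report error 60"
install_into_bundle "$WORK/system-bundle.crt" "$WORK/proxy-ca.crt" "$WORK/fixed-bundle.crt"
verify_against "$WORK/fixed-bundle.crt" "$WORK/leaf.crt" && echo "trusted after adding the proxy CA"
```

Running it prints the proxy CA as the leaf's issuer, a failed verification against the original bundle, and a successful one once the proxy CA has been appended.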
