我无法使用 https 连接到某些网站。wget 和 curl 抱怨无法验证证书。我推测这是因为我的 NAS 上缺少根证书。例如:
ReadyNAS:~# wget https://pypi.python.org/
--2016-04-12 20:08:51-- https://pypi.python.org/
Resolving pypi.python.org... 23.235.43.223
Connecting to pypi.python.org|23.235.43.223|:443... connected.
ERROR: cannot verify pypi.python.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA':
Unable to locally verify the issuer's authority.
ERROR: certificate common name `www.python.org' doesn't match requested host name `pypi.python.org'.
To connect to pypi.python.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
我已经手动编译并更新了 curl 和 wget 到相当新的版本(GNU Wget 1.11.4;libcurl/7.45.0 GnuTLS/3.3.18 zlib/1.2.3.3),但无济于事。
背景故事:我的 NAS 上的 Linux 发行版相当老旧(Debian Sid,Linux 2.6.37.6)。用于更新 SSL 存储的常规命令似乎不起作用。
我如何找到这些连接问题的原因并解决它们?
答案1
有两个错误:
ERROR: cannot verify pypi.python.org's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA': Unable to locally verify the issuer's authority.
这意味着 DigiCert CA 不在 OS 信任库中。您应该能够通过下载 CA crt(即从 Firefox)然后添加它来添加它:
cp digicert.crt /usr/local/share/ca-certificates/digicert.crt
update-ca-certificates
(我不太确定这些命令但是应该也适用于旧的 Debian...)
ERROR: certificate common name `www.python.org' doesn't match requested host name `pypi.python.org'.
这意味着证书不是为域名 pypi.python.org 颁发的,但是,使用 Firefox 检查证书时,我可以看到 pypi.python.org 已列入证书中。也许这是由于缺少 CA 而导致的误报,请尝试提前修复它。
[nostalgic]噢,好老的 2.6 内核 :D[/nostalgic]