How do I add a self-signed SSL certificate to the Linux (Ubuntu/Alpine) trust store?

I followed what appears to be the standard procedure for adding a certificate to the Linux trust store, and the certificate seems to have been added:

$ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

But curl and wget refuse to connect to the server that uses this certificate, with the following errors:

verify error: Unable to get local issuer certificate

Unable to locally verify the issuer's authority

(Connecting works if verification is disabled with curl -k, but that is not a solution.)


The certificate itself was created with the following command, to enable SSL on a local GitLab instance (nginx):

$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf

where openssl_conf is:

distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = XX
ST = XX
L = XXX
O = XXXX
OU = XXXX
CN = ...
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = XX.XX.X.X

Answer 1

The problem seems to have been the openssl configuration file used for certificate generation (it appears it was not filled in sufficiently). A certificate created with this new configuration file was added to the trust store successfully with update-ca-certificates. Based on this post, the key here seems to be basicConstraints = CA:true

[req]
days                   = 180
serial                 = 1
distinguished_name     = req_distinguished_name
x509_extensions        = v3_ca
prompt = no

[req_distinguished_name]
countryName            = XX
stateOrProvinceName    = XX
localityName           = XX
organizationName       = XXX
organizationalUnitName = XXX
commonName             = new-cert

[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
issuerAltName          = issuer:copy
subjectAltName = @alt_names
[alt_names]
IP.1 = X.X.XX.XX

(same certificate generation command)

$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf

(same method of adding the certificate to the trust store)

$ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
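The following script is an added example and is not code from the question or the answer above. It rebuilds the two certificate profiles shown on this page (the question's openssl_conf and the answer's [v3_ca] variant) with the openssl CLI, reads back from each certificate whether it carries basicConstraints CA:TRUE and the keyCertSign key usage, and then runs openssl verify -CAfile cert cert, which is the check a certificate has to pass to be accepted as its own trust anchor once update-ca-certificates has installed it. Doing this in a temporary directory before copying anything into /usr/local/share/ca-certificates turns "curl fails later" into a local yes/no answer. The subject names, the SAN address 192.0.2.10, the 2048-bit key size and the file names are constructed placeholders, and the script assumes the openssl binary is installed (on Debian/Ubuntu the ca-certificates package already depends on it).

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Rebuilds both certificate profiles from the page and checks offline
# whether each one verifies against a trust store that contains only
# itself, which is what libssl (curl, wget) has to do after the
# certificate is installed with update-ca-certificates.
# Assumptions: the openssl CLI is available; names, IP and key size
# below are constructed placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Profile from the question: no basicConstraints, keyUsage without keyCertSign.
write_conf_question() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_req
prompt             = no
[req_distinguished_name]
C  = XX
O  = Example Org
CN = gitlab.example.test
[v3_req]
keyUsage         = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:192.0.2.10
EOF
}

# Profile from the answer: basicConstraints CA:true and keyCertSign in keyUsage.
write_conf_answer() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
prompt             = no
[req_distinguished_name]
C  = XX
O  = Example Org
CN = gitlab.example.test
[v3_ca]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName         = IP:192.0.2.10
EOF
}

# make_cert <conf> <out.crt>: the same kind of "openssl req -x509" call the
# page uses; a 2048-bit key is used here because 1024-bit RSA is below
# current minimums.
make_cert() {
  openssl req -x509 -days 365 -newkey rsa:2048 -nodes \
    -keyout "${2%.crt}.key" -out "$2" -config "$1" >/dev/null 2>&1
}

# cert_flags <cert>: report the two extension properties that matter for a
# self-signed trust anchor, read back from the certificate itself.
cert_flags() {
  text=$(openssl x509 -in "$1" -noout -text)
  ca=no; kcs=no
  echo "$text" | grep -q 'CA:TRUE' && ca=yes
  echo "$text" | grep -q 'Certificate Sign' && kcs=yes
  echo "CA=$ca keyCertSign=$kcs"
}

# self_anchor_ok <cert>: "trusted" if the certificate verifies when it is
# the only entry in the trust store, "rejected" otherwise. Run this before
# installing a self-signed certificate system-wide.
self_anchor_ok() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

write_conf_question "$WORK/q.conf"
write_conf_answer "$WORK/a.conf"
make_cert "$WORK/q.conf" "$WORK/question.crt"
make_cert "$WORK/a.conf" "$WORK/answer.crt"

echo "question profile: $(cert_flags "$WORK/question.crt") -> $(self_anchor_ok "$WORK/question.crt")"
echo "answer profile:   $(cert_flags "$WORK/answer.crt") -> $(self_anchor_ok "$WORK/answer.crt")"
```

The answer's profile reports CA=yes keyCertSign=yes and verifies as its own anchor on every OpenSSL release. The question's profile reports CA=no keyCertSign=no; whether it is then rejected depends on the installed libssl: OpenSSL 1.1.x will not treat a certificate as its own issuer unless its keyUsage permits keyCertSign, which is exactly the "unable to get local issuer certificate" error from the question, while OpenSSL 3 relaxed that check for self-signed end-entity anchors. Two practical consequences for whoever installs the certificate: run the check above on the host that will do the connecting, not just on the host that generated the file, and remember that a certificate carrying CA:true plus keyCertSign is a CA certificate, so the matching private key on the GitLab host can issue further certificates that every machine trusting it will accept; guard that key like a CA key, or keep a separate private CA and issue the server a plain leaf certificate from it.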
