One client fails with "certificate has expired" while other clients work fine

I have two machines. One runs Fedora (30) and the other runs Debian (buster).

When I run curl https://www.ultimate-guitar.com/ on the Fedora machine, I get the expected response. However, when I run the same command on the Debian machine, I get a curl: (60) SSL certificate problem: certificate has expired.

With the -v flag on Debian:

$ curl -v https://www.ultimate-guitar.com/
*   Trying 205.185.216.42...
* TCP_NODELAY set
* Connected to www.ultimate-guitar.com (205.185.216.42) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

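On that Debian machine, I have (manually) installed almost no packages apart from vim and docker.

I thought maybe my openssl package or something else needed updating, so I ran apt update and apt upgrade, but the problem didn't go away...

By the way, I can access other sites from the Debian machine without any problem. For example, curl https://ultimate-guitar.com/ (without the www.) works fine.

Another interesting thing I found is a warning when checking the certificate using this website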

I have no idea what this means. I mean, seeing that my Fedora machine has no certificate problem, I can't make sense of it.

Any help would be appreciated.

Answer 1

I managed to fix this by commenting out the AddTrust certificate.

I simply changed

mozilla/AddTrust_External_Root.crt

to

!mozilla/AddTrust_External_Root.crt

in /etc/ca-certificates.conf

and then ran update-ca-certificates

If update-ca-certificates is not available, you may need to install the ca-certificates package:

apt-get update && apt-get install ca-certificates
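
The edit described in the answer, as an added shell example that is not part of the original post: it deselects one entry in a ca-certificates.conf-style file idempotently and keeps a backup. The function names, the return codes and the sample file (with hypothetical Example_Root entries) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.
# In ca-certificates.conf, "#" starts a comment and a leading "!" deselects
# the certificate named on that line.

# deselect_ca CONF ENTRY
# Returns 0 = entry deselected now, 1 = entry not listed, 2 = already deselected.
deselect_ca() {
    conf=$1
    entry=$2
    # -x matches whole lines, -F treats the name literally (dots are not regex).
    if grep -qxF "!$entry" "$conf"; then
        return 2
    fi
    if ! grep -qxF "$entry" "$conf"; then
        return 1
    fi
    cp -p "$conf" "$conf.bak"          # keep the previous state for rollback
    awk -v e="$entry" '$0 == e { print "!" e; next } { print }' \
        "$conf.bak" > "$conf"
    return 0
}

# Constructed sample; the Example_Root names are hypothetical placeholders.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample in the ca-certificates.conf format
mozilla/Example_Root_A.crt
mozilla/AddTrust_External_Root.crt
mozilla/Example_Root_B.crt
EOF
}

# Demonstration on a temporary copy, never on the live file.
tmp=$(mktemp)
make_sample_conf "$tmp"
deselect_ca "$tmp" mozilla/AddTrust_External_Root.crt && echo "deselected"
deselect_ca "$tmp" mozilla/AddTrust_External_Root.crt || echo "second run: rc=$?"
grep -n 'AddTrust' "$tmp"
rm -f "$tmp" "$tmp.bak"
```

On a real system the function would be pointed at /etc/ca-certificates.conf as root, followed by update-ca-certificates as in the answer.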
