在我们公司,他们强制执行网络代理,该代理会中断 SSL 连接并用其自己的伪造证书替换证书。 (准确地说,它使用由公司证书签名的代理证书。)
因此,为了从 https URL 下载,我必须让我的系统信任该假证书(或禁用证书检查)。
因此,我将代理证书和公司证书都添加到 和/etc/ssl/certs/ca-bundle.crt中/etc/ssl/certs/ca-certificates.crt。 (两者都链接到同一个文件。)
现在使用下载wget工作正常,但是使用下载curl不起作用,因为curl无法验证证书:
* Rebuilt URL to: https://company.net/
* Hostname was NOT found in DNS cache
* Trying 172.18.111.111...
* Connected to 172.18.111.111 (172.18.111.111) port 3128 (#0)
* Establish HTTP proxy tunnel to company.net:443
> CONNECT company.net:443 HTTP/1.1
> Host: company.net:443
> User-Agent: curl/7.39.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
<
* Proxy replied OK to CONNECT request
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
可能出了什么问题?如何进一步调试?
答案1
您需要告诉 nix 有关证书的信息,如下所示:
security.pki.certificates = [''cert strings go here in PEM format''];
IE:
security.pki.certificates = [
''
-----BEGIN CERTIFICATE-----
<CUT>
-----END CERTIFICATE-----
''
];
如果您愿意,您可以添加其中的许多内容。这会将包含的证书添加到系统证书存储中,然后curl应该使用它们而无需任何额外的命令行参数。