Unable to locally verify the issuer's authority

I can't open any https URL using wget or curl:

$ wget https://www.python.org
--2015-04-27 17:17:33--  https://www.python.org/
Resolving www.python.org (www.python.org)... 103.245.222.223
Connecting to www.python.org (www.python.org)|103.245.222.223|:443... connected.
ERROR: cannot verify www.python.org's certificate, issued by "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA":
  Unable to locally verify the issuer's authority.
To connect to www.python.org insecurely, use '--no-check-certificate'.

$ curl https://www.python.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

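This is on CentOS 5.5 using wget 1.12 and curl 7.30.0. It sounds like something is wrong with my local certificate store, but I have no idea how to proceed from here. Any ideas?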

Update: After upgrading the openssl package from 0.9.8e-12.el5_4.6 to 0.9.8e-33.el5_11, there is now a different error:

$ wget https://pypi.python.org
--2015-04-28 10:27:35--  https://pypi.python.org/
Resolving pypi.python.org (pypi.python.org)... 103.245.222.223
Connecting to pypi.python.org (pypi.python.org)|103.245.222.223|:443... connected.
ERROR: certificate common name "www.python.org" doesn't match requested host name "pypi.python.org".
To connect to pypi.python.org insecurely, use '--no-check-certificate'.

Answer 1

I ran into a similar error with https://excellmedia.dl.sourceforge.net/project/astyle/astyle/astyle%203.0.1/astyle_3.0.1_linux.tar.gz on a Docker image (circleci/jdk8:0.1.1).

In my case, upgrading ca-certificates solved the problem:

sudo apt-get install ca-certificates

Answer 2

Solution 1:

openssl s_client -connect whateversite.com:443 -debug 

Get the certificate key and copy it to /etc/ssl/certs.

$ wget https://www.python.org --ca-certificate=/etc/ssl/certsfile

If you want to go the insecure way, try Solution 2.

Solution 2:

$ wget https://www.python.org --no-check-certificate

Or using curl:

$ curl https://www.python.org --insecure

Answer 3

The problem is a lack of support for Server Name Indication. You need at least wget 1.14 or curl 7.18.1, and according to Wikipedia you need at least OpenSSL 0.98f:

https://en.wikipedia.org/wiki/Server_Name_Indication#Implementation

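Answer 4

Versions of wget before 1.14 do not support Subject Alternative Name (SAN)*. PyPI uses SAN in its certificate as an alternative to the CN, and wget chokes on the mismatch. Upgrading wget should fix it.

* Or possibly Server Name Indication (SNI) - I'm not sure which applies here.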
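
The hostname mismatch from the question's update, as an added example that is not part of the original posts: it models the CN-only check that Answer 4 attributes to older clients next to a SAN-aware check. The certificate data is constructed (it is not a capture of the real certificate), and the function names and the CN-only model are assumptions made for illustration.

```python
# Added illustration: CN-only vs. SAN-aware hostname checks.
# SAMPLE_CERT is constructed data in the shape returned by
# ssl.SSLSocket.getpeercert(); it is not the real python.org certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.python.org"),),),
    "subjectAltName": (
        ("DNS", "www.python.org"),
        ("DNS", "pypi.python.org"),
        ("DNS", "*.python.org"),
    ),
}


def _name_match(pattern, host):
    """Compare DNS names; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_sans(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def cn_only_match(cert, host):
    """Assumed model of a legacy client: only the subject CN is consulted."""
    return any(_name_match(cn, host) for cn in common_names(cert))


def san_aware_match(cert, host):
    """If DNS SAN entries exist they are authoritative and the CN is ignored."""
    names = dns_sans(cert) or common_names(cert)
    return any(_name_match(n, host) for n in names)


if __name__ == "__main__":
    for host in ("www.python.org", "pypi.python.org", "python.org.example.net"):
        print(host, cn_only_match(SAMPLE_CERT, host), san_aware_match(SAMPLE_CERT, host))
```

A client that accepts the certificate only under the SAN-aware check is validating it correctly, so `--no-check-certificate` or `--insecure` is not needed once the client is upgraded.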
