How do I make wget trust my self-signed certificate (without using --no-check-certificate)?

  • Ubuntu 12.04
  • OpenSSL 1.0.1 14
  • Wget 1.13.4

My setup:

  • Create our own CA (our_own_ca.crt)
  • Generate a certificate signed by that CA (graphite.local.crt)
  • Concatenate that certificate and the CA certificate into a bundle file

Nginx config:

ssl_certificate /etc/ssl/certs/graphite.local.crt;
ssl_certificate_key /etc/ssl/certs/graphite.local.key;
ssl_client_certificate /etc/ssl/certs/our_own_ca_chained.crt;

and:

our_own_ca_chained.crt = graphite.local.crt + own_own_ca.crt

To install this CA into the trusted store, following /usr/share/doc/ca-certificates/README.Debian, I just copy it to /usr/local/share/ca-certificates/ and run update-ca-certificates. Here is the output:

Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d....
Warning: there was a problem reading the certificate file /etc/ssl/certs/our_own_ca.pem. Message:
  Extensions not allowed in v2 certificate
done.
done.

After that, we get something like the following in /etc/ssl/certs:

lrwxrwxrwx 1 root root   17 Mar 11 05:27 99ff557c.0 -> our_own_ca.pem
lrwxrwxrwx 1 root root   17 Mar 11 05:27 dc79b3f0.0 -> our_own_ca.pem
lrwxrwxrwx 1 root root   50 Mar 11 05:27 our_own_ca.pem -> /usr/local/share/ca-certificates/our_own_ca.crt

Then curl works:

curl -I https://graphite.local

HTTP/1.1 302 FOUND
Server: nginx
Date: Wed, 11 Mar 2015 05:30:30 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Vary: Cookie
Location: https://graphite.local/account/login?next=/
Strict-Transport-Security: max-age=15768000

wget does not:

wget https://graphite.local
--2015-03-11 05:31:22--  https://graphite.local/
Resolving graphite.local (graphite.local)... 127.0.0.1
Connecting to graphite.local (graphite.local)|127.0.0.1|:443... connected.
ERROR: cannot verify graphite.local's certificate, issued by `xxx':
  Self-signed certificate encountered.
To connect to graphite.local insecurely, use `--no-check-certificate'.

I also tried using --ca-certificate but got the same error.

What am I missing?

Answer 1

I would try the --ca-directory=directory option:

wget --ca-directory=/etc/ssl/certs https://graphite.local

From the wget manual:

Specifies a directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. This is achieved by processing a certificate directory with the c_rehash utility supplied with OpenSSL. Using '--ca-directory' is more efficient than '--ca-certificate' when many certificates are installed, because it allows Wget to fetch certificates on demand.

Without this option, Wget looks for CA certificates in the system-specified locations chosen when OpenSSL was installed.
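The answer hinges on the hashed-directory layout that --ca-directory (and OpenSSL's -CApath) expects. The script below is an added example, not code from the question or the answer: it generates a throwaway private CA and a leaf certificate for the made-up host name graphite.local, stores the CA under its subject-name hash the way c_rehash would, and uses openssl verify to show that the leaf validates against that directory but not against a directory where the same CA file sits under a plain name. It assumes the openssl command-line tool is installed; every path and name in it is temporary and hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. Requires the
# openssl CLI. Builds a private CA + leaf cert and a hashed CA directory of the
# form wget --ca-directory expects, then verifies the leaf against it.
set -e

# Create a CA, a leaf certificate and a hashed CA directory under a temp dir.
# Prints the path of the working directory.
make_ca_dir() {
  work="$(mktemp -d)"
  ca_dir="$work/ca-dir"            # hypothetical directory for --ca-directory
  mkdir -p "$ca_dir"

  # Minimal config so the run does not depend on the system openssl.cnf.
  # v3_ca gives the CA a v3 certificate with CA:TRUE; OpenSSL complains with
  # "Extensions not allowed in v2 certificate" when a certificate carries
  # extensions but its version field is not v3.
  cat >"$work/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:graphite.local
EOF

  # 1. Self-signed CA (the role of our_own_ca.crt in the question).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$work/req.cnf" -extensions v3_ca \
    -keyout "$work/ca.key" -out "$work/ca.crt" >/dev/null 2>&1

  # 2. Leaf CSR and certificate signed by that CA (the graphite.local.crt role).
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$work/req.cnf" -subj "/CN=graphite.local" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/leaf.csr" -days 1 \
    -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
    -extfile "$work/req.cnf" -extensions v3_leaf \
    -out "$work/leaf.crt" >/dev/null 2>&1

  # 3. Hashed directory: this is what c_rehash (or "openssl rehash") does for
  #    every file in a directory, done by hand here for one CA. The file name
  #    is the subject-name hash plus ".0" (".1", ".2", ... on collisions).
  ca_hash="$(openssl x509 -in "$work/ca.crt" -noout -subject_hash)"
  cp "$work/ca.crt" "$ca_dir/$ca_hash.0"

  echo "$work"
}

# Verify certificate $2 against hashed CA directory $1; prints OK or FAIL.
verify_leaf() {
  if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

WORK="$(make_ca_dir)"
echo "hashed CA directory layout:"
ls -l "$WORK/ca-dir"
# The hashed directory works; the plain copy next to it (ca.crt, not
# <hash>.0) is never consulted, which is the trap with --ca-directory.
echo "verify via hashed dir : $(verify_leaf "$WORK/ca-dir" "$WORK/leaf.crt")"
echo "verify via plain dir  : $(verify_leaf "$WORK" "$WORK/leaf.crt")"
# Against a real server the equivalent wget call would be:
#   wget --ca-directory="$WORK/ca-dir" https://graphite.local
```

Run with sh; the two verify lines print OK and FAIL respectively. The FAIL case is the point to take away from the answer: the certificate must be reachable under its hash-derived file name, which is why a directory such as /etc/ssl/certs (already populated by update-ca-certificates with <hash>.0 symlinks) is a valid --ca-directory argument while a folder holding our_own_ca.crt under its plain name is not.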
