When using cURL as root, everything works:
$ sudo curl -vvv https://test.example.org/ > /dev/null
* Connected to test.example.org (1.2.3.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=test.example.org,O=organization,L=location,ST=state,C=country
* start date: Okt 26 06:58:41 2015 GMT
* expire date: Okt 24 06:58:41 2020 GMT
* common name: test.example.org
* issuer: [email protected],CN=example.org,O=organization,L=location,ST=state,C=country
As a normal user, it does not:
$ curl -vvv https://test.example.org/ > /dev/null
* Connected to test.example.org (1.2.3.4) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=test.example.org,O=organization,L=location,ST=state,C=country
* start date: Okt 26 06:58:41 2015 GMT
* expire date: Okt 24 06:58:41 2020 GMT
* common name: test.example.org
* issuer: [email protected],CN=example.org,O=organization,L=location,ST=state,C=country
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
* Closing connection 0
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
wget also works as expected, and openssl connects without errors:
$ openssl s_client -connect test.example.org:443 -servername test.example.org -showcerts < /dev/null
...
Verify return code: 0 (ok)
I am on Fedora 22 and imported the CA certificate by copying it to /etc/pki/ca-trust/source/anchors/ and then running update-ca-trust (both as root).
After importing the CA file into Firefox and Chrome, the site also loads without any errors.
The server runs Apache 2.4 with the following options in the vhost file:
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/pki/certs/test.exmple.org.crt
SSLCertificateKeyFile /etc/pki/private/test.exmple.org.key
SSLCACertificateFile /etc/pki/certs/exmple.org.crt
I am not sure whether this is a server configuration problem or a curl problem. Apologies if this question fits better in another community.
Any ideas?
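One check worth running on a setup like the one above, added here as an example and not part of the original post: NSS keeps trust decisions per certificate database, and the error text "marked as not trusted by the user" is NSS's wording for an issuer that carries a distrust (or no trust) flag rather than a missing issuer. The curl output names the system database (sql:/etc/pki/nssdb); Chrome on Linux keeps a per-user one at ~/.pki/nssdb. Which of these an NSS-backed curl consults is not established by the post, so the script below only inspects them: it parses `certutil -L` output and lists CAs present in a database without the C (trusted for SSL) flag, marking a `p` (prohibited) entry as explicitly distrusted. The sample input is constructed to exercise the parser offline; the nicknames in it are made up.

```sh
#!/bin/sh
# Added example, not from the original post: flag CAs in an NSS certificate
# database that are present but not trusted to issue SSL server certs.
# Pipe in the output of
#   certutil -d sql:$HOME/.pki/nssdb -L     # per-user DB (used by Chrome)
#   certutil -d sql:/etc/pki/nssdb -L       # the certpath curl prints above
# certutil ships in the nss-tools package on Fedora.
#
# The trust field is the last whitespace-separated column of each row and
# has three comma-separated parts: SSL,S/MIME,JAR/XPI.  In the SSL part:
#   C = trusted CA   c = valid CA, no trust   p = prohibited (distrusted)
#   u = user (own) certificate   empty = no trust decision recorded
nss_untrusted_cas() {
    awk '
        /^Certificate Nickname/      { next }   # header line 1
        /SSL,S\/MIME,JAR\/XPI/       { next }   # header line 2
        NF == 0                      { next }   # blank separator
        {
            attrs = $NF
            nick  = $0
            sub(/[ \t]+[^ \t]*$/, "", nick)     # drop the trust column
            split(attrs, col, ",")
            ssl = col[1]
            if (ssl ~ /u/) next                 # own cert, not a CA
            if (ssl ~ /C/) next                 # trusted for SSL: fine
            verdict = (ssl ~ /p/) ? "DISTRUSTED" : "NOT_TRUSTED"
            printf "%s|%s|%s\n", nick, ssl, verdict
        }'
}

# Constructed sample in certutil -L layout (not real output from the poster's
# machine) so the function can be exercised offline.
sample_certutil_output() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example.org CA                                               p,,
Corp Root CA                                                 CT,C,C
Imported but untrusted CA                                    ,,
my-client-cert                                               u,u,u
EOF
}

sample_certutil_output | nss_untrusted_cas
```

Run it against each real database with `certutil -d sql:$HOME/.pki/nssdb -L | nss_untrusted_cas` and the same for sql:/etc/pki/nssdb, as the affected user and as root; an entry for the issuer showing `p` or an empty SSL column in only one of them is the thing to compare. To separate the bundle from the database, `curl --cacert <the CA file copied into /etc/pki/ca-trust/source/anchors/> https://test.example.org/` as the normal user tells you whether handing curl the issuer directly is enough.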