We tried doing this:
curl -v --cacert cert.pem https://example.com/path.asmx
On Ubuntu it works fine and we get:
* successfully set certificate verify locations:
* CAfile: cert.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
On AlmaLinux 8 it fails:
* successfully set certificate verify locations:
* CAfile: cert.pem
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
What could be the cause of this?
Thanks
Answer 1
* successfully set certificate verify locations:
*   CAfile: cert.pem
    CApath: /etc/ssl/certs
Since cert.pem is presumably the same in both invocations, the difference is probably in /etc/ssl/certs. I assume that cert.pem does not actually contain the trusted root CA used by the server's certificate, but that this CA is present in /etc/ssl/certs on one machine and not on the other.
It is not clear why the CA is on one machine but missing on the other; this is probably because the machines were set up differently.
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
The server is requesting a client certificate here. This suggests that your --cacert cert.pem argument may not be intended to supply a trusted root certificate, but rather the client certificate the server requires. For that case, however, --cert and --key should be used instead.
Answer 2
TLS Alert, unknown CA
means that the certificate authority (the entity that issued the certificate) is not considered authoritative on the AlmaLinux machine. This has nothing to do with the distributions being different. The problem is simply that whoever issued the certificate is well known and authoritative on the Ubuntu machine but is not considered authoritative on the AlmaLinux machine. Perhaps what you need to do is find another CA, one that the AlmaLinux machine knows and trusts.