root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc} port 21 (#0)
* Trying {abc}...
* Connected to {abc} ({abc}) port 21 (#0)
< 220-Cerberus FTP Server - Home Edition
< 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
< 220-Welcome to Cerberus FTP Server
< 220 Created by Cerberus, LLC
> AUTH SSL
< 234 Authentication method accepted
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
当前回答
我也遇到过这个问题。我读了这篇文章,大部分答案都很有信息量,但对我来说太复杂了。我在社交话题上没有经验,所以这个答案适合像我这样的人。
在我的例子中,发生这个错误是因为我没有在应用程序中使用的证书旁边包含中间证书和根证书。
以下是我从SSL证书供应商那里得到的信息:
- abc.crt
- abc.pem
- abc-bunde.crt
在abc。CRT文件,只有一个证书:
-----BEGIN CERTIFICATE-----
/*certificate content here*/
-----END CERTIFICATE-----
如果我以这种格式提供它,浏览器将不会显示任何错误(Firefox),但我会得到curl:(60) SSL证书:无法获得本地颁发者证书错误时,我做curl请求。
要修复此错误,请检查abc-bunde。crt文件。你很可能会看到这样的东西:
-----BEGIN CERTIFICATE-----
/*additional certificate content here*/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
/*other certificate content here*/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
/*different certificate content here*/
-----END CERTIFICATE-----
这些是您的中级证书和根证书。发生错误是因为您提供给应用程序的SSL证书中缺少它们。
要修复此错误,请以以下格式合并这两个文件的内容:
-----BEGIN CERTIFICATE-----
/*certificate content here*/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
/*additional certificate content here*/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
/*other certificate content here*/
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
/*different certificate content here*/
-----END CERTIFICATE-----
请注意,证书之间、文件的末尾或开头没有空格。一旦您向应用程序提供了这个组合证书,您的问题就会得到解决。
其他回答
对我来说,简单地安装证书有帮助:
sudo apt-get install ca-certificates
简单的解决方案: 在~ /。Sdkman /etc/config, change sdkman_insecure_ssl=true
步骤: 纳米~ / .sdkman / etc /配置 将sdkman_insecure_ssl=false修改为sdkman_insecure_ssl=true 保存并退出
这可以帮助你控制暴饮暴食:
$client = new Client(env('API_HOST'));
$client->setSslVerification(false);
测试在guzzle/guzzle 3.*
特别对于Windows用户,使用curl-7.57.0-win64-mingw或类似版本。
这有点晚了,现有的答案是正确的。但我还是得费点劲才能让它在我的Windows电脑上运行,不过这个过程其实相当简单。所以,分享一步一步的过程。
这个错误基本上意味着,curl无法验证目标URI的证书。如果您信任证书的颁发者(CA),则可以将其添加到受信任证书列表。
为此,浏览URI(例如在Chrome上)并遵循步骤
Right click on the secure padlock icon Click on certificate, it'll open a window with the certificate details Go to 'Certification Path' tab Click the ROOT certificate Click View Certificate, it'll open another certificate window Go to Details tab Click Copy to File, it'll open the export wizard Click Next Select 'Base-64 encoded X.509 (.CER)' Click Next Give a friendly name e.g. 'MyDomainX.cer' (browse to desired directory) Click Next Click Finish, it'll save the certificate file Now open this .cer file and copy the contents (including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) Now go to the directory where curl.exe is saved e.g. C:\SomeFolder\curl-7.57.0-win64-mingw\bin Open the curl-ca-bundle.crt file with a text editor Append the copied certificate text to the end of the file. Save
现在,您的命令应该在curl中正常执行。
关于“SSL证书问题:无法获得本地颁发者证书”错误。需要注意的是,这适用于发送CURL请求的系统,而不是接收请求的服务器。
Download the latest cacert.pem from https://curl.se/ca/cacert.pem Add the '--cacert /path/to/cacert.pem' option to the curl command to tell curl where the local Certificate Authority file is. (or) Create or add to a '.curlrc' file the line: cacert = /path/to/cacert.pem See 'man curl', the section about the '-K, --config <file>' section for information about where curl looks for this file. (or if using php) Add the following line to php.ini: (if this is shared hosting and you don't have access to php.ini then you could add this to .user.ini in public_html).
卷毛。cainfo = " - path / to / downloaded cacert pem。”
请确保将路径用双引号括起来!!
默认情况下,FastCGI进程将每300秒解析一次新文件(如果需要,您可以通过添加几个文件来改变频率https://ss88.uk/blog/fast-cgi-and-user-ini-files-the-new-htaccess/)。
推荐文章
- 证书验证失败:无法获得本地颁发者证书
- 当使用pip3安装包时,“Python中的ssl模块不可用”
- 如何在PHP中捕获cURL错误
- CFNetwork SSLHandshake iOS 9失败
- 加载资源:net::ERR_INSECURE_RESPONSE失败
- 无法在Windows上从/usr/local/ssl/openssl.cnf加载配置信息
- 在Bash中将输出赋给变量
- HTTPS和SSL3_GET_SERVER_CERTIFICATE:证书验证失败,CA is OK
- c#忽略证书错误?
- 如何允许本地主机上的Apache使用HTTPS ?
- 如何在Node.js内进行远程REST调用?旋度吗?
- 配置Git接受特定https远程的特定自签名服务器证书
- CMake无法找到OpenSSL库
- 如何为已安装的Ubuntu LAMP堆栈启用cURL ?
- 从PKCS12文件中提取公钥/私钥,供以后在SSH-PK-Authentication中使用
