root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc} port 21 (#0)
*   Trying {abc}...
* Connected to {abc} ({abc}) port 21 (#0)
< 220-Cerberus FTP Server - Home Edition
< 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
< 220-Welcome to Cerberus FTP Server
< 220 Created by Cerberus, LLC
> AUTH SSL
< 234 Authentication method accepted
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

当前回答

我本想评论Yuvik的回答,但我缺乏足够的声誉点。

当您将.crt文件导入到/usr/share/local/ca-certificates时,需要使用正确的格式。其中一些已经在前面提到过,但是还没有人提到只需要一个新的行字符,也没有人收集过清单,所以我想在这里提供一个清单。

The certificate needs to end in .crt. From Ubuntu's man page: Certificates must have a .crt extension in order to be included by update-ca-certificates Certificate files in /usr/local/share/ca-certificates can only contain one certificate Certificate files must end in a newline. update-ca-certificates will appear to work if each row contains, for example, a carriage return + a newline (as is standard in Windows), but once the certificate is appended to /etc/ssl/ca-certificates.crt, it still will not work. This specific requirement bit me as we're loading certificates from an external source.

其他回答

有这个问题,但新版本没有解决。/etc/certs有根证书,浏览器说一切正常。经过一些测试后,我从ssllabs.com得到警告,我的链是不完整的(实际上这是旧证书链,而不是新证书链)。在纠正了证书链之后,一切都很好,即使是curl。

由于conda环境,一些系统可能存在此问题。如果你安装了conda,那么禁用它可以解决你的问题。在我的情况下,当我停用conda时,这个curl-SSL错误得到了解决。在ubuntu或MacOS上试试这个命令

conda deactivate

在windows上-如果你想从cmd运行

> curl -X GET "https://some.place"

下载cacert。pem从 https://curl.haxx.se/docs/caextract.html

永久设置环境变量:

CURL_CA_BUNDLE = C:\somefolder\cacert.pem

并通过重新打开任何您想要的cmd窗口来重新加载环境 使用旋度;如果安装了Chocolatey,您可以使用:

refreshenv

现在再试一次

故障原因: https://laracasts.com/discuss/channels/general-discussion/curl-error-60-ssl-certificate-problem-unable-to-get-local-issuer-certificate/replies/95548

没有一个答案提到,可能是连接到内部vpn的角色,我以前遇到过这个问题,并要求在专用网络上

根据cURL文档,您还可以将证书传递给cURL命令:

获取可以验证远程服务器的CA证书并使用 适当的选项指出此CA证书进行验证时 连接。对于libcurl黑客:curl_easy_setopt(curl, CURLOPT_CAPATH capath); 使用curl命令行工具:——cacert[文件]


例如:

curl --cacert mycertificate.cer -v https://www.stackoverflow.com