root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc} port 21 (#0)
*   Trying {abc}...
* Connected to {abc} ({abc}) port 21 (#0)
< 220-Cerberus FTP Server - Home Edition
< 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
< 220-Welcome to Cerberus FTP Server
< 220 Created by Cerberus, LLC
> AUTH SSL
< 234 Authentication method accepted
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

当前回答

在所有的ca中,我对Digicert有这个问题。我创建了一个数字文件。Pem文件,只是中间和根粘贴到一个文件。

curl https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
curl https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt.pem

curl -v https://mydigisite.com/sign_on --cacert DigiCertCA.pem
...
*  subjectAltName: host "mydigisite.com" matched cert's "mydigisite.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET /users/sign_in HTTP/1.1
> Host: mydigisite.com
> User-Agent: curl/7.65.1
> Accept: */*
...

Eorekan有答案,但只有我和另一个人对他的答案进行了投票。

其他回答

是的,您还需要添加一个CA证书。在Node.js中添加一个代码片段以获得更清晰的视图。

var fs = require(fs)
var path = require('path')
var https = require('https')
var port = process.env.PORT || 8080;
var app = express();

https.createServer({
key: fs.readFileSync(path.join(__dirname, './path to your private key/privkey.pem')),
cert: fs.readFileSync(path.join(__dirname, './path to your certificate/cert.pem')),
ca: fs.readFileSync(path.join(__dirname, './path to your CA file/chain.pem'))}, app).listen(port)

它失败了,因为cURL无法验证服务器提供的证书。

有两个选项可以让它工作:

使用带-k选项的cURL,允许cURL建立不安全的连接,即cURL不验证证书。 将根CA(签署服务器证书的CA)添加到/etc/ssl/certs/ca-certificates.crt

您应该使用选项2,因为它是确保您连接到安全FTP服务器的选项。

在所有的ca中,我对Digicert有这个问题。我创建了一个数字文件。Pem文件,只是中间和根粘贴到一个文件。

curl https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
curl https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt.pem

curl -v https://mydigisite.com/sign_on --cacert DigiCertCA.pem
...
*  subjectAltName: host "mydigisite.com" matched cert's "mydigisite.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET /users/sign_in HTTP/1.1
> Host: mydigisite.com
> User-Agent: curl/7.65.1
> Accept: */*
...

Eorekan有答案,但只有我和另一个人对他的答案进行了投票。

我的情况不同。我在防火墙后面托管一个网站。错误是由pfSense引起的。

Network layout: |Web Server 10.x.x.x| <-> |pfSense 49.x.x.x| <-> |Open Internet|

多亏了这个答案,我意外地找到了原因。


当我从广域网访问我的网站时,一切都很好。

然而,当从局域网内访问站点时(例如,当Wordpress向其自己的服务器发出curl请求时,尽管使用WAN IP 49.x.x.x),它被提供pfSense登录页面。

我将证书标识为pfSense webConfigurator自签名证书。难怪curl抛出一个错误。

原因:发生的事情是curl正在使用站点的WAN IP地址49.x.x.x。但是,在web服务器的上下文中,广域网IP是防火墙。

调试:我发现我正在获得pfSense证书。

解决方案:在托管该站点的服务器上,将其自己的域名指向127.0.0.1

通过应用该解决方案,web服务器正确地处理了curl的请求,并且没有转发到防火墙,防火墙通过发送登录页面进行响应。

尝试在Ubuntu中重新安装curl,并使用sudo update-ca-certificates—fresh更新我的CA证书