root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
* About to connect() to {abc} port 21 (#0)
* Trying {abc}...
* Connected to {abc} ({abc}) port 21 (#0)
< 220-Cerberus FTP Server - Home Edition
< 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
< 220-Welcome to Cerberus FTP Server
< 220 Created by Cerberus, LLC
> AUTH SSL
< 234 Authentication method accepted
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
当前回答
我的情况不同。我在防火墙后面托管一个网站。错误是由pfSense引起的。
Network layout: |Web Server 10.x.x.x| <-> |pfSense 49.x.x.x| <-> |Open Internet|
多亏了这个答案,我意外地找到了原因。
当我从广域网访问我的网站时,一切都很好。
然而,当从局域网内访问站点时(例如,当Wordpress向其自己的服务器发出curl请求时,尽管使用WAN IP 49.x.x.x),它被提供pfSense登录页面。
我将证书标识为pfSense webConfigurator自签名证书。难怪curl抛出一个错误。
原因:发生的事情是curl正在使用站点的WAN IP地址49.x.x.x。但是,在web服务器的上下文中,广域网IP是防火墙。
调试:我发现我正在获得pfSense证书。
解决方案:在托管该站点的服务器上,将其自己的域名指向127.0.0.1
通过应用该解决方案,web服务器正确地处理了curl的请求,并且没有转发到防火墙,防火墙通过发送登录页面进行响应。
其他回答
我本想评论Yuvik的回答,但我缺乏足够的声誉点。
当您将.crt文件导入到/usr/share/local/ca-certificates时,需要使用正确的格式。其中一些已经在前面提到过,但是还没有人提到只需要一个新的行字符,也没有人收集过清单,所以我想在这里提供一个清单。
The certificate needs to end in .crt. From Ubuntu's man page: Certificates must have a .crt extension in order to be included by update-ca-certificates Certificate files in /usr/local/share/ca-certificates can only contain one certificate Certificate files must end in a newline. update-ca-certificates will appear to work if each row contains, for example, a carriage return + a newline (as is standard in Windows), but once the certificate is appended to /etc/ssl/ca-certificates.crt, it still will not work. This specific requirement bit me as we're loading certificates from an external source.
到目前为止,我看到这个问题在公司网络中发生,有两个原因,其中一个或两个都可能发生在你的情况中:
由于网络代理的工作方式,它们有自己的SSL证书,从而改变了curl看到的证书。许多或大多数企业网络强制您使用这些代理。 在客户端电脑上运行的一些防病毒程序也类似于HTTPS代理,这样它们就可以扫描你的网络流量。您的防病毒程序可能有禁用此功能的选项(假设您的管理员允许)。
作为旁注,上面的第2条可能会让您对被扫描的本应安全的TLS通信感到不安。这就是你的公司世界。
在所有的ca中,我对Digicert有这个问题。我创建了一个数字文件。Pem文件,只是中间和根粘贴到一个文件。
curl https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
curl https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt.pem
curl -v https://mydigisite.com/sign_on --cacert DigiCertCA.pem
...
* subjectAltName: host "mydigisite.com" matched cert's "mydigisite.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
> GET /users/sign_in HTTP/1.1
> Host: mydigisite.com
> User-Agent: curl/7.65.1
> Accept: */*
...
Eorekan有答案,但只有我和另一个人对他的答案进行了投票。
是的,您还需要添加一个CA证书。在Node.js中添加一个代码片段以获得更清晰的视图。
var fs = require(fs)
var path = require('path')
var https = require('https')
var port = process.env.PORT || 8080;
var app = express();
https.createServer({
key: fs.readFileSync(path.join(__dirname, './path to your private key/privkey.pem')),
cert: fs.readFileSync(path.join(__dirname, './path to your certificate/cert.pem')),
ca: fs.readFileSync(path.join(__dirname, './path to your CA file/chain.pem'))}, app).listen(port)
这是ssh证书存储问题。请先从目标CA网站下载有效的证书pem文件,再构建软链接文件指示ssl信任证书。
openssl x509 -hash -noout -in DigiCert_Global_Root_G3.pem
您将得到dd8e9d41
使用散列号构建solf链接,并以.0(点- 0)作为文件后缀
DD8E9D41.0
然后再试一次。
推荐文章
- HTTPS和SSL3_GET_SERVER_CERTIFICATE:证书验证失败,CA is OK
- c#忽略证书错误?
- 如何允许本地主机上的Apache使用HTTPS ?
- 如何在Node.js内进行远程REST调用?旋度吗?
- 配置Git接受特定https远程的特定自签名服务器证书
- CMake无法找到OpenSSL库
- 如何为已安装的Ubuntu LAMP堆栈启用cURL ?
- 从PKCS12文件中提取公钥/私钥,供以后在SSH-PK-Authentication中使用
- PHP获取网站URL协议- http vs https
- 为什么cURL返回错误“(23)Failed writing body”?
- 如何POST JSON数据与PHP卷曲?
- 使用curl在PHP中获取HTTP代码
- SSL握手警告:unrecognized_name错误,因为升级到Java 1.7.0
- SSL证书错误:无法获得本地颁发者证书
- "ERROR:root:code for hash md5 was not found"当使用任何hg mercurial命令时
