我注意到我们使用cURL的链接检查程序越来越频繁地验证SSL证书.我试图深究这一点.
例如,https://www.bgetem.de/在我的Windows 7机器上的每个浏览器(IE 11,Firefox,Opera,Chrome)上打开都很好,但是我的CentOS 6和Ubuntu 16.04上的cURL(和wget)无法验证证书.
这是cURL来自CentOS的详细输出(版本卷号7.19.7(x86_64-redhat-linux-gnu)libcurl / 7.19.7 NSS / 3.27.1 zlib / 1.2.3 libidn / 1.18 libssh2 / 1.4.2)
* About to connect() to www.bgetem.de port 443 (#0) * Trying 193.104.3.166... connected * Connected to www.bgetem.de (193.104.3.166) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Peer's certificate issuer is not recognized: 'CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB' * NSS error -8179 * Closing connection #0 * Peer certificate cannot be authenticated with known CA certificates
和Ubuntu(版本卷7.47.0(x86_64-pc-linux-gnu)libcurl / 7.47.0 GnuTLS / 3.4.10 zlib / 1.2.8 libidn / 1.32 librtmp / 2.3):
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt * found 695 certificates in /etc/ssl/certs * ALPN,offering http/1.1 * SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384 * server certificate verification Failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none * Closing connection 0 curl: (60) server certificate verification Failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
知道问题是什么以及如何解决它?
解决方法
正如错误消息已经解释:服务器证书无法使用CAfile中的已知CA证书进行身份验证:/etc/pki/tls/certs/ca-bundle.crt(因为服务器证书由系统未知的CA颁发).
这种消息的两个相当常见的原因:
>证书确实由未知CA(例如内部CA)签名.
>证书使用来自其中一个知名CA的中间CA证书进行签名,并且远程服务器配置错误,因为它不包含作为其响应的CA链的中间CA证书.
感谢您提供域名:允许我们test the SSL server并确认:CA链不完整:
作为该服务器的管理员,您可以/应该修复链文件以防止证书路径中的那些“额外下载”部分.
如果您不是该服务器的管理员并希望修复该客户端:download that intermediate certificate您自己和add it to the local trust store.
