curl requests to R3 HTTPS sites fail on Ubuntu

When curl or git requests an HTTPS site whose certificate was issued by R3, the following error appears:

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

The cause lies in the dependencies of the certificate chain: R3 -> ISRG Root X1 -> DST Root CA X3

Both root certificates in that chain can be found in Ubuntu's /etc/ssl/certs/ directory:

$ ls /etc/ssl/certs/ | grep X1
ISRG_Root_X1.pem
$ ls /etc/ssl/certs/ | grep X3
DST_Root_CA_X3.pem

Unfortunately, DST Root CA X3 expired on September 30, 2021. To fix the problem above, we need to make sure the client trusts ISRG Root X1 and remove the expired DST Root CA X3.

Edit the CA certificate configuration:

sudo vim /etc/ca-certificates.conf

Find the DST Root CA X3 certificate and deselect it by prefixing the line with an exclamation mark:

!mozilla/DST_Root_CA_X3.crt

After saving, run:

sudo update-ca-certificates

The output will show that one certificate has been removed.

After that, both curl and git work again.
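
The same edit can be scripted so that it is repeatable across hosts and refuses to run when ISRG Root X1 is not trusted. This is an added example, not part of the original post; the function names are hypothetical, and the entry name mozilla/ISRG_Root_X1.crt is assumed by analogy with the DST entry shown above.

```shell
#!/bin/sh
# Added example. Assumed format of ca-certificates.conf: one certificate path
# per line, "#" starts a comment, a leading "!" deselects the certificate.

# entry_state CONF ENTRY -> prints enabled | disabled | absent
entry_state() {
    if grep -qxF -e "!$2" "$1"; then
        echo disabled
    elif grep -qxF -e "$2" "$1"; then
        echo enabled
    else
        echo absent
    fi
}

# disable_entry CONF ENTRY: prefix ENTRY with "!" if it is currently enabled.
# Idempotent; keeps CONF.bak and rewrites in place so owner and mode survive.
disable_entry() {
    [ "$(entry_state "$1" "$2")" = enabled ] || return 0
    cp -p "$1" "$1.bak" || return 1
    tmp=$(mktemp) || return 1
    if awk -v e="$2" '$0 == e { print "!" e; next } { print }' "$1" > "$tmp"; then
        cat "$tmp" > "$1"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# fix_r3_trust CONF: drop the expired root only if ISRG Root X1 stays trusted.
fix_r3_trust() {
    if [ "$(entry_state "$1" mozilla/ISRG_Root_X1.crt)" != enabled ]; then
        echo "ISRG Root X1 not enabled in $1; leaving it unchanged" >&2
        return 1
    fi
    disable_entry "$1" mozilla/DST_Root_CA_X3.crt
}

# Demo on a constructed sample file (not the real /etc/ca-certificates.conf).
demo=$(mktemp)
printf '%s\n' '# constructed sample' mozilla/DST_Root_CA_X3.crt \
    mozilla/ISRG_Root_X1.crt > "$demo"
fix_r3_trust "$demo" && cat "$demo"
rm -f "$demo" "$demo.bak"
# Real use, as root:
#   fix_r3_trust /etc/ca-certificates.conf && update-ca-certificates
```

Once update-ca-certificates has run, curl should succeed without -k or --insecure; if it still fails, the remaining error is a different problem.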

Posted on 2022-02-01 22:30


