When curl or git is pointed at an HTTPS site whose certificate was issued by Let's Encrypt's R3 intermediate CA, the request fails and curl prints the following explanation:
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
The cause lies in how the certificate chain is built: R3 -> ISRG Root X1 -> DST Root CA X3. R3 is issued by ISRG Root X1, and ISRG Root X1 is in turn cross-signed by the older DST Root CA X3. An older TLS client (OpenSSL 1.0.x, which does not try alternative chains) therefore keeps walking the chain up to DST Root CA X3 instead of stopping at the ISRG Root X1 it already trusts.
Both root certificates are present in /etc/ssl/certs/ on Ubuntu:
$ ls /etc/ssl/certs/ | grep X1
ISRG_Root_X1.pem
$ ls /etc/ssl/certs/ | grep X3
DST_Root_CA_X3.pem
Unfortunately, DST Root CA X3 expired on 30 September 2021, so the verification ends at an expired root. To fix this we need to make sure the client trusts ISRG Root X1 and remove the expired DST Root CA X3 from the system trust store, so that the chain terminates at ISRG Root X1. (Newer ca-certificates packages already drop DST Root CA X3, so upgrading that package is worth trying first; the manual steps below do the same thing by hand.)
Edit the CA certificate configuration:
sudo vim /etc/ca-certificates.conf
Find the DST Root CA X3 entry and deselect it by prefixing the line with an exclamation mark (the file's own syntax for disabling a certificate):
!mozilla/DST_Root_CA_X3.crt
Save the file and run:
sudo update-ca-certificates
It reports that one certificate was removed from the bundle (/etc/ssl/certs/ca-certificates.crt) and the DST_Root_CA_X3.pem symlink disappears from /etc/ssl/certs/.
After that, both curl and git work again; re-running the original curl command is the quickest way to confirm.