Ошибка сертификата SSL с curl
Недавно у меня начались проблемы с использованием curl с SSL (это дает ошибку). Пакеты актуальны. Попытка выполнить "update-ca-сертификаты --fresh" без успеха.
# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 233394 may 3 14:20 /etc/ssl/certs/ca-certificates.crt
# apt-get install ca-certificates
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20170717~16.04.1).
0 upgraded, 0 newly installed, 0 to remove and 30 not upgraded.
# sudo update-ca-certificates --fresh
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
148 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
updates of cacerts keystore disabled.
Updating Mono key store
Linux Cert Store Sync - version 4.2.1.0
Synchronize local certs with certs from local Linux trust store.
Copyright 2002, 2003 Motus Technologies. Copyright 2004-2008 Novell. BSD licensed.
I already trust 149, your new list has 148
Import process completed.
Done
done.
# curl https://github.com/
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
# ls -l /etc/ssl/certs/ | wc -l
452
$ ls -l /etc/ssl/certs/ | head
total 708
lrwxrwxrwx 1 root root 26 may 3 14:30 00673b5b.0 -> thawte_Primary_Root_CA.pem
lrwxrwxrwx 1 root root 45 may 3 14:30 02265526.0 -> Entrust_Root_Certification_Authority_-_G2.pem
lrwxrwxrwx 1 root root 23 may 3 14:30 02756ea4.0 -> Certplus_Root_CA_G1.pem
lrwxrwxrwx 1 root root 31 may 3 14:30 02b73561.0 -> Comodo_Secure_Services_root.pem
lrwxrwxrwx 1 root root 36 may 3 14:30 03179a64.0 -> Staat_der_Nederlanden_EV_Root_CA.pem
lrwxrwxrwx 1 root root 25 may 3 14:30 034868d6.0 -> Swisscom_Root_EV_CA_2.pem
lrwxrwxrwx 1 root root 41 may 3 14:30 04f60c28.0 -> USERTrust_ECC_Certification_Authority.pem
lrwxrwxrwx 1 root root 40 may 3 14:30 052e396b.0 -> AddTrust_Qualified_Certificates_Root.pem
lrwxrwxrwx 1 root root 27 may 3 14:30 062cdee6.0 -> GlobalSign_Root_CA_-_R3.pe
Это происходит с большинством сайтов, но не со всеми
$ curl https://yahoo.com
redirect$
$ curl https://google.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Версии всего:
$ curl --version
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
$ openssl version
OpenSSL 1.0.2g 1 Mar 2016
1
задан J Placeholder
3 May 2018 в 17:53
поделиться
1 ответ
В выпущенном это был мой работодатель, делающий человека в середине с программным обеспечением под названием Netskope. Поскольку сертификат был установлен на хосте (Windows), и я использовал Ubuntu в VirtualBox, много доменов, запущенных к неудавшемуся.
Решение также
- удалите netskope (но я не могу, или не был должен),
- используйте VPN в VM
- установите поддельный сертификат на VM Ubuntu
1
ответ дан J Placeholder
7 December 2019 в 15:20
поделиться