curl cannot get local certificate on Ubuntu

I am using Ubuntu 14.04 64-bit with the Unity desktop.

The other day I was trying to download something from the Harper's site and noticed that curl complains about the certificate.


If I run this command:

  curl -v https://harpers.org/wp-content/themes/harpers/images/logoBlack.png

I get the following output:

  * Hostname was NOT found in DNS cache
  * Trying 54.243.234.21...
  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS alert, Server hello (2):
  * SSL certificate problem: unable to get local issuer certificate
  * Closing connection 0
  curl: (60) SSL certificate problem: unable to get local issuer certificate

Which is silly, since Harper's certificate is issued by DigiCert and Firefox ships with that certificate.

So I did this manually to see whether it works:

  cd /tmp/
  wget https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt
  openssl x509 -in DigiCertGlobalRootCA.crt -inform DER -out DigiCertGlobalRootCA.pem -outform PEM
  wget https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
  openssl x509 -in DigiCertSHA2SecureServerCA.crt -inform DER -out DigiCertSHA2SecureServerCA.pem -outform PEM
  cat DigiCertGlobalRootCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
  cat DigiCertSHA2SecureServerCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
  curl -v --cacert DigiCertGlobalRootCASHA2SecureServerCA.pem \
       https://harpers.org/wp-content/themes/harpers/images/logoBlack.png \
       -o logoBlack.png 2> down.log

And got this:

  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: DigiCertGlobalRootCASHA2SecureServerCA.pem
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  } [data not shown]
  * SSLv3, TLS handshake, Server hello (2):
  { [data not shown]
  * SSLv3, TLS handshake, CERT (11):
  { [data not shown]
  * SSLv3, TLS handshake, Server key exchange (12):
  { [data not shown]
  * SSLv3, TLS handshake, Server finished (14):
  { [data not shown]
  * SSLv3, TLS handshake, Client key exchange (16):
  } [data not shown]
  * SSLv3, TLS change cipher, Client hello (1):
  } [data not shown]
  * SSLv3, TLS handshake, Finished (20):
  } [data not shown]
  * SSLv3, TLS change cipher, Client hello (1):
  { [data not shown]
  * SSLv3, TLS handshake, Finished (20):
  { [data not shown]
  * SSL connection using ECDHE-RSA-AES256-GCM-SHA384
  * Server certificate:
  * subject: C=US; ST=New York; L=New York; O=Harper's Magazine Foundation; CN=*.harpers.org
  * start date: 2016-01-11 00:00:00 GMT
  * expire date: 2019-01-15 12:00:00 GMT
  * subjectAltName: harpers.org matched
  * issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
  * SSL certificate verify ok.
  > GET /wp-content/themes/harpers/images/logoBlack.png HTTP/1.1
  > User-Agent: curl/7.35.0
  > Host: harpers.org
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Date: Mon, 29 May 2017 20:20:38 GMT
  * Server Apache/2.4.18 (Ubuntu) is not blacklisted
  < Server: Apache/2.4.18 (Ubuntu)
  < Last-Modified: Fri, 14 Dec 2012 10:10:30 GMT
  < ETag: "24d7-4d0cd3dc47180"
  < Accept-Ranges: bytes
  < Content-Length: 9431
  < Content-Type: image/png
  <
  { [data not shown]
  100 9431 100 9431 0 0 12707 0 --:--:-- --:--:-- --:--:-- 12710
  * Connection #0 to host harpers.org left intact

Any suggestions?

0
asked 29 May 2017 at 23:24

3 answers

This solves the problem

  wget -P /tmp/ -nv https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
  openssl x509 -in /tmp/DigiCertSHA2SecureServerCA.crt -inform DER \
               -out /tmp/DigiCertSHA2SecureServerCA.pem -outform PEM
  sudo cp -uv /tmp/DigiCertSHA2SecureServerCA.pem /etc/ssl/certs
  sudo c_rehash
0
answered 22 May 2018 at 22:05
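
Added example (not part of the original question or answers): it reproduces curl's "unable to get local issuer certificate" error offline and shows why supplying the intermediate CA clears it. It assumes the failure on this page is a missing intermediate, which is what the fix above implies; all keys, certificates, subjects and file names are constructed for this example.

```bash
#!/bin/sh
# Added example: all keys and certificates below are constructed, short-lived test data.

# make_chain DIR: create root -> intermediate -> leaf in DIR (file names are this example's own).
make_chain() {
  d="$1"
  printf '[req]\ndistinguished_name=dn\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
  # Self-signed root CA: stands in for a root the client already trusts.
  openssl req -x509 -config "$d/o.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Constructed Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Constructed Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
    -days 2 -extfile "$d/o.cnf" -extensions v3_ca -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$d/o.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=leaf.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# make_store DIR: build DIR/certs the way c_rehash lays out /etc/ssl/certs,
# one <subject-hash>.0 symlink per trusted certificate.
make_store() {
  mkdir -p "$1/certs"
  for c in root int; do
    cp "$1/$c.pem" "$1/certs/"
    ln -sf "$c.pem" "$1/certs/$(openssl x509 -noout -hash -in "$1/$c.pem").0"
  done
}

# check_leaf DIR [verify options]: print openssl's verdict on DIR/leaf.pem.
check_leaf() {
  dir="$1"; shift
  openssl verify "$@" "$dir/leaf.pem" 2>&1
}

demo() {
  t=$(mktemp -d) && make_chain "$t" && make_store "$t" || return 1
  echo "root trusted, intermediate not supplied:"; check_leaf "$t" -CAfile "$t/root.pem"
  echo "intermediate sent with the leaf:";         check_leaf "$t" -CAfile "$t/root.pem" -untrusted "$t/int.pem"
  echo "intermediate in the hashed CA directory:"; check_leaf "$t" -CApath "$t/certs"
  rm -rf "$t"
}
demo
```

The second check is what a client sees when the server presents its full chain; the third corresponds to the client-side change to /etc/ssl/certs made in the answer.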
