我对curl和https有疑问。我必须在每次请求时指定cacert,有人可以告诉我该怎么办?我使用debian jessie。
$ curl -XGET --cacert /etc/ssl/certs/ca-certificates.crt 'https://www.google.com'
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://www.google.fr/?gfe_rd=cr&ei=M69TWfebI4P_8AeJ1KPACA">here</A>.
</BODY></HTML>
当我没有指定cacert:
$ curl -XGET 'https://www.google.com' -v
* Rebuilt URL to: https://www.google.com/
* Hostname was NOT found in DNS cache
* Trying 216.58.204.132...
* Connected to www.google.com (216.58.204.132) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
当然,我不想忽视认证,我想解决这个问题。
我的卷曲版本:
$ curl --version
curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.2k zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP
答案 0 :(得分:1)
从-v输出看起来它正在到达正确的文件夹但无法获得证书
* successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs
尝试执行此操作以更新当前的CA列表。
cd /etc/ssl/certs
sudo wget http://curl.haxx.se/ca/cacert.pem
我认为curl会查看.pem文件而不是.crt文件。另请参阅此帖子https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle