C++ Curl cannot connect using SSL_CTX_FUNCTION with LetsEncrypt pem files

Time: 2019-01-18 21:19:18

Tags: c++ ssl curl https lets-encrypt

I have a server with an SSL certificate installed from LetsEncrypt. I have the following files, which are currently marked as `live`:

  • cert.pem
  • privkey.pem
  • fullchain.pem
  • chain.pem

The part of my code where I specify the certificate is:

```cpp
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1L);   // verify the server's certificate chain
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 2L);   // 2L checks the certificate's name against the host (libcurl documents 2L; 1L is not a valid mode)
curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "PEM");   // format of a client certificate; no client certificate is set here
curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, sslctx);
```

And the `sslctx` function I use:

```cpp
#include <iostream>
#include <curl/curl.h>
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>
#include <openssl/x509.h>

using std::cout;
using std::endl;

// Called by libcurl with the SSL_CTX it is about to use; adds one certificate
// to that context's trust store.  Exit() is the asker's own helper, not shown.
static CURLcode sslctx(CURL *curl, void *sslctx, void *parm)
{
    X509_STORE *store;
    X509 *cert = NULL;
    BIO *bio;
    const char *mypem = // ANY PEM FILE CONTENTS HERE?
        "-----BEGIN CERTIFICATE-----\n"
        "XXXXXX WHICH PEM FILE? XXXX\n"
        "-----END CERTIFICATE-----";

    bio = BIO_new_mem_buf(mypem, -1);
    PEM_read_bio_X509(bio, &cert, 0, NULL);   // reads only the first CERTIFICATE block
    if (cert == NULL) {
        cout << "Failed reading SSL-certificate" << endl;
        Exit(false);
    }

    store = SSL_CTX_get_cert_store((SSL_CTX *)sslctx);
    if (X509_STORE_add_cert(store, cert) == 0) {
        cout << "Error adding SSL-certificate" << endl;
        Exit(false);
    }

    X509_free(cert);   // the store holds its own reference
    BIO_free(bio);
    return CURLE_OK;
}
```

However, when I try to connect to the server over https, curl returns the error:

`Peer certificate cannot be authenticated with given CA certificates`

I don't know which of the LetsEncrypt-generated files I need to make sure the peer can be verified...

If I disable `CURLOPT_SSL_VERIFYPEER`, the request succeeds, but that is insecure and unacceptable for the application.

Some additional information. The contents of `/etc/letsencrypt/options-ssl-apache.conf` are:

```
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-$
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"
```

and the contents of `/etc/apache2/sites-enabled/{site}-le-ssl.conf` are:

0 answers:

No answers