我正在尝试对第三方服务器进行验证。他们为我提供了一个p12文件,该文件已安装在浏览器中。使用浏览器时,我从服务器得到响应。从linux终端执行cUrl时,出现握手错误。
我将.p12提取到密钥和证书,然后运行以下命令:
curl --key client.key --cert client.crt -X GET -v https://x.x.x.x:xxxx/folder/endpoint
并获得以下答复:
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying x.x.x.x...
* TCP_NODELAY set
* Connected to x.x.x.x (x.x.x.x) port xxxx (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
我是否需要在某处添加自签名证书?我觉得我想念什么。如前所述,它可以从导入证书的浏览器工作,因此我确定其证书没有问题。我知道我缺少什么。
谢谢
答案 0 :(得分:0)
您的错误消息是:
无法获得本地发行者证书
这意味着curl无法从信任库中找到颁发者的证书(签署服务器证书的CA):
/etc/ssl/certs/ca-certificates.crt
您要做的就是下载CA证书并将其添加到信任存储中。
答案 1 :(得分:0)
是的,如果您下载了curl命令或自签名证书(在我的情况下),则需要在curl命令中添加--cacert选项
curl --key client.key --cert client.crt --cacert bundle.pem -X GET -v https://x.x.x.x:xxxx/folder/endpoint。
bundle.pem具有server.crt和rootCA.crt。
cat server.crt rootCA.crt >> bundle.pem