CURL未正确应用CA证书文件
陈醉在线wx 发布于 2023-02-06 13:06我无法通过https://testintegrations.pentanasolutions.com/iTestDriveService验证SSL证书.它在我的网络浏览器中工作正常.证书由DigiCert签署,我认为可能没有包含在我的linux盒子上.
为了尝试解决这个问题,我从AllCA.pem文件中的Windows机器中提取了CA证书(可以在这个要点中看到并告诉curl使用它.sql验证仍然失败.然后我尝试通过以下方式提取DigiCert根证书从浏览器中查看证书链并仅使用curl这个证书.它仍然不验证证书.这是DigiCert.pem文件.
-----BEGIN CERTIFICATE----- MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3 LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm +9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3 hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2 Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep +OkuE6N36B9K -----END CERTIFICATE-----
我正在运行的特定curl命令是:
卷曲-G https://testintegrations.pentanasolutions.com/iTestDriveService --cacert DigiCert.pem -v
哪个产生这个输出:
* About to connect() to testintegrations.pentanasolutions.com port 443 (#0) * Trying 203.25.42.36... connected * Connected to testintegrations.pentanasolutions.com (203.25.42.36) port 443 (#0) * successfully set certificate verify locations: * CAfile: /Volumes/C/Users/caleb/Desktop/DigiCert2.cer CApath: none * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed * Closing connection #0 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
不安全的选项不是一个选项,所以我需要找到一种方法来正确验证证书.
任何人都可以解释为什么这不起作用?
作为一种理智检查我试过:
卷曲-G https://www.google.com.au --cacert DigiCert.pem -v
哪个工作,我觉得非常奇怪,因为该DigiCert.pem文件不包括谷歌证书签署的根证书.这让我想知道curl是否甚至使用我的ca文件.
-
我已成功导出与Firefox成功连接的证书,且序列号不匹配.另外,我得到以下验证链:
DigiCert High Assurance EV Root CA(您的DigiCert.pem)
DigiCert高保证CA-3
*.pentasolutions.com
浏览器最初只知道第一个证书,因为它是内置的.因此,网站不仅要传递最后一个证书(#3),还要传递其间的所有CA(#2)以使验证成为可能.但该网站仅发送#3并省略了链#2.在这种情况下,如果浏览器从之前与其他主机的连接中了解这些中间CA,则只能进行验证.因此,如果我使用新的Firefox配置文件,由于缺少中间证书,验证也会因Firefox而失败.
遗憾的是,忘记在Web服务器中配置证书链是一个非常常见的错误,因为如果浏览器不记得先前连接的中间证书,则验证失败.
2023-02-06 13:09 回答
会丶有那么一天
京公网安备 11010802041100号