请帮我理解为什么我无法通过https成功地使用curl访问此URL:
我正在使用Ubuntu 12.04.5,curl 7.22.0,libcurl 7.22.0和OpenSSL 1.0.1-4ubuntu5.25。
$ curl -v https://www.onevanilla.com/
* About to connect() to www.onevanilla.com port 443 (#0)
* Trying 199.83.128.4... connected
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
所以我尝试手动获取证书:
$ openssl s_client -connect www.onevanilla.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/www.onevanilla.com.pem
之后:
$ curl -v --cacert /tmp/www.onevanilla.com.pem https://www.onevanilla.com
但是我得到了相同的结果:
* About to connect() to www.onevanilla.com port 443 (#0)
* Trying 199.83.128.4... connected
* successfully set certificate verify locations:
* CAfile: /tmp/www.onevanilla.com.pem
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
* Closing connection #0
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
我可以使用openssl验证证书:
$ openssl s_client -host www.onevanilla.com -port 443 -CApath /etc/ssl/certs
并且这会返回 验证返回代码:0(ok)
我也运行了sudo update-ca-certificates --fresh
以确保,但没有成功。
所以在我看来证书是有效的(未过期,主机名与CN匹配),但我永远无法使用curl获得成功响应(除非当然我使用-k
或--insecure
选项)。请有人解释一下吗?