curl: (60) SSL certificate problem: unable to get local issuer certificate


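It fails because cURL cannot verify the certificate provided by the server.

There are two options to make it work:

  • Use cURL with the -k option, which allows cURL to make insecure connections, i.e. cURL does not verify the certificate.

  • Add the root CA (the CA that signed the server certificate) to /etc/ssl/certs/ca-certificates.crt

    You should use option 2, since it is the option that ensures you are connecting to the secure FTP server.

    On Windows, I had this problem. Curl was installed by mysysgit, so downloading and installing the latest version fixed my issue.

    Otherwise, for how to update your CA certificates, you could try this.

    This problem appeared after installing Git Extensions v3.48. Tried installing mysysgit again, but got the same problem. In the end, had to disable (please consider the security implications) Git SSL verification: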

    root@sclrdev:/home/sclr/certs/FreshCerts# curl --ftp-ssl --verbose ftp://{abc}/ -u trup:trup --cacert /etc/ssl/certs/ca-certificates.crt
    * About to connect() to {abc} port 21 (#0)
    *   Trying {abc}...
    * Connected to {abc} ({abc}) port 21 (#0)
    < 220-Cerberus FTP Server - Home Edition
    < 220-This is the UNLICENSED Home Edition and may be used for home, personal use only
    < 220-Welcome to Cerberus FTP Server
    < 220 Created by Cerberus, LLC
    > AUTH SSL
    < 234 Authentication method accepted
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS alert, Server hello (2):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    
    But if you have a domain certificate, it is better to add it to (Win7)


    I solved this problem by adding one line of code to the cURL script:

    C:\Program Files (x86)\Git\bin\curl-ca-bundle.crt
    

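    Warning: this makes the request absolutely insecure (see @YSU's answer).

    Related to the "SSL certificate problem: unable to get local issuer certificate" error. It is important to note that this applies to the system sending the CURL request, not the server receiving the request.

  • Download the latest cacert.pem from

  • Add the following line to php.ini: (if this is shared hosting and you don't have access to php.ini, then you can add it to .user.ini in public_html)

    curl.cainfo="/path/to/download/cacert.pem"

    Make sure you enclose the path within double quotes.

  • By default, the FastCGI process will parse new files every 300 seconds (if required, you can change the frequency by adding a couple of files as suggested here)

  • Simple solution: in ~/.sdkman/etc/config, change sdkman_insecure_ssl=true

    Steps:
    nano ~/.sdkman/etc/config

    change
    sdkman_insecure_ssl=false
    to
    sdkman_insecure_ssl=true

    Save and exit.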

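    In my case, the problem turned out to be in the installation of the certificate on the service I was trying to use with cURL. I had failed to bundle/concatenate the intermediate and root certificates into my domain certificate. At first it was not obvious that this was the problem, because Chrome worked it out and accepted the certificate despite the intermediate and root certificates being left out.

    After bundling the certificates, everything worked as expected. I bundled them like this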

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    

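    and repeated this for all intermediate certificates and the root certificate.

    We ran into this error recently. It turned out to be related to the root certificate not being properly installed in the CA store directory. I was using a curl command where I specified the CA dir directly:
    curl --cacert /etc/test/server.pem --capath /etc/test …
    This command failed every time with curl: (60) SSL certificate problem: unable to get local issuer certificate.

    After using
    strace curl …
    it was determined that curl was looking for the root certificate file under the name 60ff2731.0, which is based on the openssl hash naming convention. So I found this command, which effectively imports the root certificate correctly:

    ln -s rootcert.pem `openssl x509 -hash -noout -in rootcert.pem`.0

    which creates a soft link

    60ff2731.0 -> rootcert.pem

    Under the covers, curl read the server.pem certificate, determined the name of the root certificate file (rootcert.pem), converted it to its hash name, then did an OS file lookup, but could not find it.


    So, the takeaway is: use strace when running curl if the curl error is obscure (it was a tremendous help), and then make sure the root certificate is properly installed using the openssl naming convention.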

    Yes, you need to add the CA certificate as well. Adding a code snippet in Node.js for a clear view.

    $ cat intermediate.crt >> domain.crt
    

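    Most likely the server is missing a certificate.

    Root -> Intermediate -> Server

    The server should send at least the server and intermediate certificates.

    Use openssl s_client -showcerts -starttls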
    $ cat intermediate.crt >> domain.crt
    
    var fs = require('fs')
    var path = require('path')
    var https = require('https')
    var express = require('express') // needed for the express() call below
    var port = process.env.PORT || 8080;
    var app = express();
    
    https.createServer({
    key: fs.readFileSync(path.join(__dirname, './path to your private key/privkey.pem')),
    cert: fs.readFileSync(path.join(__dirname, './path to your certificate/cert.pem')),
    ca: fs.readFileSync(path.join(__dirname, './path to your CA file/chain.pem'))}, app).listen(port)
    
    > curl -X GET "https://some.place"
    
    CURL_CA_BUNDLE = C:\somefolder\cacert.pem
    
    refreshenv
    
    Network layout: |Web Server 10.x.x.x| <-> |pfSense 49.x.x.x| <-> |Open Internet|
    
    sudo apt-get install ca-certificates
    
    $client = new Client(env('API_HOST'));
    $client->setSslVerification(false);
    
    curl --cacert mycertificate.cer -v https://www.stackoverflow.com
    
    sudo update-ca-certificates -f
    
    - abc.crt
    - abc.pem
    - abc-bunde.crt
    
    -----BEGIN CERTIFICATE-----
    /*certificate content here*/
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    /*additional certificate content here*/
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    /*other certificate content here*/
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    /*different certificate content here*/
    -----END CERTIFICATE-----
    
    -----BEGIN CERTIFICATE-----
    /*certificate content here*/
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    /*additional certificate content here*/
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    /*other certificate content here*/
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    /*different certificate content here*/
    -----END CERTIFICATE-----
    
    curl https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
    curl https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt.pem
    
    curl -v https://mydigisite.com/sign_on --cacert DigiCertCA.pem
    ...
    *  subjectAltName: host "mydigisite.com" matched cert's "mydigisite.com"
    *  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
    *  SSL certificate verify ok.
    > GET /users/sign_in HTTP/1.1
    > Host: mydigisite.com
    > User-Agent: curl/7.65.1
    > Accept: */*
    ...
    
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
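
The two causes described in the answers above (a server that does not send its intermediate certificate, and a root certificate that sits in the CA directory without its hash-named link) can be reproduced offline with a throwaway chain. This is an added example, not code from any of the posts; it assumes OpenSSL 1.1.0 or later, and the CNs, the `capath/` directory and the helper function names are made up for illustration.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed and throwaway.
# File names follow the thread; the CNs and the capath/ directory are made up.

make_chain() (   # $1 = empty work dir; builds root -> intermediate -> server
  cd "$1" && mkdir capath || exit 1
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[v3_ca]' \
    'basicConstraints=critical,CA:TRUE' > ca.cnf
  gen() { k=$1; cn=$2; shift 2
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout "$k.key" -subj "/CN=$cn" "$@" 2>/dev/null; }
  sign() { csr=$1; ca=$2; cakey=$3; shift 3
    openssl x509 -req -in "$csr" -CA "$ca" -CAkey "$cakey" -CAcreateserial \
      -days 2 "$@" 2>/dev/null; }
  gen root 'Demo Root' -x509 -extensions v3_ca -days 2 -out rootcert.pem &&
  gen int 'Demo Intermediate' -out int.csr &&
  sign int.csr rootcert.pem root.key -extfile ca.cnf -extensions v3_ca \
    -out intermediate.crt &&
  gen srv 'demo.example' -out srv.csr &&
  sign srv.csr intermediate.crt int.key -out domain.crt &&
  cp rootcert.pem capath/   # file is there, but not under its hash name yet
)

# Prints "ok", or the reason openssl gives (the same text curl reports).
check() (        # $1 = work dir, remaining args go to `openssl verify`
  cd "$1" && shift || exit 1
  out=$(openssl verify "$@" domain.crt 2>&1) && { echo ok; exit 0; }
  echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
)

# The symlink step from the thread: <subject-hash>.0 -> rootcert.pem
install_root() (
  cd "$1/capath" &&
  ln -s rootcert.pem "$(openssl x509 -hash -noout -in rootcert.pem).0"
)

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  echo "root trusted, no intermediate: $(check "$d" -CAfile rootcert.pem)"
  echo "intermediate supplied:         $(check "$d" -CAfile rootcert.pem -untrusted intermediate.crt)"
  echo "CApath, root not hash-named:   $(check "$d" -no-CAfile -CApath capath -untrusted intermediate.crt)"
  install_root "$d"
  echo "CApath after hash symlink:     $(check "$d" -no-CAfile -CApath capath -untrusted intermediate.crt)"
  rm -rf "$d"
}
demo
```

In both failing cases verification stays switched on; the fix is to give the verifier the missing link in the chain, either by supplying the intermediate (which a server does by sending it) or by installing the root under its hash name.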