我有一堆PHP脚本使用curl与各种服务进行通信。目前,其中一项服务' SSL证书得到了更新,当我尝试从我的服务器CLI获取它时,我的curl开始哭了:
~$ curl https://example.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
目前,我已将verify => false硬编码到我的所有请求中,以保持我的脚本正常运行,但这不是我想要的内容。
我收到了最新的cacert file from mozilla,将其放入/etc/ssl/certs/ca-certificates.crt然后运行成功运行的sudo update-ca-certificates(我想......)
~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
但是再次curl对它不太满意,仍然无法通过-k标记获取我的资源。
答案 0 :(得分:1)
您可以使用openssl s_client命令进一步调试问题,以便找出证书的确切问题。
openssl s_client -showcerts -servername myservice.com -connect myservice.com:443