我有一个奇怪的问题。 更新我的LAMP开发机器(Debian)到PHP 7.之后,我无法通过Curl连接到特定的TLSencryptionAPI。
有问题的SSL证书是由thawte签署的。
curl https://example.com 给我
curl: (60) SSL certificate problem: unable to get local issuer certificate
而
curl https://thawte.com
当然这也是Thawte的作品。
我可以通过其他机器上的HTTPS访问API网站,例如我的桌面通过curl和浏览器。 所以证书是有效的。 SSL实验室的评级是A.
从我的开发机器到其他SSLencryption站点的任何其他curl请求的工作。 我的根证书是最新的。 为了validation,我运行了update-ca-certificates 。 我甚至将http://curl.haxx.se/ca/cacert.pem下载到/ etc / ssl / certs并运行c_rehash 。
还是一样的错误。
有没有办法debuggingvalidation过程,看看哪些本地发行者证书curl(或openssl)正在寻找,但没有find,即文件名?
UPDATE
curl -vs https://example.com
告诉我(IP +域名匿名)
* Hostname was NOT found in DNS cache * Trying 192.0.2.1... * Connected to example.com (192.0.2.1) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem: unable to get local issuer certificate * Closing connection 0
和
echo | openssl s_client -connect example.com:443
给
CONNECTED(00000003) depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/C=DE/ST=XYZ/CN=*.example.com i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2 i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected] --- Server certificate -----BEGIN CERTIFICATE----- [...] -----END CERTIFICATE----- subject=/C=DE/ST=XYZ/CN=*.example.com issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2 --- No client certificate CA names sent --- SSL handshake has read 4214 bytes and written 421 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: [...] Session-ID-ctx: Master-Key: [...] Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - 5a 95 df 40 2c c9 6b d5-4a 50 75 c5 a3 80 0a 2d Z..@,.k.JPu....- [...] 00b0 - d5 b9 e8 25 00 c5 c7 da-ce 73 fb f2 c5 46 c4 24 ...%.....s...F.$ Start Time: 1455111516 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) --- DONE
使用openssl s_client -connect thawte.com:443显示:
--- Certificate chain 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Thawte, Inc./C=US/ST=California/L=Mountain View/businessCategory=Private Organization/serialNumber=3898261/OU=Infrastructure Operations/CN=www.thawte.com i:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA 1 s:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3 ---
最后一个“我”显示发行自签名根CA. 我猜测那个特别的Thawte根CA ,_i。 主根CA – G3 cert不在你的/etc/ssl/certs目录中(如curl输出中所述; openssl s_client没有缺省的CApath,需要明确给出一个, 例如 -CApath /etc/ssl/certs )。
将该证书显式添加到/etc/ssl/certs目录(并重新运行c_rehash )肯定不会受到影响。 如果它工作正常, 例如使用openssl s_client -connect example.com:443 -CApath /etc/ssl/certs ,那么你知道update-ca-certificates命令可能需要一些检查/debugging,至于为什么它没有拿起这个根CA.
现在可能是上面的根CA已经在你的/etc/ssl/certs目录下了,上面的步骤没有任何作用。 在这种情况下,还有另外两个颁发CA证书来检查(至less在thawte.com:443提供的证书链中: thawte.com:443 ): thawte.com:443 CA , thawte.com:443 SSL CA-G2 。 重复上述步骤将这些证书安装到/etc/ssl/certs目录(并重新运行c_rehash )可能会起作用。 由于这两个是中间CA,而不是根CA,因此缺less其中一个会解释您的结果,并且可能被认为是update-ca-certificates忽略update-ca-certificates 。
希望这可以帮助!