以root身份使用cURL时,一切工作正常:
$ sudo curl -vvv https://test.example.org/ > /dev/null * Connected to test.example.org (1.2.3.4) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 * Server certificate: * subject: CN=test.example.org,O=organization,L=location,ST=state,C=country * start date: Okt 26 06:58:41 2015 GMT * expire date: Okt 24 06:58:41 2020 GMT * common name: test.example.org * issuer: [email protected],CN=example.org,O=organization,L=location,ST=state,C=country 作为一个普通用户,它不会:
$ curl -vvv https://test.example.org/ > /dev/null * Connected to test.example.org (1.2.3.4) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=test.example.org,O=organization,L=location,ST=state,C=country * start date: Okt 26 06:58:41 2015 GMT * expire date: Okt 24 06:58:41 2020 GMT * common name: test.example.org * issuer: [email protected],CN=example.org,O=organization,L=location,ST=state,C=country * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER) * Peer's certificate issuer has been marked as not trusted by the user. * Closing connection 0 curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: http://curl.haxx.se/docs/sslcerts.html
另外wget按预期工作,openssl连接没有错误:
$ openssl s_client -connect test.example.org:443 -servername test.example.org -showcerts < /dev/null ... Verify return code: 0 (ok)
我正在使用Fedora 22,CA证书是通过将其复制到/ etc / pki / ca-trust / source / anchors /并在之后运行update-ca-trust(以root身份)导入的。
在将CA文件导入到Firefox和Chrome之后,网站也无错地加载。
服务器正在运行apache 2.4,在vhost文件中有以下选项:
SSLEngine on SSLProtocol All -SSLv2 -SSLv3 SSLCertificateFile /etc/pki/certs/test.exmple.org.crt SSLCertificateKeyFile /etc/pki/private/test.exmple.org.key SSLCACertificateFile /etc/pki/certs/exmple.org.crt
不知道这是服务器configuration问题还是curl问题。 所以我很抱歉,如果这个问题适合不同的社区。
有任何想法吗?