How do I make wget trust my self-signed certificate (without using --no-check-certificate)?

  • Ubuntu 12.04
  • OpenSSL 1.0.1 14
  • Wget 1.13.4

My setup:

  • Create our own CA (our_own_ca.crt)
  • Generate a certificate signed by the CA above (graphite.local.crt)
  • Concatenate that certificate and the CA certificate into a bundle file

Nginx configuration:

    ssl_certificate        /etc/ssl/certs/graphite.local.crt;
    ssl_certificate_key    /etc/ssl/certs/graphite.local.key;
    ssl_client_certificate /etc/ssl/certs/our_own_ca_chained.crt;

with:

    our_own_ca_chained.crt = graphite.local.crt + our_own_ca.crt

According to /usr/share/doc/ca-certificates/README.Debian, to install this CA into the trusted store I just need to copy it to /usr/local/share/ca-certificates/ and then run update-ca-certificates. This is the output:

    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Warning: there was a problem reading the certificate file /etc/ssl/certs/our_own_ca.pem. Message:
      Extensions not allowed in v2 certificate
    done.
    done.

After that we have something like the following in /etc/ssl/certs:

    lrwxrwxrwx 1 root root 17 Mar 11 05:27 99ff557c.0 -> our_own_ca.pem
    lrwxrwxrwx 1 root root 17 Mar 11 05:27 dc79b3f0.0 -> our_own_ca.pem
    lrwxrwxrwx 1 root root 50 Mar 11 05:27 our_own_ca.pem -> /usr/local/share/ca-certificates/our_own_ca.crt

Then curl works:

    curl -I https://graphite.local

    HTTP/1.1 302 FOUND
    Server: nginx
    Date: Wed, 11 Mar 2015 05:30:30 GMT
    Content-Type: text/html; charset=utf-8
    Connection: keep-alive
    Vary: Cookie
    Location: https://graphite.local/account/login?next=/
    Strict-Transport-Security: max-age=15768000

wget doesn't:

    wget https://graphite.local
    --2015-03-11 05:31:22--  https://graphite.local/
    Resolving graphite.local (graphite.local)... 127.0.0.1
    Connecting to graphite.local (graphite.local)|127.0.0.1|:443... connected.
    ERROR: cannot verify graphite.local's certificate, issued by `xxx':
      Self-signed certificate encountered.
    To connect to graphite.local insecurely, use `--no-check-certificate'.

I also tried using --ca-certificate but got the same error.

What am I missing?

I would try the --ca-directory=directory option:

    wget --ca-directory=/etc/ssl/certs https://graphite.local

From the wget manual:

Specifies directory containing CA certificates in PEM format. Each file contains one CA certificate, and the file name is based on a hash value derived from the certificate. This is achieved by processing a certificate directory with the c_rehash utility supplied with OpenSSL. Using '--ca-directory' is more efficient than '--ca-certificate' when many certificates are installed because it allows Wget to fetch certificates on demand.

Without this option, Wget looks for CA certificates at the system-specified locations, chosen at OpenSSL installation time.
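As an added example (not code from the question, the answer, or any project), the script below builds a private CA and a CA-signed certificate for graphite.local as proper X.509 v3 certificates, prints the version field (the update-ca-certificates hook in the question complained about a v2 certificate carrying extensions), and then verifies the server certificate against the CA three ways with `openssl verify`: a single PEM file (what `--ca-certificate` loads), a directory holding the CA under its plain file name (which fails, because the directory lookup only finds `<hash>.0` names), and a directory laid out the way c_rehash does it (what `--ca-directory` expects). The file names are taken from the question; the openssl.cnf extension sections and the temporary working directory are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: build a private CA
# and a CA-signed server certificate as X.509 v3 certificates, then verify the
# leaf the two ways wget can be pointed at a CA: a single PEM file
# (--ca-certificate) and a hashed directory (--ca-directory). File names come
# from the question; the openssl.cnf contents are this example's assumption.
set -eu

# Extension sections for the CA and the server certificate. Without explicit
# v3 extensions the CA cert lacks basicConstraints CA:TRUE and the leaf lacks
# a subjectAltName, both of which clients check.
write_config() {  # $1 = workdir, $2 = server hostname
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {  # $1 = workdir; writes our_own_ca.key and our_own_ca.crt
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Our Own CA" -config "$1/openssl.cnf" -extensions v3_ca \
        -keyout "$1/our_own_ca.key" -out "$1/our_own_ca.crt"
}

make_leaf() {  # $1 = workdir, $2 = hostname; writes $2.key, $2.csr, $2.crt
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -config "$1/openssl.cnf" -keyout "$1/$2.key" -out "$1/$2.csr"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/our_own_ca.crt" \
        -CAkey "$1/our_own_ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$1/openssl.cnf" -extensions v3_server -out "$1/$2.crt"
}

# Print the X.509 version number (3 for a v3 certificate).
cert_version() {  # $1 = PEM certificate
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Version: \([0-9]\).*/\1/p' | head -n 1
}

# Verify against a PEM bundle (what --ca-certificate loads). The output is
# matched instead of the exit code because old openssl releases returned 0
# even when verification failed.
verify_with_file() {  # $1 = CA bundle, $2 = certificate; prints OK or FAIL
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# Verify against a directory (what --ca-directory reads). OpenSSL only looks
# for files named <subject_hash>.<n> here, so a plain file name is never found.
verify_with_dir() {  # $1 = CA directory, $2 = certificate; prints OK or FAIL
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || true
    case "$out" in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

# Lay out the CA the way c_rehash does: <subject_hash>.0 inside $1/cadir.
build_hash_dir() {  # $1 = workdir, $2 = CA certificate; prints the hash
    mkdir -p "$1/cadir"
    h=$(openssl x509 -noout -subject_hash -in "$2")
    cp "$2" "$1/cadir/$h.0"
    echo "$h"
}

main() {
    work=$(mktemp -d)
    write_config "$work" graphite.local
    make_ca "$work" 2>/dev/null
    make_leaf "$work" graphite.local 2>/dev/null
    ca="$work/our_own_ca.crt"; leaf="$work/graphite.local.crt"
    echo "CA cert version:         $(cert_version "$ca")"
    echo "subject_hash:            $(openssl x509 -noout -subject_hash -in "$ca")"
    echo "subject_hash_old:        $(openssl x509 -noout -subject_hash_old -in "$ca")"
    echo "verify via CAfile:       $(verify_with_file "$ca" "$leaf")"
    mkdir "$work/plain" && cp "$ca" "$work/plain/our_own_ca.crt"
    echo "verify via unhashed dir: $(verify_with_dir "$work/plain" "$leaf")"
    build_hash_dir "$work" "$ca" >/dev/null
    echo "verify via hashed dir:   $(verify_with_dir "$work/cadir" "$leaf")"
    echo "wget --ca-certificate=$ca https://graphite.local"
    echo "wget --ca-directory=$work/cadir https://graphite.local"
}

if command -v openssl >/dev/null 2>&1; then
    main
else
    echo "openssl not found in PATH" >&2
fi
```

`-subject_hash` and `-subject_hash_old` print the two names a hashed directory carries for the same CA on OpenSSL 1.0, which is why the listing in the question shows two links pointing at our_own_ca.pem. A passing `openssl verify` shows the chain and the store layout are right, but it exercises OpenSSL's store logic rather than wget's own TLS stack, so finish with the wget command the script prints; if that still fails, check `wget --version` for whether the build reports `+ssl/gnutls` or `+ssl/openssl`, because the two libraries locate their default trust store independently.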