curl certificate chain problem

When accessing a certain HTTPS site with curl, it reported an error:

curl: (60) SSL certificate problem: unable to get local issuer certificate

The same site opened fine in a browser, so my first thought was that the server's CA list needed updating. I fetched the latest CA bundle from curl.se, but the problem persisted:

* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /usr/local/openssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

Only then did I realise that the site's certificate chain might be incomplete. Checking the site on SSL Labs gave:

This server’s certificate chain is incomplete. Grade capped to B.

So the site's certificate chain was incomplete. But why could the browser access it when curl could not? Was the problem really caused by the incomplete chain? (In fact, modern browsers do complete the certificate chain on the site's behalf for compatibility, but older browsers, systems and tools do not have this ability.)

I decided to reproduce the problem. A certificate we obtain normally comes as two files: cert.pem, which contains only the domain's certificate, and fullchain.pem, which contains the domain's certificate plus the certificate of the authority that issued it. Normally fullchain.pem is what should be deployed; for the test I deployed cert.pem, which contains only a single -----BEGIN CERTIFICATE----- (omitted) -----END CERTIFICATE----- block (fullchain.pem contains several).

After deploying it I tested with curl -v https://test.ddnpc.com

*   Trying 182.254.233.64:443...
* Connected to test.ddnpc.com (182.254.233.64) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /usr/local/openssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

curl indeed fails, while the browser accesses the site without trouble. That confirms the problem. Fixing it is simple: complete the chain with a certificate chain completion tool (I used the TrustAsia / 亚洲诚信 certificate chain completion tool) and replace the original certificate with the completed one; remember to restart nginx or apache for it to take effect.
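Before deploying a bundle it is worth confirming locally that it really is a chain, that is, that every certificate is issued by the one after it, rather than a lone cert.pem. The script below is an added example, not code from the post or from any tool it mentions: it splits a PEM bundle into certificates, reads the issuer and subject names directly out of the DER structure, and reports a missing intermediate or a wrongly ordered chain. The certificates it checks are constructed, unsigned stand-ins produced by toy_cert(); the hostname and the issuer CN "R11" are taken from the post's curl output, while "Example Root CA" is a placeholder name.

```python
"""Check whether a PEM bundle actually forms a linked certificate chain.

Added example, not the blog's own code. toy_cert() builds constructed,
unsigned stand-in certificates: only the subject/issuer structure is real.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_ders(text):
    """Split a PEM bundle into raw DER certificates, one per BEGIN/END block."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Return [(tag, value), ...] for the elements of a constructed DER value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def names(der):
    """Return (issuer, subject) as raw DER Name contents of an X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                 # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])      # fields of tbsCertificate
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def check_chain(pem_text):
    """Return a list of findings; an empty list means each cert is issued by the next one."""
    ders = pem_to_ders(pem_text)
    if not ders:
        return ["no certificates found in bundle"]
    findings = []
    if len(ders) == 1:
        issuer, subject = names(ders[0])
        if issuer != subject:                      # a lone self-signed cert is a different case
            findings.append("only the leaf is present; intermediate CA certificate is missing "
                            "(cert.pem deployed instead of fullchain.pem?)")
    for i in range(len(ders) - 1):
        issuer, _ = names(ders[i])
        _, next_subject = names(ders[i + 1])
        if issuer != next_subject:
            findings.append(f"certificate {i} is not issued by certificate {i + 1} "
                            "(wrong order or wrong intermediate)")
    return findings


# --- constructed sample data: a DER encoder just big enough for toy certificates ---

def _tlv(tag, body):
    """Encode one DER TLV (short form or two-byte long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (OID 2.5.4.3)."""
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, common_name.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def toy_cert(subject, issuer):
    """Build a structurally valid but UNSIGNED certificate (constructed sample, not a real cert)."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02"))                                        # [0] version v3
           + _tlv(0x02, b"\x01")                                                   # serialNumber
           + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))       # sha256WithRSA
           + _name(issuer)
           + _tlv(0x30, _tlv(0x17, b"241116022550Z") + _tlv(0x17, b"250214022549Z"))  # validity
           + _name(subject)
           + _tlv(0x30, b""))                                                      # SPKI left empty
    der = _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))    # no real signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = toy_cert("test.ddnpc.com", "R11")           # hostname and issuer CN as in the post
INTERMEDIATE = toy_cert("R11", "Example Root CA")  # "Example Root CA" is a placeholder
CERT_PEM = LEAF                                    # what cert.pem looks like: one block
FULLCHAIN_PEM = LEAF + INTERMEDIATE                # what fullchain.pem looks like: leaf, then issuer

if __name__ == "__main__":
    for label, bundle in (("cert.pem", CERT_PEM), ("fullchain.pem", FULLCHAIN_PEM)):
        print(label, "->", check_chain(bundle) or "chain links cleanly")
```

The check only compares DER-encoded names; it deliberately does not verify signatures, so it catches the deployment mistake described above (cert.pem instead of fullchain.pem, or certificates in the wrong order), not a forged intermediate. For a live server the same function can be run over the certificates printed by openssl s_client -showcerts. Servers usually and correctly omit the root, so the last certificate in a good bundle is an intermediate rather than a self-signed root, which is why the script does not demand one.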

The new test result:

*   Trying 182.254.233.64:443...
* Connected to test.ddnpc.com (182.254.233.64) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /usr/local/openssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=test.ddnpc.com
* start date: Nov 16 02:25:50 2024 GMT
* expire date: Feb 14 02:25:49 2025 GMT
* subjectAltName: host "test.ddnpc.com" matched cert's "test.ddnpc.com"
* issuer: C=US; O=Let's Encrypt; CN=R11
* SSL certificate verify ok.
* using HTTP/1.1

If the site is your own, the problem is solved at this point. But what if the site belongs to someone else? We can hardly log in to someone else's server and fix it for them. That would be a crime!!!

You can email the site owner, explain the situation, and let them fix it themselves. And if they don't?

Then only two roads lie before you:

1. Skip certificate verification, which is a road of no return: curl -vk https://test.ddnpc.com

2. Add the intermediate certificate the site uses to curl's trust directory as well; I won't go into that here.

Author

feng

Posted on

2024-11-16

Updated on

2024-11-16
