我正在尝试运行以下 CURL 命令,但出现 SSL 证书错误:
curl https://example.com:8443/cli/agentCLI -u username:password
错误:
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). The default bundle is named curl-ca-bundle.crt; you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
如何解决此问题以允许使用 SSL URL?
最佳答案
如果您在服务器上使用自签名证书,您可以使用:
curl -k https://example.com:8443/cli/agentCLI -u username:password
但请注意,这并不比使用非 SSL 连接到服务器更好,因为您的通信将不再安全,从而导致各种中间人攻击。
尽管我建议您从服务器下载 .pem:
- 通常在
/etc/ssl/中找到 if you have access to the server , - 或者您可以下载,
使用:
echo "HEAD / HTTP/1.0\n Host: example.com\n\n EOT\n" | openssl s_client -prexit -connect example.com:8443 > cert.pem
到您的计算机,只保留文件中BEGIN CERTIFICATE 和END CERTIFICATE 之间的部分(包括BEGIN/END 行)并将其作为参数提供给--cacert 选项,你也可以下载它。然后您将在每次连接时验证您的服务器!
curl --cacert cert.pem https://example.com:8443/cli/agentCLI -u username:password
在我自己的自签名服务器上测试,它工作正常:
% openssl s_client -showcerts -connect example.com:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----' > cert.pem
% curl --cacert cert.pem https://example.com
一个应该有效的例子:
% openssl s_client -showcerts -connect git.cryptolib.org:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | grep -m1 -B-1 -- '-----END CERTIFICATE-----' > cert.pem
% curl --cacert cert.pem https://git.cryptolib.org
curl: (51) SSL: certificate verification failed (result: 5)
但遗憾的是它不是。
我也试过按照提示做here :
% openssl x509 -inform PEM -in cert.pem -text -out certdata.pem
% curl --cacert certdata.pem https://git.cryptolib.org
这不起作用,因为我用于测试的那个站点 (git.cryptolib.org) 不是自签名的,但它来自 CACert 链,可以通过使用 CACert 根证书来解决,遵循这个FAQ .
需要挖掘的一些资源:
- http://curl.haxx.se/docs/sslcerts.html
- http://curl.haxx.se/mail/archive-2012-01/0049.html
- https://turboflash.wordpress.com/2009/06/23/curl-adding-installing-trusting-new-self-signed-certificate/
- http://curl.haxx.se/docs/caextract.html
- curl self-signed certificate web service over SSL
但到目前为止还没有确定的答案:-s
关于linux - https ( SSL ) 的 curl 命令,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/28927051/