就在最近,我的服务器停止处理对我的 Web 服务器的 https://地址的 curl 请求。仔细研究后发现,这是运行网络服务器的用户的问题。
如果我以 root 身份 SSH 到服务器并调用
curl -I -v https://google.com
...我收到以下响应...
* About to connect() to google.com port 443 (#0)
* Trying 173.194.67.113... connected
* Connected to google.com (173.194.67.113) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_SHA
* Server certificate:
* subject: CN=*.google.com,O=Google Inc,L=Mountain View,ST=California,C=US
* start date: May 22 15:50:20 2013 GMT
* expire date: Oct 31 23:59:59 2013 GMT
* common name: *.google.com
* issuer: CN=Google Internet Authority,O=Google Inc,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: google.com
> Accept: */*
但是,如果我以任何 cPanel 帐户(在通过 Web 服务器运行时也使用)登录,我会得到以下...
* About to connect() to google.com port 443 (#0)
* Trying 173.194.67.101... connected
* Connected to google.com (173.194.67.101) port 443 (#0)
* Initializing NSS with certpath: none
* NSS error -5978
* Closing connection #0
* Problem with the SSL CA cert (path? access rights?)
curl: (77) Problem with the SSL CA cert (path? access rights?)
我一直无法找到问题的明确答案,而且我的托管公司拒绝提供帮助,因为它“失去支持”,尽管它上周运行良好!
我确实在 http://curl.haxx.se/docs/sslcerts.html 上找到了提及那个
"If libcurl was built with NSS support, then depending on the OS distribution, it is probably required to take some additional steps to use the system-wide CA cert db. RedHat ships with an additional module, libnsspem.so, which enables NSS to read the OpenSSL PEM CA bundle. This library is missing in OpenSuSE, and without it, NSS can only work with its own internal formats. NSS also has a new database format: https://wiki.mozilla.org/NSS_Shared_DB"
...但我找不到有关如何在我的 CentOS 服务器上实现此系统范围内工作的信息。
信息
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
任何人都可以阐明为什么这可能会突然改变,或者更好的是如何解决它?
谢谢
最佳答案
我刚刚在 CentOS7 上遇到了类似的 Error#77 问题。我缺少随 ca-certificates RPM 安装的软链接(soft link) /etc/pki/tls/certs/ca-bundle.crt。
'curl' 试图打开此路径以获取证书颁发机构。 我发现:
strace curl https://example.com
并且清楚地看到该链接打开失败。
我的修复是:
yum reinstall ca-certificates
那应该重新设置一切。如果您有用于企业或自签名用途的私有(private) CA,请确保它们位于/etc/pki/ca-trust/source/anchors 中,以便重新添加它们。
关于对于非根用户的 CentOS 上的 SSL 连接,cURL 不起作用(错误 #77),我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/17064601/