ssl - centos6/letsencrypt - wget 证书错误,但 curl 没有

标签 ssl curl wget lets-encrypt

我试图了解 wget 和 curl 在同一系统上连接到同一目的地时的行为差异。
环境
我的测试是在 centos6 上(我知道它已被弃用,我仍然想了解)。详细版本是 6.10(根据 vault.centos.org 更新数据包)。
测试:SSL 连接到带有letsencrypt 证书的网站
我正在尝试使用letsencrypt证书连接到服务器,例如https://letsencrypt.org .
由于the expiration of a letsencrypt intermediate certificate ,我希望证书验证失败。
所以我很惊讶 curl 没有提示证书,而 wget 确实:
wget测试

# wget --output-document=/dev/null  https://letsencrypt.com --verbose
--2021-10-27 18:02:39--  https://letsencrypt.com/
Resolving letsencrypt.com... 206.189.50.215, 3.67.153.12, 2a03:b0c0:3:d0::d23:4001, ...
Connecting to letsencrypt.com|206.189.50.215|:443... connected.
ERROR: cannot verify letsencrypt.com's certificate, issued by `/C=US/O=Let\'s Encrypt/CN=R3':
  Issued certificate has expired.
To connect to letsencrypt.com insecurely, use `--no-check-certificate'.
curl 测试
# curl https://letsencrypt.org --output /dev/null --verbose
* About to connect() to letsencrypt.org port 443 (#0)
*   Trying 3.125.252.47... connected
* Connected to letsencrypt.org (3.125.252.47) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=lencr.org
*       start date: Oct 10 03:00:44 2021 GMT
*       expire date: Jan 08 03:00:43 2022 GMT
*       common name: lencr.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: letsencrypt.org
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 200 OK
< cache-control: public, max-age=0, must-revalidate
< content-security-policy: default-src 'none'; font-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' data: https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://donorbox.org https://js.stripe.com/v3/ https://sdks.shopifycdn.com ; img-src 'self' data: blob: https://www.google-analytics.com https://www.paypal.com https://www.paypalobjects.com https://ak2s.abmr.net https://ak1s.abmr.net https://www.google.com https://cdn.shopify.com https://v.shopify.com ; frame-src https://donorbox.org https://www.youtube.com https://www.youtube-nocookie.com https://bid.g.doubleclick.net https://js.stripe.com/v3/ https://js.stripe.com/v2/ ; connect-src 'self' https://d4twhgtvn0ff5.cloudfront.net/ https://letsencrypt-merch.myshopify.com https://monorail-edge.shopifysvc.com ;
< content-type: text/html; charset=UTF-8
< date: Tue, 26 Oct 2021 16:00:55 GMT
< etag: "f9fe2f13bc4ea4cc3ad994a763b6113c-ssl"
< permissions-policy: geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(self), vibrate=(), fullscreen=(self), interest-cohort=()
< referrer-policy: no-referrer
< strict-transport-security: max-age=31536000
< x-xss-protection: 1; mode=block
< age: 86183
< server: Netlify
< x-nf-request-id: 01FK17GMX7JW56W5ABGPH06ZP3
< content-length: 32108
< x-content-type-options: nosniff
< x-frame-options: DENY
<
{ [data not shown]
100 32108  100 32108    0     0  79841      0 --:--:-- --:--:-- --:--:--  407k* Connection #0 to host letsencrypt.org left intact

* Closing connection #0
我在 wget ( wget --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt https://letsencrypt.org -O /dev/null ) 上使用强制 ca 文件进行了一些测试,但没有差异。
有什么提示吗?谢谢你的时间=)

最佳答案

在 curl 工作但 wget 返回证书错误的 debian 10 上有类似的问题。 curl 和 wget 使用不同的库。更新包 wget 取决于修复问题。

# apt depends wget
wget
  Depends: libc6 (>= 2.28)
  Depends: libgnutls30 (>= 3.6.6)
  Depends: libidn2-0 (>= 0.6)
  Depends: libnettle6
  Depends: libpcre2-8-0 (>= 10.32)
  Depends: libpsl5 (>= 0.16.0)
  Depends: libuuid1 (>= 2.16)
  Depends: zlib1g (>= 1:1.1.4)
  Conflicts: <wget-ssl>
  Recommends: ca-certificates
# apt install wget libc6 libgnutls30 libidn2-0 libnettle6 libpcre2-8-0 libpsl5 libuuid1 zlib1g ca-certificates

关于ssl - centos6/letsencrypt - wget 证书错误,但 curl 没有,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/69742075/

上一篇:ruby-on-rails - 在 ruby​​ on rails app 中运行 bundle install 时无法验证 SSL 证书错误

下一篇:node.js - MacOS 上的 Nuxt JS SSL 服务器安装问题

相关文章:

perl - Paypal IPN : unable to get local issuer certificate

regex - 如何在 wget 中使用正则表达式来拒绝文件?

java - 如何使用 PHP 到 Java 的 JSON 数据发出 POST 请求?

php - 我如何 curl www.google.com - 它不断将我重定向到 .co.uk

java - 用 Java 镜像网站

c - wget logfile,如何设置单位为秒和千字节

ssl - 在 Play 中强制执行 SSL!框架 2.1.3

c# -> Kafka 通过 TLS : "The message received was unexpected or badly formatted"

apache - MediaWiki 上的 LDAP 身份验证

linux - Docker 镜像rabbitmq,apt损坏

©2024 IT工具网  联系我们