Certificate-Authority
Why does curl work for a specific https site while wget gets a certificate problem?
CentOS 6. After a recent update of ca-certificates I ran into some trouble. I have the latest curl version for CentOS 6:

```
-bash-4.1$ curl -V -v
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps http file https ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
```
and wget:

```
-bash-4.1$ wget -V -v
GNU Wget 1.12 built on linux-gnu.

+digest +ipv6 +nls +ntlm +opie +md5/openssl +https -gnutls +openssl -iri

Wgetrc:
    /etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc" -DLOCALEDIR="/usr/share/locale" -I. -I../lib -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing
Link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fno-strict-aliasing -Wl,-z,relro -lssl -lcrypto /usr/lib64/libssl.so /usr/lib64/libcrypto.so -ldl -lrt ftp-opie.o openssl.o http-ntlm.o gen-md5.o ../lib/libgnu.a

Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Currently maintained by Micah Cowan <micah@cowan.name>.
Please send bug reports and questions to <bug-wget@gnu.org>.
```
Now I have a problem with certificates from the CA https://www.certum.pl/. curl works fine:

```
-bash-4.1$ curl -v 'https://certum.pl/'
* About to connect() to certum.pl port 443 (#0)
* Trying 213.222.201.147... connected
* Connected to certum.pl (213.222.201.147) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* subject: CN=certum.pl,businessCategory=Private Organization,serialNumber=0000421310,incorporationState=pomorskie,incorporationLocality=Gdańsk,incorporationCountry=PL,postalCode=81-321,STREET=Podolska 21,ST=pomorskie,L=Gdynia,OU=Certification Authority Division,O=Asseco Data Systems S.A.,C=PL
* start date: Aug 16 09:10:07 2017 GMT
* expire date: Aug 16 09:10:07 2019 GMT
* common name: certum.pl
* issuer: CN=Certum Extended Validation CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: certum.pl
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Tue, 17 Jul 2018 07:02:41 GMT
< Server: Apache
< Pragma: no-cache
< Location: https://www.certum.pl/pl/
< Content-Length: 209
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://www.certum.pl/pl/">here</a>.</p>
</body></html>
* Closing connection #0
```
But wget returns `ERROR`:

```
-bash-4.1$ wget -d -O- 'https://certum.pl/'
Setting --output-document (outputdocument) to -
DEBUG output created by Wget 1.12 on linux-gnu.

--2018-07-17 09:04:42-- https://certum.pl/
Resolving certum.pl... 213.222.201.147
Caching certum.pl => 213.222.201.147
Connecting to certum.pl|213.222.201.147|:443... connected.
Created socket 3.
Releasing 0x0000000000d2af00 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0000000000d4bb40
certificate:
  subject: /C=PL/O=Asseco Data Systems S.A./OU=Certification Authority Division/L=Gdynia/ST=pomorskie/street=Podolska 21/postalCode=81-321/1.3.6.1.4.1.311.60.2.1.3=PL/1.3.6.1.4.1.311.60.2.1.1=Gda\xC5\x84sk/1.3.6.1.4.1.311.60.2.1.2=pomorskie/serialNumber=0000421310/businessCategory=Private Organization/CN=certum.pl
  issuer: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Extended Validation CA SHA2
ERROR: cannot verify certum.pl's certificate, issued by `/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Extended Validation CA SHA2':
  Unable to locally verify the issuer's authority.
To connect to certum.pl insecurely, use `--no-check-certificate'.
Closed 3/SSL 0x0000000000d4bb40
```
The same thing happens when I specify the CA certificate on the command line. For wget: `--ca-certificate=/etc/pki/tls/certs/ca-bundle.crt`, and for curl: `--cacert /etc/pki/tls/certs/ca-bundle.crt`.
The ca-certificates version is now `2018.2.22-65.1.el6`, which is the latest. The openssl version is now `1.0.1e-57.el6`, which is the latest. Do you know what is going on?
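My working solution for this problem on CentOS 6 was to add the "lost" CA certificate to the certificates trusted by `ca-certificates`. I don't know why they removed it in that update. So:
- Copy the root CA certificate from the "https://certum.pl/" page to `/etc/pki/ca-trust/source/anchors/`
- Run: `update-ca-trust enable`
- Run: `update-ca-trust extract`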
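I still don't fully know why `wget` did not work and `curl` did. When I tried `rpm -ql nss`, there was no information about any other trust store. I don't know where it could be located.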
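`wget` is linked against OpenSSL while curl is linked against the NSS crypto library, which may explain why they use different trust stores. I don't have a RHEL 6 system nearby, but `rpm -ql nss` may show a different or additional trust store compared with the one OpenSSL uses. This Red Hat resource may be relevant: https://access.redhat.com/solutions/1549003

In short: `update-ca-trust extract`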
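
The failure and the fix discussed in the answers above can be reproduced offline. This is an added example, not part of the original posts: wget's "Unable to locally verify the issuer's authority" is how it reports OpenSSL verify error 20 (unable to get local issuer certificate), which appears whenever the bundle given to OpenSSL lacks the issuing root. The CA names, `demo.example`, the temp-dir bundle and all function names are constructed for illustration, and appending the root to the bundle stands in for the anchors/`update-ca-trust extract` step.

```shell
#!/bin/sh
# Constructed throwaway PKI in a temp dir; nothing under /etc/pki is touched.

# new_root DIR NAME: self-signed root certificate DIR/NAME.pem (constructed CA).
new_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# new_leaf DIR ROOT: DIR/leaf.pem for demo.example, issued by DIR/ROOT.pem.
new_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# verify_status BUNDLE CERT: prints "ok" or OpenSSL's numeric verify error.
verify_status() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in
        *": OK"*) echo ok ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    esac
}

demo() {
    d=$(mktemp -d) || return 1
    new_root "$d" removed-root && new_root "$d" other-root &&
        new_leaf "$d" removed-root || return 1
    # Bundle as it looks after the update: other roots, but not the issuer.
    cp "$d/other-root.pem" "$d/bundle.pem"
    before=$(verify_status "$d/bundle.pem" "$d/leaf.pem")
    # Stand-in for dropping the root into anchors/ and regenerating the bundle.
    cat "$d/removed-root.pem" >> "$d/bundle.pem"
    after=$(verify_status "$d/bundle.pem" "$d/leaf.pem")
    rm -rf "$d"
    echo "before=$before after=$after"
}

demo
```

On a real host, `verify_status /etc/pki/tls/certs/ca-bundle.crt server.pem` (with `server.pem` being a saved copy of the site's certificate chain issuer or leaf) gives the same OpenSSL-side answer wget acts on, independent of what curl's NSS store contains.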