Ssl

Curl: unable to get local issuer certificate. How to debug?

  • May 22, 2019

I have a strange issue. I updated my LAMP development machine (Debian) to PHP 7. Afterwards I can no longer connect to a particular TLS-encrypted API via Curl.

The SSL certificate in question is signed by thawte.

curl https://example.com

gives me

curl: (60) SSL certificate problem: unable to get local issuer certificate

However,

curl https://thawte.com

works, of course, and it is also signed by Thawte.

I can reach the API site over HTTPS from other machines, e.g. my desktop, with both curl and a browser. So the certificate is definitely valid. SSL Labs rates it A.

Any other Curl request from my dev machine to other SSL-encrypted sites works. My root certificates are up to date. To verify, I ran update-ca-certificates. I even downloaded http://curl.haxx.se/ca/cacert.pem into /etc/ssl/certs and ran c_rehash.

Still the same error.

Is there a way to debug the verification process and see which local issuer certificate curl (or openssl) is looking for but not finding, i.e. the file name?

UPDATE

curl -vs https://example.com

tells me (IP and domain anonymized)

* Hostname was NOT found in DNS cache
*   Trying 192.0.2.1...
* Connected to example.com (192.0.2.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
*   CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

echo | openssl s_client -connect example.com:443

CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=DE/ST=XYZ/CN=*.example.com
  i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
  i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
  i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=DE/ST=XYZ/CN=*.example.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4214 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : TLSv1.2
   Cipher    : ECDHE-RSA-AES256-GCM-SHA384
   Session-ID: [...]
   Session-ID-ctx:
   Master-Key: [...]
   Key-Arg   : None
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   TLS session ticket lifetime hint: 300 (seconds)
   TLS session ticket:
   0000 - 5a 95 df 40 2c c9 6b d5-4a 50 75 c5 a3 80 0a 2d   Z..@,.k.JPu....-
   [...]
   00b0 - d5 b9 e8 25 00 c5 c7 da-ce 73 fb f2 c5 46 c4 24   ...%.....s...F.$

   Start Time: 1455111516
   Timeout   : 300 (sec)
   Verify return code: 20 (unable to get local issuer certificate)
---
DONE

Using openssl s_client -connect thawte.com:443 shows:

---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Thawte, Inc./C=US/ST=California/L=Mountain View/businessCategory=Private Organization/serialNumber=3898261/OU=Infrastructure Operations/CN=www.thawte.com
  i:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA
1 s:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA
  i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
---

The last "i" shows the self-signed root CA that issued it. I guess that particular Thawte root CA, i.e. the Primary Root CA - G3 certificate, is not in your /etc/ssl/certs directory (as mentioned in the curl output; openssl s_client has no default CA path and needs it given explicitly, e.g. -CApath /etc/ssl/certs).

Adding that certificate explicitly to your /etc/ssl/certs directory (and re-running c_rehash) certainly wouldn't hurt. If it works, e.g. verify with openssl s_client -connect example.com:443 -CApath /etc/ssl/certs, then you know the update-ca-certificates command probably needs some checking/debugging as to why it is not picking up this root CA.

Now, it may be that the above root CA is already in your /etc/ssl/certs directory and the above step has no effect. In that case there are two other issuing CA certificates to check (at least in the certificate chain provided by thawte.com:443): thawte Primary Root CA and thawte SSL CA - G2. Repeating the above steps to install these certificates into your /etc/ssl/certs directory (and re-running c_rehash) may do the trick. Since these two are intermediate CAs, not root CAs, the absence of one of them could explain your result and might be missed by update-ca-certificates.

Hope this helps!
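A way to answer the question's "which local file is curl looking for?" and to carry out the answer's install, re-hash and verify steps by hand, as an added example that is not code from the serverfault thread or from either poster. It assumes only the openssl CLI; the Demo Root CA / Demo Intermediate CA / www.example.test hierarchy it generates is constructed test data, not the thawte chain from the question:

```sh
#!/bin/sh
# Added example, not from the serverfault thread. Reproduces by hand the lookup
# curl/OpenSSL perform against a CApath: for each certificate in a PEM chain
# (leaf first, as the server sends it) compute the issuer's subject hash and
# look for "<hash>.N" in the directory. The first depth at which the issuer, or
# the certificate itself, is found locally is where the chain anchors; if no
# depth anchors, OpenSSL reports error 20, "unable to get local issuer certificate".

# chain_split CHAIN.pem OUTDIR: one file per certificate (0.pem = leaf). Text
# outside the PEM markers (e.g. raw `openssl s_client -showcerts` output) is
# skipped, so a captured handshake can be fed in directly.
chain_split() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%d.pem", dir, n); n++ }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }' "$1"
}

# capath_install CERT.pem CAPATH: copy CERT into CAPATH under the hashed name
# c_rehash would give it (<subject_hash>.0, then .1, .2 ... on collision).
capath_install() {
  mkdir -p "$2"
  hash=$(openssl x509 -in "$1" -noout -subject_hash)
  n=0
  while [ -e "$2/$hash.$n" ]; do n=$((n + 1)); done
  cp "$1" "$2/$hash.$n"
  echo "$2/$hash.$n"
}

# chain_anchor CHAIN.pem CAPATH: one diagnostic line per depth on stderr, the
# anchoring depth (or "none") on stdout; returns 1 when nothing anchors.
chain_anchor() {
  tmp=$(mktemp -d)
  chain_split "$1" "$tmp"
  anchor=none
  d=0
  while [ -f "$tmp/$d.pem" ] && [ "$anchor" = none ]; do
    subj=$(openssl x509 -in "$tmp/$d.pem" -noout -subject)
    shash=$(openssl x509 -in "$tmp/$d.pem" -noout -subject_hash)
    ihash=$(openssl x509 -in "$tmp/$d.pem" -noout -issuer_hash)
    if [ -e "$2/$shash.0" ]; then
      echo "depth=$d $subj: certificate itself is trusted ($2/$shash.0)" >&2
      anchor=$d
    elif [ -e "$2/$ihash.0" ]; then
      echo "depth=$d $subj: issuer found at $2/$ihash.0" >&2
      anchor=$d
    else
      echo "depth=$d $subj: issuer NOT found, looked for $2/$ihash.0" >&2
    fi
    d=$((d + 1))
  done
  rm -rf "$tmp"
  echo "$anchor"
  [ "$anchor" != none ]
}

# chain_verify CHAIN.pem CAPATH: the check curl performs, done with the CLI:
# leaf verified with the rest of the chain untrusted and only CAPATH trusted.
chain_verify() {
  tmp=$(mktemp -d)
  chain_split "$1" "$tmp"
  : > "$tmp/untrusted.pem"
  d=1
  while [ -f "$tmp/$d.pem" ]; do cat "$tmp/$d.pem" >> "$tmp/untrusted.pem"; d=$((d + 1)); done
  openssl verify -no-CAfile -no-CApath -CApath "$2" \
      -untrusted "$tmp/untrusted.pem" "$tmp/0.pem" && rc=0 || rc=$?
  rm -rf "$tmp"
  return $rc
}

# make_demo_chain DIR: constructed root -> intermediate -> leaf hierarchy
# (test data, not thawte's), written as DIR/root.pem, DIR/leaf.pem, DIR/chain.pem.
make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/root.key" -out "$1/root.pem" \
      -subj '/CN=Demo Root CA' -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$1/int.key" -out "$1/int.csr" \
      -subj '/CN=Demo Intermediate CA' >/dev/null 2>&1
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" -CAcreateserial \
      -extfile "$1/ca.ext" -days 2 -out "$1/int.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$1/leaf.key" -out "$1/leaf.csr" \
      -subj '/CN=www.example.test' >/dev/null 2>&1
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" -CAcreateserial \
      -extfile "$1/leaf.ext" -days 2 -out "$1/leaf.pem" >/dev/null 2>&1
  cat "$1/leaf.pem" "$1/int.pem" > "$1/chain.pem"   # server order: leaf first
}

# Demo (run with --demo): empty CApath first, then after installing the root.
if [ "${1:-}" = --demo ]; then
  work=$(mktemp -d); make_demo_chain "$work"; mkdir "$work/capath"
  chain_anchor "$work/chain.pem" "$work/capath" || true
  chain_verify "$work/chain.pem" "$work/capath" || true
  capath_install "$work/root.pem" "$work/capath"
  chain_anchor "$work/chain.pem" "$work/capath"
  chain_verify "$work/chain.pem" "$work/capath"
fi
```

For a live host, capture the chain with `openssl s_client -connect example.com:443 -showcerts </dev/null >chain.pem 2>/dev/null` and run `chain_anchor chain.pem /etc/ssl/certs`: the depths printed as NOT found name the exact `<hash>.0` file the lookup wanted, which is the file name the question asks for. Checking the certificate's own subject hash before its issuer's also covers the cross-signed root in the question's chain: a root installed under its own hash anchors the chain even though its issuer (Thawte Premium Server CA there) is absent, which is how OpenSSL 1.1.0 and later, with their trusted-first lookup, treat it.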

Source: https://serverfault.com/questions/755248