我安装了最新版本的ca-certificate,看起来他们有Go Daddy Root Certificate Authority-G2,但这并不是一回事,并且在所有形式的验证中都失败了.我终于通过复制捆绑包并直接在CURL请求中使用它来使其工作.但这只是一种解决方法.是否还有其他我无法在没有直接安装CA的情况下完成这项工作?
# openssl s_client -connect facts.dohrn.com:443
CONNECTED(00000003) depth=0 OU = Domain Control Validated,CN = facts.dohrn.com verify
error:num=20:unable to get local issuer certificate verify return:1
depth=0 OU = Domain Control Validated,CN = facts.dohrn.com verify
error:num=27:certificate not trusted verify return:1 depth=0 OU =
Domain Control Validated,CN = facts.dohrn.com verify
error:num=21:unable to verify the first certificate verify return:1
— Certificate chain 0 s:/OU=Domain Control Validated/CN=facts.dohrn.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certs.godaddy.com/repository//CN
=Go Daddy Secure
Certificate Authority – G2
— Server certificate [certificate removed]
—–END CERTIFICATE—–
subject=/OU=Domain Control Validated/CN=facts.dohrn.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
Inc./OU=http://certs.godaddy.com/repository//CN
=Go Daddy Secure
Certificate Authority – G2
— No client certificate CA names sent
— SSL handshake has read 1470 bytes and written 563 bytes
— New,TLSv1/SSLv3,Cipher is RC4-SHA Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion:
NONE SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 1A23000017A7003411F3833970B7FA23C6D782E663CE0C8B17DE4D5A15DEE1A5
Session-ID-ctx:
Master-Key: F6C9C6345A09B7965AF762DE4BEFE8BDD249136BF30D9364598D78CF123F17230B0C25DD552F103BEF9A893F75EAD2B0
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1432044402
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
这似乎是他们的配置错误.这绝对是可以预期会导致兼容性问题的因素,因为您实际上只应该依赖具有预先存在根证书的客户端.
请参阅证书链,例如来自SSLLabs result :(您还会注意到SSL设置存在许多其他问题.)
1 Sent by server facts.dohrn.com Fingerprint: 823e3a70f194c646498b2591069b3727ad0014d9 RSA 2048 bits (e 65537) / SHA256withRSA 2 Extra download Go Daddy Secure Certificate Authority - G2 Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8 RSA 2048 bits (e 65537) / SHA256withRSA 3 In trust store Go Daddy Root Certificate Authority - G2 Self-signed Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b RSA 2048 bits (e 65537) / SHA256withRSA
我会说你的主要选择是要么试图说服服务提供商修复他们的服务,要么通过向客户端提供他们的服务器应该提供的证书来解决问题.