使用wget / curl的Ubuntu 11.10与ssl失败

前端之家收集整理的这篇文章主要介绍了使用wget / curl的Ubuntu 11.10与ssl失败前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
在一个全新的Ubuntu安装中,我在使用wget时遇到以下错误
wget https://test.sagepay.com

--2012-03-27 12:55:12--  https://test.sagepay.com/
Resolving test.sagepay.com... 195.170.169.8
Connecting to test.sagepay.com|195.170.169.8|:443... connected.
ERROR: cannot verify test.sagepay.com's certificate,issued by `/C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL SGC CA':
Unable to locally verify the issuer's authority.
To connect to test.sagepay.com insecurely,use `--no-check-certificate'.

我已经尝试安装ca证书并配置ca-certs,它们似乎都在/ etc / ssl / certs中设置.

cURL存在同样的问题:

curl https://test.sagepay.com

curl: (60) SSL certificate problem,verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify Failed

这让我相信openssl服务器范围有问题.

wget和curl都在OSX上本地正常工作,我已经与少数人确认它正在他们的服务器上工作,所以我怀疑它与我试图连接的服务器无关.

有什么想法或建议可以尝试缩小范围吗?

谢谢

编辑来自curl的请求详细输出

curl -Iv https://test.sagepay.com
* About to connect() to test.sagepay.com port 443 (#0)
*   Trying 195.170.169.8... connected
* Connected to test.sagepay.com (195.170.169.8) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3,TLS handshake,Client hello (1):
* SSLv3,Server hello (2):
* SSLv3,CERT (11):
* SSLv3,TLS alert,Server hello (2):
* SSL certificate problem,verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify Failed
* Closing connection #0
curl: (60) SSL certificate problem,verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify Failed
More details here: http://curl.haxx.se/docs/sslcerts.html

编辑2
使用评论中的哈希我看到:

ubuntu@srv-tf6sq:/etc/ssl/certs$ls -al 7651b327.0
lrwxrwxrwx 1 root root 59 2012-03-27 12:48 7651b327.0 -> Verisign_Class_3_Public_Primary_Certification_Authority.pem
ubuntu@srv-tf6sq:/etc/ssl/certs$ls -al Verisign_Class_3_Public_Primary_Certification_Authority.pem
lrwxrwxrwx 1 root root 94 2012-01-18 07:21 Verisign_Class_3_Public_Primary_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
ubuntu@srv-tf6sq:/etc/ssl/certs$ls -al /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
-rw-r--r-- 1 root root 834 2011-09-28 14:53 /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
ubuntu@srv-tf6sq:/etc/ssl/certs$more /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i
2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ
2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
-----END CERTIFICATE-----

但是我自己做了一些步骤,最后得到了一个不同的哈希:

strace -o /tmp/foo.out curl -Iv https://test.sagepay.com

grep ssl /tmp/foo.out
open("/lib/x86_64-linux-gnu/libssl.so.1.0.0",O_RDONLY) = 3
stat("/etc/ssl/certs/415660c1.0",{st_mode=S_IFREG|0644,st_size=834,...}) = 0
open("/etc/ssl/certs/415660c1.0",O_RDONLY) = 4
stat("/etc/ssl/certs/415660c1.1",0x7fff7dab07b0) = -1 ENOENT (No such file or directory)

readlink -f /etc/ssl/certs/415660c1.0
/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt

more /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG
A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i
2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ
2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
-----END CERTIFICATE-----

还有其他想法吗?谢谢你的帮助到目前为止:)

编辑:回答如下

解决方法

事实证明,安装ca-certificates软件包并没有安装我需要的软件包.我发现 this post关于无序出现的证书.我对sagepay的要求似乎就是这种情况.

解决方案最终是从Verisign安装另一个CA证书.我不确定为什么这会解决它出现故障的问题,但确实如此,但我怀疑乱序问题确实根本不是问题,而且事实上是因为我一直都缺少证书.该帖子中提供了额外的证书,但我不想盲目信任它.我查看了cURL’s site的CA证书列表,它列在那里,所以我确实相信它.

证书:

Verisign Class 3 Public Primary Certification Authority
=======================================================
-----BEGIN CERTIFICATE-----
MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMx
FzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVow
XzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAz
IFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhEBarsAx94
f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/isI19wKTakyYbnsZogy1Ol
hec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0GCSqGSIb3DQEBAgUAA4GBALtMEivPLCYA
TxQT3ab7/AoRhIzzKBxnki98tsX63/Dolbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59Ah
WM1pF+NEHJwZRDmJXNycAA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2Omuf
Tqj/ZA1k
-----END CERTIFICATE-----

我把它放在一个文件中:

/usr/share/ca-certificates/curl/Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.crt

然后我修改了/etc/ca-certificates.conf并在最后添加了以下行:

curl/Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.crt

之后我运行了命令:

sudo update-ca-certificates

查看/ etc / ssl / certs目录,我看到它正确链接

ls -al | grep cURL
lrwxrwxrwx 1 root root     69 2012-03-27 16:03 415660c1.0 -> Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.pem
lrwxrwxrwx 1 root root     69 2012-03-27 16:03 7651b327.0 -> Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.pem
lrwxrwxrwx 1 root root    101 2012-03-27 16:03 Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.pem -> /usr/share/ca-certificates/curl/Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.crt

一切正常!

curl  -I https://test.sagepay.com
HTTP/1.1 200 OK...

猜你在找的Linux相关文章