卷曲:无法获取本地发行者证书。如何调试?

14

我有一个奇怪的问题。将我的LAMP开发机(Debian)更新为PHP7。之后,我无法再通过Curl连接到特定的TLS加密API。

有问题的SSL证书由thawte签名。

curl https://example.com

给我

curl: (60) SSL certificate problem: unable to get local issuer certificate


curl https://thawte.com

当然,这也是Thawte作品签名的。

我可以在其他计算机上通过HTTPS访问API站点,例如通过curl和浏览器在我的桌面上。因此该证书绝对有效。SSL Labs评级为A。

从我的开发机到其他SSL加密站点的任何其他Curl请求都可以工作。我的根证书是最新的。为了验证,我跑了update-ca-certificates。我什至将http://curl.haxx.se/ca/cacert.pem下载到/ etc / ssl / certs并运行c_rehash

还是一样的错误。

有什么方法可以调试验证过程并查看正在寻找但找不到的本地颁发者证书curl(或openssl),即文件名?

更新

curl -vs https://example.com

告诉我(IP +域名已匿名)

* Hostname was NOT found in DNS cache
*   Trying 192.0.2.1...
* Connected to example.com (192.0.2.1) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0


echo | openssl s_client -connect example.com:443


CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=XYZ/CN=*.example.com
   i:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
 1 s:/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
 2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
   i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=DE/ST=XYZ/CN=*.example.com
issuer=/C=US/O=thawte, Inc./CN=thawte SSL CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 4214 bytes and written 421 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: [...]
    Session-ID-ctx:
    Master-Key: [...]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5a 95 df 40 2c c9 6b d5-4a 50 75 c5 a3 80 0a 2d   Z..@,.k.JPu....-
    [...]
    00b0 - d5 b9 e8 25 00 c5 c7 da-ce 73 fb f2 c5 46 c4 24   ...%.....s...F.$

    Start Time: 1455111516
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
ssl  ssl-certificate  openssl  tls  curl 

source
1
您能否至少给出这些cmd的详细输出?curl -vs https://example.com echo | openssl s_client -connect example.com:443
弗朗索瓦

Answers:

8

使用openssl s_client -connect thawte.com:443节目:

---
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/O=Thawte, Inc./C=US/ST=California/L=Mountain View/businessCategory=Private Organization/serialNumber=3898261/OU=Infrastructure Operations/CN=www.thawte.com
   i:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA
 1 s:/C=US/O=thawte, Inc./CN=thawte Extended Validation SHA256 SSL CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
---

最后一个“ i”表示发出自签名的根CA。我猜想那个特定的Thawte根CA _i.e。在主根CA - G3证书,是不是在你的/etc/ssl/certs目录(如在规定curl输出; openssl s_client没有默认的CA的路径,需要给出一个明确的,例如 -CApath /etc/ssl/certs)。

明确地将该证书添加到您的/etc/ssl/certs目录中(并重新运行c_rehash)当然不会受到伤害。并且,如果它可以正常工作(例如,使用验证)openssl s_client -connect example.com:443 -CApath /etc/ssl/certs,那么您会知道该update-ca-certificates命令可能需要进行一些检查/调试,以了解为什么它没有选择此根CA。

现在,可能是上面的根CA已经在您的/etc/ssl/certs目录中,并且上面的步骤无效。在这种情况下,还需要检查其他两个发行CA证书(至少在提供的证书链中thawte.com:443):thawte主根CAthawte SSL CA-G2。重复上述步骤将这些证书安装到您的/etc/ssl/certs目录中(并重新运行c_rehash)可能会起作用。由于这两个是中间CA,而不是根CA,因此如果其中一个都不存在,则可以解释您的结果,并且可能会被视为忽略了证书update-ca-certificates

希望这可以帮助!

卡斯塔利亚
source
谢谢!将中间证书“ thawte SSL CA-G2”下载到/ etc / ssl / certs并重新运行c_rehash解决了该问题!
罗布
1
openssl s_client -connect <server>:443 -CAfile cacert.pem命令非常有帮助...谢谢!
克里斯(Kris)
0

这可能是由于站点的公钥证书文件中站点的顺序错误,发行,中间和根证书而引起的。

浏览器沿上下方向(根,中间,发行,站点)显示证书,但是证书必须沿上下方向(站点,发行,中间,根)显示证书。

安德烈(Andrej)
source
By using our site, you acknowledge that you have read and understand our Cookie Policy and Privacy Policy.
Licensed under cc by-sa 3.0 with attribution required.