Overview
Running curl or wget against a server whose certificate was issued by a self-signed CA fails verification:
```
→ curl -Ivv https://192.168.10.6:8443
* About to connect() to 192.168.10.6 port 8443 (#0)
* Trying 192.168.10.6...
* Connected to 192.168.10.6 (192.168.10.6) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=minikube,O=system:masters
* start date: Oct 18 02:22:08 2021 GMT
* expire date: Oct 19 02:22:08 2022 GMT
* common name: minikube
* issuer: CN=minikubeCA
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```
Workaround
```bash
# wget: turn off certificate checking for every run
echo "check_certificate = off" >> ~/.wgetrc
# curl: a single line "insecure" in $HOME/.curlrc makes every run skip verification
$ vi $HOME/.curlrc
insecure
# curl also accepts -k / --insecure on the command line
curl -k ....
```
The approaches above amount to skipping certificate verification altogether, which carries real risk.
The correct approach
- Obtain the CA certificate file from a trustworthy source; you can also export the `.crt` file from the browser.
- On CentOS, `cp` the `xx.crt` file into /etc/pki/ca-trust/source/anchors
- Refresh the CA trust store: `update-ca-trust`
- Run `curl` or `wget` again to confirm that verification now succeeds.
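The steps above, as an added example that is not part of the original post: a small POSIX shell script that installs the exported file as a trust anchor, but refuses unless the file really is a CA certificate and, optionally, really issued the server's certificate. It assumes openssl is installed; ANCHOR_DIR and UPDATE_CMD are hypothetical overrides so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original post. Installs an exported CA certificate
# as a CentOS trust anchor only after confirming it is a CA certificate and
# (optionally) that the server certificate chains to it. ANCHOR_DIR and
# UPDATE_CMD are hypothetical overrides so the functions can run without root.
ANCHOR_DIR="${ANCHOR_DIR:-/etc/pki/ca-trust/source/anchors}"
UPDATE_CMD="${UPDATE_CMD:-update-ca-trust}"

# is_ca_cert FILE: succeed only if FILE is a PEM X.509 cert carrying CA:TRUE
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# verify_server_cert CA_FILE SERVER_CERT: succeed if SERVER_CERT chains to CA_FILE,
# i.e. the exported CA really is the issuer (CN=minikubeCA in the post).
# The ": OK" line is grepped because OpenSSL 1.0.x "verify" exits 0 even on failure.
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# fetch_server_cert HOST:PORT OUT_FILE: save the server's leaf certificate as PEM
fetch_server_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -out "$2"
}

# install_ca_anchor CA_FILE [SERVER_CERT]: copy the CA into the anchors directory
# and refresh the trust store; refuses leaf certs and CAs that did not issue SERVER_CERT
install_ca_anchor() {
    ca="$1"; srv="${2:-}"
    if ! is_ca_cert "$ca"; then
        echo "refusing to trust $ca: not a CA certificate" >&2
        return 1
    fi
    if [ -n "$srv" ] && ! verify_server_cert "$ca" "$srv"; then
        echo "refusing to trust $ca: it did not issue $srv" >&2
        return 1
    fi
    cp "$ca" "$ANCHOR_DIR/" || return 1
    $UPDATE_CMD
}

# Usage: sh trust-ca.sh exported-ca.crt [server.crt]
if [ -n "${1:-}" ]; then
    install_ca_anchor "$1" "${2:-}"
fi
```

Until the anchor is installed, `curl --cacert exported-ca.crt https://192.168.10.6:8443` verifies against the exported CA for a single command without touching the system store.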