错误：60, 'SSL certificate problem: unable to get local issuer certificate'

pycurl.error: (60, ‘SSL certificate problem: unable to get local issuer certificate’)

分别使用openssl查看子网站可以发现：

root@d61-2:/code# openssl s_client -showcerts -servername x.y.com -connect x.y.com:443
CONNECTED(00000003)
depth=0 C = CN, OU = \E6\B5\99\E6\B1\9F..., CN = x.y.com
verify error:num=20:unable to get local issuer certificate  # 错误
verify return:1
depth=0 C = CN, OU = \E6\B5\99\E6\B1\9F..., CN = x.y.com
verify error:num=21:unable to verify the first certificate  # 错误
verify return:1
---
Certificate chain
 0 s:/C=CN/OU=\xE6\xB5\x99\.../CN=x.y.com
   i:/C=cn/OU=V\xFD[\xB6z\x0ER\xA1`;\@/CN=z\x0ER\xA1u5[P\x8B\xC1Nf{\xA1t\x06N-_\xC3/description=\x00c\x00a\x001\x000\x000\x000\x000\x002
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/OU=\xE6\xB5\x99\.../CN=x.y.com
issuer=/C=cn/OU=V\xFD[\xB6z\x0ER\xA1`;\@/CN=z\x0ER\xA1u5[P\x8B\xC1Nf{\xA1t\x06N-_\xC3/description=\x00c\x00a\x001\x000\x000\x000\x000\x002
---
No client certificate CA names sent
---
SSL handshake has read 1664 bytes and written 419 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-SHA
    Session-ID: 9B731F3393...
    Session-ID-ctx:
    Master-Key: 670854BA6747BDF1...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 1800 (seconds)
    TLS session ticket:
    0000 - 4b 08 17 c5 99 1f fb e3-08 9b 73 ba 5a 51 a7 de   K.........s.ZQ..
    0010 - cf d3 6c c5 ec 97 52 a0-30 82 f9 6a 85 94 47 2f   ..l...R.0..j..G/
    .....

    Start Time: 1531963197
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---
^C

p7b格式：以树状展示证书链(certificate chain)，同时也支持单个证书，不含私钥。

 # 查看p7b证书。
 ~ openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs
 # 导出p7b证书。
 ~ openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs > certificate_bundle.cer

curl的 -k/–insecure参数：

# curl也会通过验证服务器的证书来证明服务器声明的身份，如果验证失败curl将拒绝和这个服务器连接，可以使用参数--insecure(-k)忽略服务器不能被验证。
# 更多关于服务器证书验证以及ca cert bundles可以参读SSLCERTS文档(https://curl.haxx.se/docs/sslcerts.html)。
curl.setopt(pycurl.SSL_VERIFYPEER, False)  # equivalent to curl's --insecure

弊端：

• 一旦服务器端需要验证证书，那么所有访问都将失败！