pycurl.error: (60, 'SSL certificate problem: unable to get local issuer certificate')
Checking each subsite with openssl in turn shows the following:
root@d61-2:/code# openssl s_client -showcerts -servername x.y.com -connect x.y.com:443
CONNECTED(00000003)
depth=0 C = CN, OU = \E6\B5\99\E6\B1\9F..., CN = x.y.com
verify error:num=20:unable to get local issuer certificate # error
verify return:1
depth=0 C = CN, OU = \E6\B5\99\E6\B1\9F..., CN = x.y.com
verify error:num=21:unable to verify the first certificate # error
verify return:1
---
Certificate chain
0 s:/C=CN/OU=\xE6\xB5\x99\.../CN=x.y.com
i:/C=cn/OU=V\xFD[\xB6z\x0ER\xA1`;\@/CN=z\x0ER\xA1u5[P\x8B\xC1Nf{\xA1t\x06N-_\xC3/description=\x00c\x00a\x001\x000\x000\x000\x000\x002
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=CN/OU=\xE6\xB5\x99\.../CN=x.y.com
issuer=/C=cn/OU=V\xFD[\xB6z\x0ER\xA1`;\@/CN=z\x0ER\xA1u5[P\x8B\xC1Nf{\xA1t\x06N-_\xC3/description=\x00c\x00a\x001\x000\x000\x000\x000\x002
---
No client certificate CA names sent
---
SSL handshake has read 1664 bytes and written 419 bytes
Verification error: unable to verify the first certificate
---
New, SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA
Session-ID: 9B731F3393...
Session-ID-ctx:
Master-Key: 670854BA6747BDF1...
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 1800 (seconds)
TLS session ticket:
0000 - 4b 08 17 c5 99 1f fb e3-08 9b 73 ba 5a 51 a7 de K.........s.ZQ..
0010 - cf d3 6c c5 ec 97 52 a0-30 82 f9 6a 85 94 47 2f ..l...R.0..j..G/
.....
Start Time: 1531963197
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
^C
p7b format: displays the certificate chain as a tree; it also supports a single certificate, and contains no private key.
# View the p7b certificate.
~ openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs
# Export the p7b certificate as a PEM bundle.
~ openssl pkcs7 -inform DER -outform PEM -in certificate.p7b -print_certs > certificate_bundle.cer
curl's -k/--insecure option:
# curl also verifies the server's certificate to prove the identity the server claims; if verification fails, curl refuses to connect to that server. The --insecure (-k) option can be used to ignore the fact that the server cannot be verified.
# For more on server certificate verification and CA cert bundles, see the SSLCERTS document (https://curl.haxx.se/docs/sslcerts.html).
curl.setopt(pycurl.SSL_VERIFYPEER, False) # equivalent to curl's --insecure
Drawback:
Once the server side requires certificate verification, every access will fail!
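As an added example (not part of the original note), the script below rebuilds the situation shown above offline: a throwaway root -> intermediate -> leaf chain for x.y.com is generated with openssl (the CA names and the chain_status helper are constructed for this example), and openssl verify reports "error 20 ... unable to get local issuer certificate" when only the leaf is presented, but passes once the intermediate is supplied, either as an untrusted file or concatenated into a bundle like the certificate_bundle.cer exported from the p7b.

```shell
#!/bin/sh
# Constructed example: reproduce verify error 20 with a local root -> intermediate -> leaf chain.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# CA extensions used for both the root and the intermediate; without CA:TRUE the
# verifier rejects them as issuers instead of reporting the missing-issuer error.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# 1. Self-signed root (constructed name).
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate CA signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 1 -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out inter.pem 2>/dev/null

# 3. Leaf for x.y.com signed by the intermediate: this is all the server in the note sends.
openssl req -newkey rsa:2048 -nodes -subj "/CN=x.y.com" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 1 -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem 2>/dev/null

# 4. The bundle you would build from the p7b export: root plus intermediate, no private keys.
cat root.pem inter.pem > certificate_bundle.pem

# chain_status <leaf.pem> <trusted CAfile> [untrusted intermediates file]
# Prints "OK", or the first "error N at D depth lookup: ..." line that openssl verify emits.
chain_status() {
  if [ -n "$3" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo OK ;;
    *) echo "$out" | grep '^error [0-9]* at' | head -n 1 ;;
  esac
}

echo "root only:           $(chain_status "$WORK/leaf.pem" "$WORK/root.pem")"
echo "root + intermediate: $(chain_status "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/inter.pem")"
echo "bundle file:         $(chain_status "$WORK/leaf.pem" "$WORK/certificate_bundle.pem")"
```

The bundle (root plus intermediate, no keys) is what `curl --cacert` and `pycurl.CAINFO` accept, so the verification fix is to point the client at that file and leave SSL_VERIFYPEER enabled rather than setting it to False.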