我有一堆使用curl与各种服务进行通信的PHP脚本。目前,这些服务的SSL证书之一已更新,当我尝试从服务器的CLI获取该证书时,我的弯腰就开始哭了:
~$ curl https://example.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
目前,我verify => false对所有请求进行了硬编码,以保持脚本运行,但这不是我想要的。
我从mozilla获得了最新的cacert文件,将其放进去/etc/ssl/certs/ca-certificates.crt,然后sudo update-ca-certificates运行成功运行的文件(我想..)
~$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
但是话又说回来,curl对此不太满意,如果不通过该-k标志,仍然无法获取我的资源。