我注意到我们使用cURL的链接检查程序越来越频繁地验证SSL证书.我试图深究这一点.
例如,https://www.bgetem.de/在我的Windows 7机器上的每个浏览器(IE 11,Firefox,Opera,Chrome)上打开都很好,但是我的CentOS 6和Ubuntu 16.04上的cURL(和wget)无法验证证书.
这是cURL来自CentOS的详细输出(版本卷号7.19.7(x86_64-redhat-linux-gnu)libcurl / 7.19.7 NSS / 3.27.1 zlib / 1.2.3 libidn / 1.18 libssh2 / 1.4.2)
* About to connect() to www.bgetem.de port 443 (#0)
* Trying 193.104.3.166... connected
* Connected to www.bgetem.de (193.104.3.166) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Peer's certificate issuer is not recognized: 'CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
和Ubuntu(版本卷7.47.0(x86_64-pc-linux-gnu)libcurl / 7.47.0 GnuTLS / 3.4.10 zlib / 1.2.8 libidn / 1.32 librtmp / 2.3):
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 695 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
知道问题是什么以及如何解决它?