我们经常会用配置网站可以用https访问,但是购买证书不现实,所以我们会选择自建CA证书,但是自建的CA证书,在linux中用curl访问时总会报错,报错信息如下:
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
让centos系统信任自建CA证书的方式如下:
将自建的CA证书追加到文件/etc/pki/tls/certs/ca-bundle.crt中:
我先将自建的CA证书上传到服务器中,名称为a.crt,然后执行命令:
# cat a.crt >>/etc/pki/tls/certs/ca-bundle.crt
证书已经添加信任成功
还有一种方式是用工具去添加,命令是 update-ca-trust,感兴趣的可以自行百度一下