CA certificate problem with curl

834 views

xx

Nov 17, 2011, 3:25:56 AM
to sh...@googlegroups.com
As in the subject line.

root@Tek-life:/home/xx/bin# curl https://www.google.com
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

I poked at this for a whole day and still can't make sense of it.

Has anyone run into the same problem?

du yang

Nov 17, 2011, 3:45:33 AM
to sh...@googlegroups.com
Try installing this package:
ca-certificates

You can also run
openssl s_client -connect www.google.com:443
to look at the Server certificate, copy it into a file, and then set --cacert to that file when you run curl.


xx

Nov 17, 2011, 7:45:42 PM
to sh...@googlegroups.com
Thanks.

$ openssl s_client -connect www.google.com:443
connect: Connection timed out
connect:errno=110

xx

Nov 17, 2011, 7:55:22 PM
to sh...@googlegroups.com, duya...@gmail.com
After going through a VPN:
$ openssl s_client -connect www.google.com:443 -status
CONNECTED(00000003)
OCSP response: no response sent
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
No client certificate CA names sent
---
SSL handshake has read 1907 bytes and written 290 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: BD42BA375108081E114AD9A757E46AFAFB62E78426CD5415D4FEA3D192BBED23
Session-ID-ctx:
Master-Key:
1377093A273B7EC3CC71CEC78E7131E8E3D5C80B4D4AA797FAAD8BB2D55E312C8B4AD6D682C3204CCF82CF1F05DCDB88
Key-Arg : None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 3b 15 46 41 6f 7b ae d7-50 92 ae 41 47 a9 04 cf ;.FAo{..P..AG...
0010 - b3 6d 9f da f1 04 c4 44-4c 2b 0d 0b ff d2 3b 60 .m.....DL+....;`
0020 - f8 e1 93 4e 21 1b 48 4c-5c 54 58 0b 37 97 da e4 ...N!.HL\TX.7...
0030 - e4 28 2a 4e f3 e5 38 d3-f8 e9 c3 27 ad 25 6e bd .(*N..8....'.%n.
0040 - 82 2b 8c a5 6b 19 3d 2d-a3 bd 23 72 4c b9 43 da .+..k.=-..#rL.C.
0050 - dc 61 ba 6b 21 45 5c c0-29 88 c1 8d 44 1d 7c 39 .a.k!E\.)...D.|9
0060 - 6d 37 58 c2 a1 08 58 39-08 e3 ee ec a8 95 60 21 m7X...X9......`!
0070 - c7 fe ef be d6 12 25 81-b3 39 6e c0 ec f3 21 14 ......%..9n...!.
0080 - 42 c7 bd ee 81 cf d3 3a-16 97 ba 98 00 cd 8c e3 B......:........
0090 - a6 f4 fd 53 ...S

Start Time: 1321577321
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
I copied the Server certificate into ca.crt. Then:
$ curl https://www.google.com --cacert ca.crt


curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Same problem as before.

du yang

Nov 17, 2011, 9:41:46 PM
to sh...@googlegroups.com

On Friday 11/18/11 10:32:20 CST, xx wrote:
> On Nov 18, 2011 at 9:48 AM, du yang <duya...@gmail.com> wrote:
> > 1) Install ca-certificates first.
> >
> > 2) Copy -----BEGIN CERTIFICATE-----
> > through -----END CERTIFICATE-----,
> > *including* everything in between, into a file xx.pem, then put that file in a directory .certs.
> > Run c_rehash.
> > After that, curl --cacert xx.pem should no longer fail.
> >
> > Or: openssl s_client -connect www.google.com:443 -CApath ~/.certs/
> >
> > ~/.certs/ is the directory holding xx.pem
> >
>
> I did exactly what you described, but the problem is still there.
> If you're willing, you can ssh into my machine:
> 211.69.198.24
> id:guest
> pwd:guest
>
The connection does not respond.

> > Or see this document:
> > http://wiki.qnap.com/wiki/Setup_Fetchmail_For_GMail_To_XDove
> > under Install Certificates.

--
Linjiang Xian: The Rolling Yangtze Flows East -- Yang Shen
The mighty Yangtze rolls on eastward; its waves have washed the heroes away.
Right and wrong, success and failure, vanish in a turn of the head. The green hills still stand; how many sunsets have reddened them.
A white-haired fisherman and woodcutter on the river islet, long used to the autumn moon and the spring wind.
A jug of cloudy wine, glad to meet. How many affairs, ancient and modern, are all consigned to laughter and talk.
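An added example, not posted by anyone in this thread: a small POSIX shell script that takes saved output of `openssl s_client -showcerts` (the sample embedded below is constructed, with placeholder bodies instead of real certificate data, shaped like the chain shown earlier in the thread), splits it into one PEM file per certificate, and reports whether the server sent a self-signed root. It illustrates why copying the leaf "Server certificate" into --cacert does not help: the file given to --cacert must hold the CA certificate(s) that verification can chain up to, and openssl's default chain building needs that chain to end in a self-signed root from the trust store. In the thread's own output the top certificate sent is Thawte SGC CA, itself issued by a VeriSign root the server does not send, so that root has to come from a CA bundle, which is what installing ca-certificates provides. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from this thread). Split saved `openssl s_client -showcerts`
# output into one PEM file per certificate and check whether the chain the
# server sent ends in a self-signed root. Function names are this example's own.

# Constructed sample input: same chain shape as the s_client output posted
# earlier in the thread (leaf issued by Thawte SGC CA, which is issued by a
# VeriSign root the server does not send). Certificate bodies are placeholders.
write_sample() {
  cat > "$1" <<'EOF'
CONNECTED(00000003)
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERTIFICATE-BODY
-----END CERTIFICATE-----
 1 s:/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERTIFICATE-BODY
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
---
EOF
}

# split_chain INPUT OUTDIR: write chain position N to OUTDIR/certN.pem
# (cert0.pem is the server's own certificate, higher numbers are issuers).
# Prints the number of certificates found.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----$/ { out = sprintf("%s/cert%d.pem", dir, n); n++; inblock = 1 }
    inblock { print > out }
    /^-----END CERTIFICATE-----$/ { inblock = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# top_issuer INPUT: print the issuer of the last certificate the server sent.
# If that issuer is not in the chain, it must be in the local trust store.
top_issuer() {
  awk '/^ *i:/ { iss = substr($0, index($0, "i:") + 2) } END { print iss }' "$1"
}

# chain_status INPUT: "complete" when the last certificate is self-signed
# (subject equals issuer), otherwise "root-missing": the trust anchor has to
# come from a CA bundle such as the ca-certificates package, not from the leaf.
chain_status() {
  awk '
    /^ *[0-9]+ s:/ { subj = substr($0, index($0, "s:") + 2) }
    /^ *i:/        { iss  = substr($0, index($0, "i:") + 2) }
    END { status = (subj == iss) ? "complete" : "root-missing"; print status }
  ' "$1"
}

# Stand-alone run against the constructed sample.
work=$(mktemp -d)
write_sample "$work/chain.txt"
echo "certificates sent: $(split_chain "$work/chain.txt" "$work/certs")"
echo "top issuer: $(top_issuer "$work/chain.txt")"
echo "chain status: $(chain_status "$work/chain.txt")"
```

Against real output saved with `openssl s_client -connect HOST:443 -showcerts < /dev/null > chain.txt`, the files from cert1.pem upward are the issuer certificates, and those (after c_rehash, or concatenated into one file) are what belongs in --cacert or a -CApath directory; cert0.pem alone will not make verification pass. When the status is root-missing, as with the chain posted in this thread, no certificate copied from the server can serve as the anchor, and the missing root has to come from the system CA bundle. Using -k instead turns verification off entirely, which removes the protection the check exists to give.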

Li Haifeng

Nov 17, 2011, 9:48:24 PM
to sh...@googlegroups.com
Yes. I'm on the university education network here.

--
Li Haifeng
Laboratory of Service Computing Technology and System
Home page: http://tek-life.org

du yang

Nov 17, 2011, 10:05:18 PM
to sh...@googlegroups.com
It looks like www.google.com's https is not on 443.
So the certificate obtained the way we did just now is probably not the right one for https.

Open Firefox, enter https://www.google.com in the address bar, then open the dialog from the button at the far left of the address bar, export the certificate from there, and use that certificate with curl.

du yang

Nov 17, 2011, 10:42:25 PM
to sh...@googlegroups.com
I tried it this way and it works.
Google's https should be on 443.
But whether it's because of the circumvention proxy or something else, I don't know; the certificate I get is different.

xx

Nov 17, 2011, 11:30:43 PM
to sh...@googlegroups.com
Could you send me the google.com certificate you obtained? When I open it, it automatically switches to http://.

du yang

Nov 18, 2011, 12:35:38 AM
to sh...@googlegroups.com
The certificate is the same one as before.

The earlier certificate was different because I was using Wallproxy.

I'll paste one here.
curl also gets redirected to http://...hk.

If you can't connect directly, you can map www.google.com to
74.125.235.17 in the hosts file.

Here is my result:
# curl --cacert ./www.google.com.pem https://www.google.com
<HTML><HEAD><meta http-equiv="content-type"
content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A
HREF="http://www.google.com.hk/url?sa=p&amp;hl=zh-CN&amp;pref=hkredirect&amp;pval=yes&amp;q=http://www.google.com.hk/&amp;ust=1321593933060945&amp;usg=AFQjCNF2ngM8pbxQdhBMubosFBFSeVfNPw">here</A>.
</BODY></HTML>

Since it doesn't work on your machine, there are two things I suspect now: your VPN, and your curl version.
Try turning the VPN off first and adding the IP above to hosts.

Also, my curl version is as follows (yours has no TLS; I don't know whether that matters):
# curl --version
curl 7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 GnuTLS/2.10.5
zlib/1.2.5.1 libidn/1.22 libssh2/1.3.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL
libz TLS-SRP


Finally, if all you want is to reach Google, why not use the -k option to skip the certificate check?

--
Best Regards,
du yang

www.google.com.pem

xx

Nov 18, 2011, 5:39:24 AM
to sh...@googlegroups.com
Heh, I was using -k originally.

I'm using curl to download repo, and repo to clone android_platform,
but it keeps failing. I don't know the cause, so I've just been poking around.
