Shulou (Shulou.com) 06/01 Report. Updated: 2025-02-25. From: SLTechnology News&Howtos
This article explains four common errors that curl reports on Linux when visiting https sites, and how to resolve each of them.
Each client uses its own certificate store when handling https connections. In both IE and Firefox, the Certificate Manager can be found in the browser's control panel, and root certificates can be added and deleted freely there.
The certificate store used by curl on Linux is the file /etc/pki/tls/certs/ca-bundle.crt (CentOS).
The following are common error messages from curl when visiting https sites.
1. Peer's Certificate issuer is not recognized
The code is as follows:
[root@ip-172-31-32-208 Nginx]# curl https://m.ipcpu.com
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
This usually happens with self-signed certificates. The error means that the authority that issued the certificate is not known to the local certificate store, so the certificate cannot be verified.
The solution is to append the contents of cacert.pem, the certificate (public key) file of the private CA that issued the certificate, to /etc/pki/tls/certs/ca-bundle.crt.
We got a similar error when we visited the 12306.cn booking website.
The code is as follows:
[root@ip-172-31-32-208]# curl https://kyfw.12306.cn/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
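One way to carry out the append described above without adding the same CA twice or losing the previous bundle. This is an added example, not part of the original article; add_private_ca and its helper functions are hypothetical names, and the script only checks PEM structure, not the certificate's contents.

```shell
#!/bin/sh
# Added example: append a private CA certificate to a CA bundle once,
# keeping a backup. Function names are hypothetical, not from the article.

# pem_body FILE: print the base64 body of the first certificate in FILE
# as a single line (empty output if FILE holds no PEM certificate).
pem_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on=1; next}
         /-----END CERTIFICATE-----/   {exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# bundle_has BUNDLE BODY: succeed if a certificate in BUNDLE has body BODY.
bundle_has() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ {on=1; body=""; next}
        /-----END CERTIFICATE-----/   {if (body == want) found=1; on=0; next}
        on {gsub(/[ \t\r]/, ""); body = body $0}
        END {exit (found ? 0 : 1)}' "$1"
}

# add_private_ca CA_PEM BUNDLE
# Returns 0 = appended, 3 = already present (bundle untouched), 1 = bad input.
add_private_ca() {
    ca=$1; bundle=$2
    [ -r "$ca" ] && [ -w "$bundle" ] || return 1
    body=$(pem_body "$ca")
    [ -n "$body" ] || return 1
    grep -q -- '-----END CERTIFICATE-----' "$ca" || return 1
    if bundle_has "$bundle" "$body"; then return 3; fi
    # Keep the previous store so the change can be rolled back.
    cp -p "$bundle" "$bundle.bak" || return 1
    # Leading newline guards against a bundle that lacks a final newline.
    { printf '\n'; cat "$ca"; } >> "$bundle"
}

# Usage (as root):
#   add_private_ca cacert.pem /etc/pki/tls/certs/ca-bundle.crt
```

On systems where update-ca-trust manages the bundle, the file is regenerated and a manual append is lost; there the CA file belongs in /etc/pki/ca-trust/source/anchors/ followed by running update-ca-trust.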
2. SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
The code is as follows:
[root@GO-EMAIL-1 aa]# curl https://github.com/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
In most cases the cause is that the local CA certificate store is too old to recognize newly issued certificates.
On investigation, the github.com certificate is issued by GTE CyberTrust Root. The certificate's current validity period is:
1. Not before: 0:29:00 GMT on 1998-8-13
2. Not after: 23:59:00 GMT on 2018-8-13
On our Redhat5.3 system, the GTE CyberTrust Root entry in the ca-bundle.crt file turned out to have expired.
The code is as follows:
Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
Validity
Not Before: Feb 23 23:01:00 1996 GMT
Not After: Feb 23 23:59:00 2006 GMT
The solution is to update the local CA certificate store.
Method 1:
Download http://curl.haxx.se/ca/cacert.pem and use it to replace /etc/pki/tls/certs/ca-bundle.crt.
Method 2:
Use update-ca-trust to update the CA certificate store. (On CentOS6 it is part of the ca-certificates package.)
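Method 1 overwrites the system trust store with a downloaded file, so the file is worth checking before it goes live. The function below is an added example, not part of the original article: replace_ca_bundle is a hypothetical name, and the expected SHA-256 digest is assumed to have been obtained over a channel you already trust.

```shell
#!/bin/sh
# Added example: replace a CA bundle only after the downloaded file passes
# an integrity and sanity check. replace_ca_bundle is a hypothetical name.

# replace_ca_bundle NEW TARGET EXPECTED_SHA256
# Returns 0 = replaced, 1 = bad input or I/O error,
#         2 = digest mismatch, 4 = NEW is not a well-formed PEM bundle.
replace_ca_bundle() {
    new=$1; target=$2
    want=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -r "$new" ] && [ -f "$target" ] && [ -n "$want" ] || return 1

    # Integrity: the file must match the digest obtained out of band.
    got=$(sha256sum "$new" | awk '{print $1}')
    [ "$got" = "$want" ] || return 2

    # Sanity: at least one certificate, and no truncated block.
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$new" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$new" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 4

    # Keep the old store, then swap the new one in with a rename so that
    # no process ever reads a half-written bundle.
    cp -p "$target" "$target.bak" || return 1
    tmp=$(mktemp "$target.XXXXXX") || return 1
    cat "$new" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$target"
}

# Usage (as root), with the digest placeholder filled in by the operator:
#   replace_ca_bundle cacert.pem /etc/pki/tls/certs/ca-bundle.crt <expected-sha256>
```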
3. unknown message digest algorithm
The code is as follows:
[root@WEB_YF_2.7 ~]# curl https://www.alipay.com
curl: (35) error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
This problem is mostly caused by the local openssl not recognizing the signature algorithm of the SSL certificate. www.alipay.com uses the SHA-256 with RSA signature algorithm. OpenSSL did not add this algorithm until OpenSSL 0.9.8o.
The fix is to upgrade the local openssl.
On my operating system, RedHat5.3, upgrading openssl with yum to openssl-0.9.8e-22.el5 is enough to recognize the SHA-256 algorithm. The reason is that Redhat patches 0.9.8e each time rather than changing the version directly. I found this patch in the srpm package.
The code is as follows:
Summary: The OpenSSL toolkit
Name: openssl
Version: 0.9.8e
...
Patch89: openssl-fips-0.9.8e-ssl-sha256.patch
4. The problem with Java and PHP
Both Java and PHP programs can access https websites, for example through httpclient.
The CA root certificate store they use is not the same as the operating system's.
Java's CA root certificate store is in the JRE, at $JAVA_HOME/jre/lib/security/cacerts, and is upgraded as the JRE version is upgraded. It can be managed with the keytool tool.
I have not tested the PHP side. Judging from the process of installing the curl component in PHP, it is very likely that it directly uses the same data as the operating system's curl.
PHP also provides the curl.cainfo parameter (php.ini) to specify the location of the CA root certificate store.