Linux HTTPS certificate problems

I. Error messages

Accessing the site with curl fails as follows:

[root@localhost ~]# curl  -v "https://**.**.cn"
* About to connect() to **.**.cn.cn port 443 (#0)
* Trying 172.23.5.176...
* Connected to **.**.cn (172.23.5.176) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=**.**.cn
* start date: 9月 04 00:00:00 2020 GMT
* expire date: 9月 04 23:59:59 2021 GMT
* common name: **.**.cn
* issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Accessing the site with openssl s_client also fails:

[root@localhost ~]# openssl s_client -connect *.*.cn:443
CONNECTED(00000003)
depth=0 CN = *.*.cn
verify error:num=20:unable to get local issuer certificate # error
verify return:1
depth=0 CN = *.*.cn
verify error:num=21:unable to verify the first certificate # error

Accessing the site from a browser on Windows works fine.

The cause: when curl on Linux accesses an HTTPS site, it verifies the server against curl's default CA root certificate bundle. The CA root certificate for my domain's certificate is not in that trust list, so curl reports an error.

Solution: since the browser on Windows can access the site, open the site in the Windows browser, export the CA root certificate that the site's certificate chains to, and add it to curl's certificate trust list.

II. Fixing curl access

2. Obtain the CA root certificate and add it to the Linux certificate trust list

Find the path of the certificate bundle curl uses when accessing the site:

[root@localhost ~]# curl -v "https://*.*.cn"
* About to connect() to *.*.cn port 443 (#0)
* Trying 172.23.5.176...
* Connected to *.*.cn (172.23.5.176) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt # the CA root certificate bundle in use

Export the target site's CA root certificate from a Windows host:

Open the site in Chrome -> click the padlock -> Certificate -> Certification Path -> select the CA root certificate -> View Certificate -> Details -> Copy to File -> choose the DER encoding format -> enter the export file name -> export to a local directory

Upload the CA root certificate to the server and append it to the certificate bundle file that curl uses:

[root@localhost ~]# cat ca.cer >> /etc/pki/tls/certs/ca-bundle.crt

3. Access succeeds after the CA root certificate is trusted

Verify with curl:

[root@localhost ~]# curl -v "https://*.*.cn"
* About to connect() to *.*.cn port 443 (#0)
* Trying 172.23.5.176...
* Connected to *.*.cn (172.23.5.176) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=*.*.cn
* start date: 9月 04 00:00:00 2020 GMT
* expire date: 9月 04 23:59:59 2021 GMT
* common name: *.*.cn
* issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: *.*.cn
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Thu, 04 Feb 2021 03:40:41 GMT
< Content-Type: text/html
< Content-Length: 4568
< Last-Modified: Tue, 26 Jan 2021 02:17:28 GMT
< Connection: keep-alive
< ETag: "600f7bb8-11d8"
< Content-Security-Policy: upgrade-insecure-requests
< Accept-Ranges: bytes

Verify with openssl s_client:

[root@localhost ~]# openssl s_client -connect *.*.cn:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.*.cn
verify return:1
---
Certificate chain
0 s:/CN=*.*.cn
i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
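
The following shell script is an added example and is not part of the original post. It reproduces the failure from section I offline: a throw-away root -> intermediate -> leaf chain is generated with openssl, the leaf is checked against a bundle that lacks its issuer (the error 20 shown above), then against a bundle that holds the issuer (what the `cat >>` step achieves) and against a server-style chain that sends the intermediate. It also shows the inspection an operator should do on an exported certificate before appending it to the system bundle. Two caveats are built in. First, the openssl output in section I (error 21 at depth 0, and only certificate 0 in the chain listing) means the server sent its leaf without the Sectigo intermediate; the Windows certificate verifier fetches missing intermediates on its own, which is why the browser succeeds while curl and openssl fail, and supplying the intermediate (on the server, or locally as done in this post) is what makes the chain verify. Second, ca-bundle.crt is a PEM file, so a DER export from Windows must be converted to PEM before it is appended. All CN names, paths and keys in the script are constructed for the demo; it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the missing-issuer
# failure offline with a throw-away CA hierarchy and shows the checks to run on
# a certificate file before trusting it. All names, paths and keys are
# constructed for this demo; only the openssl CLI is required.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue one certificate: $1 = CN, $2 = output basename, $3 = extension file,
# $4/$5 = issuer cert/key (omitted = self-signed root).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  if [ -z "$4" ]; then
    openssl x509 -req -in "$WORK/$2.csr" -signkey "$WORK/$2.key" \
      -days 30 -sha256 -extfile "$3" -out "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$2.csr" -CA "$4" -CAkey "$5" -CAcreateserial \
      -days 30 -sha256 -extfile "$3" -out "$WORK/$2.pem" >/dev/null 2>&1
  fi
}

# Build the demo hierarchy (demo-only names) and two candidate trust bundles.
make_demo_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"
  issue_cert "Demo Root CA"         root  "$WORK/ca.ext"
  issue_cert "Demo Intermediate CA" inter "$WORK/ca.ext"   "$WORK/root.pem"  "$WORK/root.key"
  issue_cert "www.example.test"     leaf  "$WORK/leaf.ext" "$WORK/inter.pem" "$WORK/inter.key"
  # Root only: a stock bundle when the server omits its intermediate.
  cp "$WORK/root.pem" "$WORK/bundle_root_only.pem"
  # Root plus intermediate: the bundle after the post's "cat ca.cer >> ..." step.
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle_with_inter.pem"
  # DER copy of the intermediate, as a Windows "DER encoded binary" export would be.
  openssl x509 -in "$WORK/inter.pem" -outform DER -out "$WORK/inter.der"
}

# Verify leaf $2 against bundle $1 the way curl/openssl do: every issuer must be
# found, in the bundle or among the certificates the server sent. Succeeds only
# when openssl prints "<file>: OK" (robust across openssl versions' exit codes).
verify_against() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Same check, but the intermediate ($2) is supplied as an *untrusted* chain
# certificate, which models a correctly configured server that sends it.
verify_with_untrusted() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# What an operator should read before trusting a file (PEM or DER): who it is,
# who signed it, and a SHA-256 fingerprint to compare with the browser's view.
inspect_cert() {
  fmt=PEM
  grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null || fmt=DER
  openssl x509 -inform "$fmt" -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# ca-bundle.crt is PEM, so a DER export must be converted before it is appended.
der_to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

make_demo_chain
echo "== leaf against root-only bundle (issuer missing, like section I) =="
openssl verify -CAfile "$WORK/bundle_root_only.pem" "$WORK/leaf.pem" 2>&1 || true
echo "== leaf against bundle that also holds the intermediate =="
openssl verify -CAfile "$WORK/bundle_with_inter.pem" "$WORK/leaf.pem"
echo "== leaf with the intermediate sent by the server (-untrusted) =="
openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"
echo "== inspect the DER export before trusting it =="
inspect_cert "$WORK/inter.der"
```

Run it with `sh`. Before appending a real export, compare the SHA-256 fingerprint printed by `inspect_cert` with the fingerprint shown in the browser's certificate details. On RHEL/CentOS the durable equivalent of the `cat >>` step is to copy the PEM file into /etc/pki/ca-trust/source/anchors/ and run `update-ca-trust extract`, because ca-bundle.crt is regenerated by ca-certificates package updates and a manually appended entry is lost then.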

III. Fix for HttpClient in Java

If HttpClient in Java is used to access HTTPS, the following command imports the certificate into the JRE's cacerts keystore as a trusted certificate:

keytool -import -keystore "/usr/local/jdk/jre/lib/security/cacerts" -storepass changeit -keypass changeit -alias twca -file twca.cer

When prompted whether to trust the certificate, enter yes:

Trust this certificate? [no]: 

The full configuration process:

[root@boss-test-dev01 ~]# keytool -import -keystore "/usr/local/jdk/jre/lib/security/cacerts"  -storepass changeit -keypass changeit -alias twca -file /root/twca.cer
Owner: CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW
Issuer: CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW
Serial number: 1
Valid from: Thu Aug 28 15:24:33 CST 2008 until: Tue Dec 31 23:59:59 CST 2030
Certificate fingerprints:
MD5: AA:08:8F:F6:F9:7B:B7:F2:B1:A7:1E:9B:EA:EA:BD:79
SHA1: CF:9E:87:6D:D3:EB:FC:42:26:97:A3:B5:A3:7A:A0:76:A9:06:23:48
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
Key_CertSign
Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 6A 38 5B 26 8D DE 8B 5A F2 4F 7A 54 83 19 18 E3 j8[&...Z.OzT....
0010: 08 35 A6 BA .5..
]
]

Trust this certificate? [no]: yes
Certificate was added to keystore