```
[root@localhost ~]# curl -v "https://**.**.cn"
* About to connect() to **.**.cn.cn port 443 (#0)
*   Trying 172.23.5.176...
* Connected to **.**.cn (172.23.5.176) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=**.**.cn
* 	start date: 9月 04 00:00:00 2020 GMT
* 	expire date: 9月 04 23:59:59 2021 GMT
* 	common name: **.**.cn
* 	issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```
Checking with openssl s_client: verification error
```
[root@localhost ~]# openssl s_client -connect *.*.cn:443
CONNECTED(00000003)
depth=0 CN = *.*.cn
verify error:num=20:unable to get local issuer certificate   # error
verify return:1
depth=0 CN = *.*.cn
verify error:num=21:unable to verify the first certificate    # error
```
```
[root@localhost ~]# curl -v "https://*.*.cn"
* About to connect() to *.*.cn port 443 (#0)
*   Trying 172.23.5.176...
* Connected to *.*.cn (172.23.5.176) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=*.*.cn
* 	start date: 9月 04 00:00:00 2020 GMT
* 	expire date: 9月 04 23:59:59 2021 GMT
* 	common name: *.*.cn
* 	issuer: CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: *.*.cn
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Thu, 04 Feb 2021 03:40:41 GMT
< Content-Type: text/html
< Content-Length: 4568
< Last-Modified: Tue, 26 Jan 2021 02:17:28 GMT
< Connection: keep-alive
< ETag: "600f7bb8-11d8"
< Content-Security-Policy: upgrade-insecure-requests
< Accept-Ranges: bytes
```
Checking with openssl s_client: verification succeeds
```
[root@localhost ~]# openssl s_client -connect *.*.cn:443
CONNECTED(00000003)
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.*.cn
verify return:1
---
Certificate chain
 0 s:/CN=*.*.cn
   i:/C=GB/ST=Greater Manchester/L=Salford/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
```
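The difference between the two s_client transcripts (a one-certificate chain with verify errors 20/21, versus a chain that includes the Sectigo intermediate and verifies cleanly) can be checked mechanically. The following is an added Python example, not code from the original post; the hostnames and DNs in the embedded sample transcripts are constructed placeholders modelled on the output above.

```python
import re

# Constructed sample transcripts (placeholder hostnames and shortened DNs),
# modelled on the two openssl s_client runs: leaf only, then leaf plus intermediate.
LEAF_ONLY = """CONNECTED(00000003)
depth=0 CN = www.example.cn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.cn
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=www.example.cn
   i:/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA"""
WITH_INTERMEDIATE = """CONNECTED(00000003)
depth=2 O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = www.example.cn
verify return:1
---
Certificate chain
 0 s:/CN=www.example.cn
   i:/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
 1 s:/O=Sectigo Limited/CN=Sectigo RSA Domain Validation Secure Server CA
   i:/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority"""

# "depth=N ..." line followed by "verify error:num=CODE:text"
ERROR_RE = re.compile(r"^depth=(\d+) .*\nverify error:num=(\d+):(.*)$", re.M)
# One "Certificate chain" entry: " N s:SUBJECT" then "   i:ISSUER"
CHAIN_RE = re.compile(r"^ *\d+ s:(.*)\n *i:(.*)$", re.M)

def parse(output):
    """Return ([(depth, errno), ...], [(subject, issuer), ...]) from s_client output."""
    errors = [(int(d), int(n)) for d, n, _ in ERROR_RE.findall(output)]
    chain = CHAIN_RE.findall(output)
    return errors, chain

def diagnose(output):
    """Classify a transcript as 'ok', 'missing-intermediate' or 'untrusted-issuer'."""
    errors, chain = parse(output)
    if not errors:
        return "ok"
    # Error 21 (or 20 at depth 0) with a single, non-self-signed certificate in the
    # chain means the server never sent its intermediate: the case on this page.
    if len(chain) == 1 and chain[0][0] != chain[0][1] and any(n in (20, 21) for _, n in errors):
        return "missing-intermediate"
    # The chain was sent but its top is not anchored in the local CA bundle.
    return "untrusted-issuer"
```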