[Ubuntu] 新增 Root CA,解決 curl 出現 unable to get local issuer certificate 的問題

[Ubuntu] 新增 Root CA,解決 curl 出現 unable to get local issuer certificate 的問題

今天在公司的 Ubuntu 機器上,跑 curl 去連自己的網站時,

出現了 unable to get local issuer certificate 這個錯誤訊息:

$ curl -L -v https://ephrain.net

......
<
* Connection #0 to host ephrain.net left intact
* Issue another request to this URL: 'https://ephrain.net/'
*   Trying 34.83.58.244:443...
* TCP_NODELAY set
* Connected to ephrain.net (34.83.58.244) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

 

這個訊息,其實和這篇裡遇到的 certificate signed by unknown authority,

感覺是同一件事情,同樣是 Linux 認不得 CA,

只是上次是 CentOS,這次是 Ubuntu…

來看一下在 Ubuntu 上要怎麼做吧~

 

1. 下載網站的 Root CA

參考這篇裡的方法,把 Root CA 憑證抓下來。

不過這次不同的地方是,公司最近打開了 SSL Inspection 的功能,

因此所有的 HTTPS 連線,都會被中間攔截並換成另一張憑證。

而因為那張新發憑證的 CA (本例中的 TWCA01) 並不被系統信任,

導致 curl 無法成功驗證憑證:

$ openssl s_client -connect ephrain.net:443 -showcerts

......
Certificate chain

 0 s:CN = ephrain.net
   i:C = TW, ST = Taiwan, L = Taipei, CN = IWSVASUBCA
-----BEGIN CERTIFICATE-----
MIIDyjCCArKgAwIBAgIQWlv8covk785Emhwmcby+RzANBgkqhkiG9w0BAQsFADCB
......
esCDm4iPay5MDen1j0c=
-----END CERTIFICATE-----

 1 s:C = TW, ST = Taiwan, L = Taipei, CN = IWSVASUBCA
   i:DC = org, DC = testnet, DC = us, CN = TWCA01
-----BEGIN CERTIFICATE-----
MIIFszCCBJugAwIBAgITdwAABb6+gFgtg/DITAAAAAAFvjANBgkqhkiG9w0BAQsF
......
-----END CERTIFICATE-----

 

因此要做的事,就是將 TWCA01 的憑證抓下來,

並儲存成 /usr/local/share/ca-certificates/TWCA01.crt

 

2. 更新系統的憑證信任庫

執行  sudo update-ca-certificates 來更新系統的憑證信任庫:

$ sudo update-ca-certificates

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

 

如果去看 /etc/ssl/certs 這個目錄的話,

會發現新建了一個叫 TWCA01.pem 的符號連結 (symbolic link),

指向我們剛剛放 TWCA01 憑證的地方:

$ ll /etc/ssl/certs/

......
lrwxrwxrwx 1 root root     46 Nov 28 00:23  TWCA01.pem -> /usr/local/share/ca-certificates/TWCA01.crt
......

 

3. 重新執行 curl

這時再次執行 curl 指令,網站已經可以連上,

憑證也驗證通過了:

$ curl -L -v ephrain.net

......
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
......
* Server certificate:
*  subject: CN=ephrain.net
*  start date: Nov 17 23:00:56 2021 GMT
*  expire date: Feb 15 23:00:55 2022 GMT
*  subjectAltName: host "ephrain.net" matched cert's "ephrain.net"
*  issuer: C=TW; ST=Taiwan; L=Taipei; CN=IWSVASUBCA
*  SSL certificate verify ok.
......

 

參考資料:How do I install a root certificate?

(本頁面已被瀏覽過 6,334 次)

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料