[Ubuntu] 新增 Root CA,解決 curl 出現 unable to get local issuer certificate 的問題
今天在公司的 Ubuntu 機器上,跑 curl 去連自己的網站時,
出現了 unable to get local issuer certificate 這個錯誤訊息:
$ curl -L -v https://ephrain.net ...... < * Connection #0 to host ephrain.net left intact * Issue another request to this URL: 'https://ephrain.net/' * Trying 34.83.58.244:443... * TCP_NODELAY set * Connected to ephrain.net (34.83.58.244) port 443 (#1) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8): * TLSv1.3 (IN), TLS handshake, Certificate (11): * TLSv1.3 (OUT), TLS alert, unknown CA (560): * SSL certificate problem: unable to get local issuer certificate * Closing connection 1 curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html
這個訊息,其實和這篇裡遇到的 certificate signed by unknown authority,
感覺是同一件事情,同樣是 Linux 認不得 CA,
只是上次是 CentOS,這次是 Ubuntu…
來看一下在 Ubuntu 上要怎麼做吧~
1. 下載網站的 Root CA
參考這篇裡的方法,把 Root CA 憑證抓下來。
不過這次不同的地方是,公司最近打開了 SSL Inspection 的功能,
因此所有的 HTTPS 連線,都會被中間攔截並換成另一張憑證。
而因為那張新發憑證的 CA (本例中的 TWCA01) 並不被系統信任,
導致 curl 無法成功驗證憑證:
$ openssl s_client -connect ephrain.net:443 -showcerts ...... Certificate chain 0 s:CN = ephrain.net i:C = TW, ST = Taiwan, L = Taipei, CN = IWSVASUBCA -----BEGIN CERTIFICATE----- MIIDyjCCArKgAwIBAgIQWlv8covk785Emhwmcby+RzANBgkqhkiG9w0BAQsFADCB ...... esCDm4iPay5MDen1j0c= -----END CERTIFICATE----- 1 s:C = TW, ST = Taiwan, L = Taipei, CN = IWSVASUBCA i:DC = org, DC = testnet, DC = us, CN = TWCA01 -----BEGIN CERTIFICATE----- MIIFszCCBJugAwIBAgITdwAABb6+gFgtg/DITAAAAAAFvjANBgkqhkiG9w0BAQsF ...... -----END CERTIFICATE-----
因此要做的事,就是將 TWCA01 的憑證抓下來,
並儲存成 /usr/local/share/ca-certificates/TWCA01.crt
2. 更新系統的憑證信任庫
執行 sudo update-ca-certificates 來更新系統的憑證信任庫:
$ sudo update-ca-certificates Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done. Running hooks in /etc/ca-certificates/update.d... done.
如果去看 /etc/ssl/certs 這個目錄的話,
會發現新建了一個叫 TWCA01.pem 的符號連結 (symbolic link),
指向我們剛剛放 TWCA01 憑證的地方:
$ ll /etc/ssl/certs/ ...... lrwxrwxrwx 1 root root 46 Nov 28 00:23 TWCA01.pem -> /usr/local/share/ca-certificates/TWCA01.crt ......
3. 重新執行 curl
這時再次執行 curl 指令,網站已經可以連上,
憑證也驗證通過了:
$ curl -L -v ephrain.net ...... * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs ...... * Server certificate: * subject: CN=ephrain.net * start date: Nov 17 23:00:56 2021 GMT * expire date: Feb 15 23:00:55 2022 GMT * subjectAltName: host "ephrain.net" matched cert's "ephrain.net" * issuer: C=TW; ST=Taiwan; L=Taipei; CN=IWSVASUBCA * SSL certificate verify ok. ......
參考資料:How do I install a root certificate?
(本頁面已被瀏覽過 6,363 次)