使用wgetcurl的Ubuntu 11.10与ssl失败

概述在一个全新的Ubuntu安装中,我在使用wget时遇到以下错误： wget https://test.sagepay.com--2012-03-27 12:55:12-- https://test.sagepay.com/Resolving test.sagepay.com... 195.170.169.8Connecting to test.sagepay.com|195.170.16 在一个全新的Ubuntu安装中,我在使用wget时遇到以下错误：

wget https://test.sagepay.com--2012-03-27 12:55:12--  https://test.sagepay.com/Resolving test.sagepay.com... 195.170.169.8Connecting to test.sagepay.com|195.170.169.8|:443... connected.ERROR: cannot verify test.sagepay.com's certificate,issued by `/C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended ValIDation SSL SGC CA':Unable to locally verify the issuer's authority.To connect to test.sagepay.com insecurely,use `--no-check-certificate'.

我已经尝试安装ca证书并配置ca-certs,它们似乎都在/ etc / ssl / certs中设置.

cURL存在同样的问题：

curl https://test.sagepay.comcurl: (60) SSL certificate problem,verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify Failed

这让我相信openssl服务器范围有问题.

wget和curl都在OSX上本地正常工作,我已经与少数人确认它正在他们的服务器上工作,所以我怀疑它与我试图连接的服务器无关.

有什么想法或建议可以尝试缩小范围吗？

谢谢

编辑来自curl的请求详细输出

curl -Iv https://test.sagepay.com* About to connect() to test.sagepay.com port 443 (#0)*   Trying 195.170.169.8... connected* Connected to test.sagepay.com (195.170.169.8) port 443 (#0)* successfully set certificate verify locations:*   CAfile: none  CApath: /etc/ssl/certs* SSLv3,TLS handshake,ClIEnt hello (1):* SSLv3,Server hello (2):* SSLv3,CERT (11):* SSLv3,TLS alert,Server hello (2):* SSL certificate problem,verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify Failed* Closing connection #0curl: (60) SSL certificate problem,verify that the CA cert is OK. Details:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify FailedMore details here: http://curl.haxx.se/docs/sslcerts.HTML

编辑2
使用评论中的哈希我看到：

ubuntu@srv-tf6sq:/etc/ssl/certs$ls -al 7651b327.0lrwxrwxrwx 1 root root 59 2012-03-27 12:48 7651b327.0 -> Verisign_Class_3_Public_Primary_Certification_Authority.pemubuntu@srv-tf6sq:/etc/ssl/certs$ls -al Verisign_Class_3_Public_Primary_Certification_Authority.pemlrwxrwxrwx 1 root root 94 2012-01-18 07:21 Verisign_Class_3_Public_Primary_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crtubuntu@srv-tf6sq:/etc/ssl/certs$ls -al /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt-rw-r--r-- 1 root root 834 2011-09-28 14:53 /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crtubuntu@srv-tf6sq:/etc/ssl/certs$more /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt-----BEGIN CERTIFICATE-----MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdulCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdulCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhEbarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/isI19wKTakyYbnsZogy1olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ2HUw19JlYD1n1khVDWk/kfVIC0dpImmClr7JyDiGSnoscxliaU5rfGW/D/xwzoiQ-----END CERTIFICATE-----

但是我自己做了一些步骤,最后得到了一个不同的哈希：

strace -o /tmp/foo.out curl -Iv https://test.sagepay.com

和

grep ssl /tmp/foo.outopen("/lib/x86_64-linux-gnu/libssl.so.1.0.0",O_RDONLY) = 3stat("/etc/ssl/certs/415660c1.0",{st_mode=S_IFREG|0644,st_size=834,...}) = 0open("/etc/ssl/certs/415660c1.0",O_RDONLY) = 4stat("/etc/ssl/certs/415660c1.1",0x7fff7dab07b0) = -1 ENOENT (No such file or directory)readlink -f /etc/ssl/certs/415660c1.0/usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crtmore /usr/share/ca-certificates/mozilla/Verisign_Class_3_Public_Primary_Certification_Authority.crt-----BEGIN CERTIFICATE-----MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdulCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdulCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhEbarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/isI19wKTakyYbnsZogy1olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ2HUw19JlYD1n1khVDWk/kfVIC0dpImmClr7JyDiGSnoscxliaU5rfGW/D/xwzoiQ-----END CERTIFICATE-----

还有其他想法吗？谢谢你的帮助到目前为止:)

编辑：回答如下

解决方法 事实证明,安装ca-certificates软件包并没有安装我需要的软件包.我发现 this post关于无序出现的证书.我对sagepay的要求似乎就是这种情况.

解决方案最终是从Verisign安装另一个CA证书.我不确定为什么这会解决它出现故障的问题,但确实如此,但我怀疑乱序问题确实根本不是问题,而且事实上是因为我一直都缺少证书.该帖子中提供了额外的证书,但我不想盲目信任它.我查看了cURL’s site的CA证书列表,它列在那里,所以我确实相信它.

证书：

Verisign Class 3 Public Primary Certification Authority=======================================================-----BEGIN CERTIFICATE-----MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdulCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWdulCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhEbarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/isI19wKTakyYbnsZogy1olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0GCSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Dolbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNycAA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k-----END CERTIFICATE-----

我把它放在一个文件中：

/usr/share/ca-certificates/curl/Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.crt

然后我修改了/etc/ca-certificates.conf并在最后添加了以下行：

curl/Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.crt

之后我运行了命令：

sudo update-ca-certificates

查看/ etc / ssl / certs目录,我看到它正确链接：

ls -al | grep cURLlrwxrwxrwx 1 root root     69 2012-03-27 16:03 415660c1.0 -> Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.pemlrwxrwxrwx 1 root root     69 2012-03-27 16:03 7651b327.0 -> Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.pemlrwxrwxrwx 1 root root    101 2012-03-27 16:03 Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.pem -> /usr/share/ca-certificates/curl/Verisign_Class_3_Public_Primary_Certification_Authority-from_cURL.crt

一切正常！

curl  -I https://test.sagepay.comhttp/1.1 200 OK...

总结

以上是内存溢出为你收集整理的使用wget / curl的Ubuntu 11.10与ssl失败全部内容，希望文章能够帮你解决使用wget / curl的Ubuntu 11.10与ssl失败所遇到的程序开发问题。

如果觉得内存溢出网站内容还不错，欢迎将内存溢出网站推荐给程序员好友。