8

I am testing SSL access to a local node server with key,ca,cert in options ( self-signed w OpenSSL)

var server_options = {
  key: fs.readFileSync('/etc/ssl/self-signed/server.key'),
  ca: fs.readFileSync('/etc/ssl/self-signed/server.csr'),
  cert: fs.readFileSync('/etc/ssl/self-signed/server.crt')
};

trying to access it:

curl -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token

using curl I get the following error:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I downloaded the ca certificate from http://curl.haxx.se/ca/cacert.pem and add them to my curl-ca-bundle-new.crt file, as suggested in some posts related to curl... but no way

here is the log

  • About to connect() to macMini.local port 8000 (#0)

    • Trying 192.168.1.14...
    • connected
    • Connected to macMini.local (192.168.1.14) port 8000 (#0)
    • SSLv3, TLS handshake, Client hello (1):
    • SSLv3, TLS handshake, Server hello (2):
    • SSLv3, TLS handshake, CERT (11):
    • SSLv3, TLS alert, Server hello (2):
    • SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    • Closing connection #0 curl: (60) SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed More details here: http://curl.haxx.se/docs/sslcerts.html

I know I can bypass the Curl CA checking, using:

curl -k -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token

in which case it's running fine, I can see:

SSL certificate verify result: self signed certificate (18), continuing anyway.

but I'd like to know if there is any way to solve this issue...

4

3 回答 3

7

这是您应该添加到 CA 捆绑包中的自签名证书。否则,curl 无法知道它可以被信任。

于 2013-10-14T00:27:31.753 回答
5

我终于在 OSX (10.8) 上找到了位置:/usr/share/curl/cacert.pem 所以我添加了我的自签名证书,并重新启动了我的 node-ssl 服务器。

然后 curl 命令现在可以正常运行了 -k 选项

curl -v --user 1234567890:abcdefghijklmnopqrstuvwxyz --data "grant_type=password&username=yves&password=123456789" https://macMini.local:8000/oauth/token

* About to connect() to macMini.local port 8000 (#0)
*   Trying 192.168.1.14...
* connected
* Connected to macMini.local (192.168.1.14) port 8000 (#0)
* successfully set certificate verify locations:
*   CAfile: /usr/share/curl/cacert.pem
  CApath: none
...
于 2013-10-14T08:27:23.620 回答
0

在 mac 上,我在尝试安装composer时遇到了类似的 ssl 相关错误。

错误:14090086:SSL 例程:SSL3_GET_SERVER_CERTIFICATE:证书

对于命令

php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

但是我通过运行命令成功安装了它

curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin/composer/

按照这里的指示。

于 2016-11-28T20:12:29.557 回答