При попытке запросить через curl некий урл получаем ошибку

curl 'https://some.site.com/test/input' -H 'Content-Type: application/json' -d '{"test":"test"}'

Ответ с ошибкой

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

Система — Ubuntu 16.04. Обновлять все пакеты нельзя — это живой и рабочий продакт сервер. Методом аккуратных тыков помогло данное действие.

Скачиваем актуальные LetsEncrypt root CA сертификаты:

sudo curl -k https://letsencrypt.org/certs/isrgrootx1.pem.txt -o /usr/local/share/ca-certificates/isrgrootx1.crt

sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx1.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx1.crt

sudo curl -k https://letsencrypt.org/certs/letsencryptauthorityx2.pem.txt -o /usr/local/share/ca-certificates/letsencryptauthorityx2.crt

sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx1.crt

sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx2.crt

sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx3.crt

sudo curl -k https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.pem.txt -o /usr/local/share/ca-certificates/letsencryptx4.crt

Запускаем обновление сертификатов

sudo dpkg-reconfigure ca-certificates

На первый вопрос отвечаем 'Yes' — доверять новым сертификатам. На втором шаге нужно снять звездочку с пункта «DST Root CA X3» Проверяем снова наш запрос curl .

Оценка сообщения:
1 Star2 Stars3 Stars4 Stars5 Stars
(Еще не оценили)
Загрузка...

Метки: , ,