公司的一个域名,用浏览器打开能正常访问,但是在linux下使用curl命令,总是报错,报错信息如下:
curl: (60) Peer certificate cannot be authenticated with known CA certificates More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
网上搜了下这个报错信息,花了一天的时间居然还是没能解决。
后来偶然搜索ssl,打开了一个ssl检测网站(能检测https证书是否正常的一个网站),放上链接:https://myssl.com/ 检测后发现公司的这个域名https证书有问题:好像是"证书链不完整"之类的信息.
于是乎接着百度,google搜索证书链不完整的相关结果,终于发现了解决方法。
用另外一个网站生产中间证书: https://www.myssl.cn/tools/downloadchain.html(该网站可以在线生产中间证书)
生产中间证书之后,把中间证书的内容完完全全的复制并追加到crt/cer文件后面(不要有空格,空行)
之后重载nginx配置文件,发现curl 命令不再报错,至此,问题应该得到了解决,只是还不清楚其中的所以然,有时间了再研究吧。