更新憑證
Ubuntu SSL 更新憑證常用指令
Categories:
在執行 curl 的時候,主機噴出 server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt
憑證過期的錯誤訊息,此時需要重新更新主機憑證資訊
$ curl https://www.google.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn\'t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you\'d like to turn off curl\'s verification of the certificate, use
the -k (or --insecure) option.
更新主機套件
因為主機套件沒有更新的話,抓取的憑證資料可能還會是舊的憑證,所以在更新憑證之前要先更新主機套件版本
sudo apt-get update
更新主機憑證
更新完主機套件後,就可以重新安裝憑證套件程式,讓主機抓取最新的憑證
sudo apt-get install --reinstall ca-certificates
若套件已是最新的,要直接更新憑證,可以使用下列指令直接更新即可
sudo update-ca-certificates
參考資料
- 服务器证书验证失败CAfile:/etc/ssl/certs/ca certificates.crt CRLfile: 无_ssl-certificate_酷徒编程知识库
- 各系統更新 ca (root)根憑證的方法 – Mr. 沙先生