更新憑證

Ubuntu SSL 更新憑證常用指令

在執行 curl 的時候,主機噴出 server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt 憑證過期的錯誤訊息,此時需要重新更新主機憑證資訊

$ curl https://www.google.com
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn\'t adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you\'d like to turn off curl\'s verification of the certificate, use
 the -k (or --insecure) option.

更新主機套件

因為主機套件沒有更新的話,抓取的憑證資料可能還會是舊的憑證,所以在更新憑證之前要先更新主機套件版本

sudo apt-get update

更新主機憑證

更新完主機套件後,就可以重新安裝憑證套件程式,讓主機抓取最新的憑證

sudo apt-get install --reinstall ca-certificates

若套件已是最新的,要直接更新憑證,可以使用下列指令直接更新即可

sudo update-ca-certificates

參考資料