[Certificates] curl and Java requests fail with certificate errors

Posted by 易波葉平 on 2020-12-01

1. Notes:

In the examples below, the domain name has been replaced with my own blog's domain because of restrictions in my work environment, so the tests cannot be reproduced exactly as shown. Bear with me, haha!

2. Environment:

CentOS: 7.5

Java JDK: 1.8.0_74

3. curl request fails with a certificate error

[root@test01 tmp]# curl "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99" 
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

3.1 Fix 1: the root-cause fix

3.1.1 Firefox browser

Open https://www.zhaouncle.com, then click through the following in order:

"padlock icon" -> "right arrow" -> "More Information" -> "View Certificate" -> "the middle certificate (the intermediate)", and download it as a PEM file.


3.1.2 On the CentOS system

Copy the downloaded PEM file into the /etc/pki/ca-trust/source/anchors directory, then run the update-ca-trust extract command.


3.2 Fix 2: treating the symptom

curl -k or curl --insecure skips certificate verification directly on the command line.

curl -k "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99" 
curl --insecure "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99" 

3.3 Fix 3: treating the symptom

3.3.1 wget workaround:

echo "check_certificate = off" >> ~/.wgetrc

3.3.2 curl workaround:

echo "insecure" >> ~/.curlrc
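The two rc-file lines above disable verification for every future curl and wget run by that user, not just the one request that failed, and they are easy to forget. Here is an added shell check (not from the original post) that reports whether a home directory carries either setting, ignoring commented-out lines. It assumes the default rc locations, ~/.curlrc and ~/.wgetrc.

```shell
#!/bin/sh
# Added example, not from the original post: find persistent "skip certificate
# verification" settings in a user's curl and wget rc files.

# rc_disables_tls_check FILE PATTERN
# Returns 0 when FILE contains an uncommented line matching PATTERN (ERE).
rc_disables_tls_check() {
    file=$1
    pattern=$2
    [ -r "$file" ] || return 1
    # drop leading blanks, then comment lines, then look for the setting
    sed -e 's/^[[:space:]]*//' "$file" | grep -v '^#' | grep -qiE "$pattern"
}

# audit_insecure_rc HOME_DIR
# Prints one line per offending file; returns 1 if any was found, 0 otherwise.
audit_insecure_rc() {
    home=$1
    found=0
    # curl accepts "insecure", "--insecure" or "-k" as a line in ~/.curlrc
    if rc_disables_tls_check "$home/.curlrc" '^(-k|-?-?insecure)([[:space:]]|=|$)'; then
        echo "$home/.curlrc: curl certificate verification is disabled (insecure)"
        found=1
    fi
    # wget reads "check_certificate = off" (underscore or hyphen) from ~/.wgetrc
    if rc_disables_tls_check "$home/.wgetrc" '^check[_-]certificate[[:space:]]*=[[:space:]]*off'; then
        echo "$home/.wgetrc: wget certificate verification is disabled (check_certificate = off)"
        found=1
    fi
    return $found
}
```

Run it as audit_insecure_rc "$HOME" (or over every directory under /home from a cron job); a non-zero exit status means at least one tool on that account is silently accepting any certificate, which is the state section 3.3 leaves the machine in.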

4. Both Java and curl fail with certificate errors

4.1 The curl error:

[centos@test01 ~]$ curl "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99"
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[centos@test01 ~]$ ping www.zhaouncle.com
PING www.zhaouncle.com (10.0.0.100) 56(84) bytes of data.
64 bytes from test01 (10.0.0.100): icmp_seq=1 ttl=64 time=262 ms
64 bytes from test01 (10.0.0.100): icmp_seq=2 ttl=64 time=262 ms
64 bytes from test01 (10.0.0.100): icmp_seq=3 ttl=64 time=262 ms
^C
--- www.zhaouncle.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 262.636/262.636/262.637/0.418 ms

4.2 The Java error when requesting www:

org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://www.zhaouncle.com/api/v2/app/getBopomofo": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

4.3 Explanation

4.3.1 Question: you are probably wondering why I pinged the domain name, and why it resolved to an internal IP.

Answer: the domain is bound in the hosts file, so the request goes to an internal IP and is served by the local nginx, which has the certificate configured on it, instead of by the external CDN. If the request went out through the CDN, neither curl nor Java would complain, because the certificate bound on the CDN was uploaded together with its certificate chain. Yes, that is it: the certificate chain.

4.3.2 What is a certificate chain?

HTTPS acceleration requires uploading the SSL certificate; open the public certificate file domain.com.crt and you will find it contains 3 certificates:

That is the certificate chain. Typically it consists of a user (end-entity) certificate, an intermediate certificate, and a root certificate.

Usually uploading the user certificate plus the intermediate certificate is enough; the root certificate does not need to be uploaded, unless your chain is not three levels deep but has two intermediate certificates.

Generally speaking, the user certificate must be uploaded for things to work at all; you can upload it on its own, together with the intermediate certificate, or together with both the intermediate and the root certificate.

Note that these certificates must all be in the same file.

The format is as follows:

-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQHV3ex3xRLXOHkz2GjVAKrjANBgkqhkiG9w0BAQsFADCB
...... (rest omitted; the first one is the user certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
...... (rest omitted; the second one is the intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
...... (rest omitted; the third one is the root certificate)
-----END CERTIFICATE-----

4.3.3 Solution:

Solution: on the nginx side, append the intermediate certificate to the www crt file. That is it, all the problems are solved, and the step 3 workarounds on the system and the command line are no longer needed.

Reference: https://ep.gnt.md/index.php/curl-60-peers-certificate-issuer-is-not-recognized/
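As an added example (these are not the post's own commands), the following shell script builds a constructed three-level chain with openssl, reproduces the "issuer is not recognized" failure offline, and checks both fixes the post describes: the root-cause fix from 4.3.3 (the file nginx serves must carry the intermediate right after the leaf) and the local-anchor fix from 3.1 (only a CA certificate should ever be dropped into /etc/pki/ca-trust/source/anchors). It assumes the openssl CLI is installed; the names Constructed Root CA, Constructed Intermediate CA and www.example.test are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed chain
# (root -> intermediate -> leaf), reproduces curl's error 60 offline, and
# checks the nginx bundle fix (4.3.3) and the trust-anchor fix (3.1).
# Assumes the openssl CLI is installed.

# make_demo_chain DIR: writes root.pem, int.pem, leaf.pem (and keys) into DIR.
make_demo_chain() {
    dir=$1
    # Minimal config so nothing here depends on the system openssl.cnf.
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root CA (placeholder name).
    openssl req -x509 -config "$dir/openssl.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
        -subj "/CN=Constructed Root CA" -days 3650 2>/dev/null
    # Intermediate CA, signed by the root.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Constructed Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -CAserial "$dir/root.srl" \
        -extfile "$dir/openssl.cnf" -extensions ca_ext \
        -out "$dir/int.pem" -days 3650 2>/dev/null
    # Leaf (server) certificate, signed by the intermediate only.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -CAserial "$dir/int.srl" \
        -extfile "$dir/openssl.cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" -days 365 2>/dev/null
}

# chain_verifies ROOT LEAF [INTERMEDIATE]: 0 when LEAF chains up to ROOT.
# INTERMEDIATE plays the role of the extra certificate a server sends; without
# it the client sees only the leaf, which is curl's "(60) issuer is not recognized".
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# build_server_bundle LEAF INTERMEDIATE OUT: the file nginx's ssl_certificate
# should point at, leaf first with the intermediate appended after it (4.3.3).
build_server_bundle() {
    cat "$1" "$2" > "$3"
}

# bundle_verifies ROOT BUNDLE: verifies the first certificate in BUNDLE using
# the other certificates in the same file as untrusted helpers.
bundle_verifies() {
    openssl x509 -in "$2" | openssl verify -CAfile "$1" -untrusted "$2" >/dev/null 2>&1
}

# install_anchor PEM [ANCHOR_DIR]: the 3.1.2 step, with a check that only a
# CA certificate becomes a trust anchor; a leaf dropped in there would not help.
install_anchor() {
    pem=$1
    anchors=${2:-/etc/pki/ca-trust/source/anchors}
    openssl x509 -in "$pem" -noout -text 2>/dev/null \
        | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || {
        echo "refusing to trust $pem: not a CA certificate" >&2
        return 1
    }
    cp "$pem" "$anchors/" || return 1
    # Regenerate the consolidated store only for the real CentOS anchor directory.
    if [ "$anchors" = /etc/pki/ca-trust/source/anchors ] \
        && command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust extract
    fi
}

# trusts_via_anchor ANCHOR LEAF: what the system trust store does once the
# intermediate is an anchor; the openssl CLI needs -partial_chain to accept a
# chain that stops at an anchor which is not self-signed.
trusts_via_anchor() {
    openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running make_demo_chain and then chain_verifies with and without the intermediate shows the same cause as the error 60 in section 3: the leaf alone cannot be chained to any trusted root. The bundle check is the one to run against the file nginx actually serves, since a leaf-only crt passes every local "is this a valid certificate" glance yet still fails for every client that does not already hold the intermediate.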
