ssl - CentOS 6 / Let's Encrypt: wget reports a certificate error, but curl does not

blpfk2vs, posted on 2022-12-13 in Other

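I am trying to understand why wget and curl behave differently when they connect to the same destination from the same system.

Environment

My tests are on CentOS 6 (I know it is outdated, I still want to understand). The exact version is 6.10 (up to date according to the packages from vault.centos.org).

Test: establishing an SSL connection to a website that uses a Let's Encrypt certificate

I am trying to connect to a server that uses a Let's Encrypt certificate, for example https://letsencrypt.org
Because of the expiration of a Let's Encrypt intermediate certificate, I expected certificate verification to fail.
So I was surprised that curl does not complain about the certificate, while wget does:
wget test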

# wget --output-document=/dev/null  https://letsencrypt.com --verbose
--2021-10-27 18:02:39--  https://letsencrypt.com/
Resolving letsencrypt.com... 206.189.50.215, 3.67.153.12, 2a03:b0c0:3:d0::d23:4001, ...
Connecting to letsencrypt.com|206.189.50.215|:443... connected.
ERROR: cannot verify letsencrypt.com's certificate, issued by `/C=US/O=Let\'s Encrypt/CN=R3':
  Issued certificate has expired.
To connect to letsencrypt.com insecurely, use `--no-check-certificate'.

curl test

# curl https://letsencrypt.org --output /dev/null --verbose
* About to connect() to letsencrypt.org port 443 (#0)
*   Trying 3.125.252.47... connected
* Connected to letsencrypt.org (3.125.252.47) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=lencr.org
*       start date: Oct 10 03:00:44 2021 GMT
*       expire date: Jan 08 03:00:43 2022 GMT
*       common name: lencr.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: letsencrypt.org
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 200 OK
< cache-control: public, max-age=0, must-revalidate
< content-security-policy: default-src 'none'; font-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' data: https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://donorbox.org https://js.stripe.com/v3/ https://sdks.shopifycdn.com ; img-src 'self' data: blob: https://www.google-analytics.com https://www.paypal.com https://www.paypalobjects.com https://ak2s.abmr.net https://ak1s.abmr.net https://www.google.com https://cdn.shopify.com https://v.shopify.com ; frame-src https://donorbox.org https://www.youtube.com https://www.youtube-nocookie.com https://bid.g.doubleclick.net https://js.stripe.com/v3/ https://js.stripe.com/v2/ ; connect-src 'self' https://d4twhgtvn0ff5.cloudfront.net/ https://letsencrypt-merch.myshopify.com https://monorail-edge.shopifysvc.com ;
< content-type: text/html; charset=UTF-8
< date: Tue, 26 Oct 2021 16:00:55 GMT
< etag: "f9fe2f13bc4ea4cc3ad994a763b6113c-ssl"
< permissions-policy: geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(self), vibrate=(), fullscreen=(self), interest-cohort=()
< referrer-policy: no-referrer
< strict-transport-security: max-age=31536000
< x-xss-protection: 1; mode=block
< age: 86183
< server: Netlify
< x-nf-request-id: 01FK17GMX7JW56W5ABGPH06ZP3
< content-length: 32108
< x-content-type-options: nosniff
< x-frame-options: DENY
<
{ [data not shown]
100 32108  100 32108    0     0  79841      0 --:--:-- --:--:-- --:--:--  407k* Connection #0 to host letsencrypt.org left intact

* Closing connection #0

I have done some tests with wget while forcing the CA file (wget --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt https://letsencrypt.org -O /dev/null), but it made no difference.
Any hints? Thanks for your time =)

nmpmafwu #1

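I had a similar problem on Debian 10: curl worked, but wget returned a certificate error. curl and wget use different libraries. Updating the packages that wget depends on fixed the problem.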

# apt depends wget
wget
  Depends: libc6 (>= 2.28)
  Depends: libgnutls30 (>= 3.6.6)
  Depends: libidn2-0 (>= 0.6)
  Depends: libnettle6
  Depends: libpcre2-8-0 (>= 10.32)
  Depends: libpsl5 (>= 0.16.0)
  Depends: libuuid1 (>= 2.16)
  Depends: zlib1g (>= 1:1.1.4)
  Conflicts: <wget-ssl>
  Recommends: ca-certificates
# apt install wget libc6 libgnutls30 libidn2-0 libnettle6 libpcre2-8-0 libpsl5 libuuid1 zlib1g ca-certificates
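
The statement in answer #1 that curl and wget use different libraries can be checked on the host itself. The script below is an added example, not part of the original question or answers: it maps `ldd` output to the TLS backend a binary is linked against. The sample library listings are constructed, and wget being linked against OpenSSL on CentOS 6 is an assumption; curl using NSS matches the verbose output in the question.

```shell
#!/bin/sh
# Added example: identify which TLS library a client is linked against.

# Read `ldd` output on stdin; print the TLS backends found, sorted and
# space-separated. libssl3/libnss3 belong to NSS, libssl.so to OpenSSL.
tls_backends() {
    sed -n \
        -e 's/.*libgnutls\.so.*/gnutls/p' \
        -e 's/.*libssl3\.so.*/nss/p' \
        -e 's/.*libnss3\.so.*/nss/p' \
        -e 's/.*libssl\.so.*/openssl/p' |
        sort -u | paste -sd' ' -
}

# Constructed ldd excerpts (load addresses are dummies), modelled on the
# CentOS 6 setup in the question: wget on OpenSSL (assumed), curl on NSS.
SAMPLE_WGET_EL6='	libssl.so.10 => /usr/lib64/libssl.so.10 (0x0000000000000000)
	libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x0000000000000000)
	libc.so.6 => /lib64/libc.so.6 (0x0000000000000000)'
SAMPLE_CURL_EL6='	libcurl.so.4 => /usr/lib64/libcurl.so.4 (0x0000000000000000)
	libssl3.so => /usr/lib64/libssl3.so (0x0000000000000000)
	libnss3.so => /usr/lib64/libnss3.so (0x0000000000000000)
	libc.so.6 => /lib64/libc.so.6 (0x0000000000000000)'

printf 'sample wget: %s\n' "$(printf '%s\n' "$SAMPLE_WGET_EL6" | tls_backends)"
printf 'sample curl: %s\n' "$(printf '%s\n' "$SAMPLE_CURL_EL6" | tls_backends)"

# On a live host, inspect the installed binaries (trusted system paths only,
# since ldd should not be run on untrusted executables).
for tool in wget curl; do
    path=$(command -v "$tool" 2>/dev/null) || continue
    backends=$(ldd "$path" 2>/dev/null | tls_backends)
    printf '%s (%s): %s\n' "$tool" "$path" "${backends:-none detected}"
done
```

When the two tools report different backends, each one builds and validates the certificate chain with its own library, so the package to update is the one that provides the failing tool's backend.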

j9per5c4 #2

I ran into the same problem on CentOS 7. Thanks to Ali, I was able to get wget working again.

yum update
