Notes on resolving a curl HTTPS certificate problem: Peer's Certificate has expired


curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
error: skipping https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm - transfer failed

Cause of the problem

When accessing an HTTPS site, curl reported the error Peer's Certificate has expired, as follows:

[[email protected] ~]# curl https://www.baidu.com
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

I searched for a long time without finding any useful information or an existing solution, so I had to analyze the problem myself.

Attempted analysis

First, going by the message, I judged that the CA certificates had expired, so I updated them:

update-ca-trust

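This still did not solve the problem. After trying many other approaches, I came back and thought: why not use curl -v to get more information? So I tried again with that option.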

[[email protected] ~]# curl https://www.baidu.com -v
* About to connect() to www.baidu.com port 443 (#0)
*   Trying 180.97.33.107...
* Connected to www.baidu.com (180.97.33.107) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=baidu.com,OU=service operation department,O="Beijing Baidu Netcom Science Technology Co., Ltd.",L=Beijing,ST=Beijing,C=CN
*   start date: Sep 17 00:00:00 2015 GMT
*   expire date: Aug 31 23:59:59 2016 GMT
*   common name: baidu.com
*   issuer: CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
* Closing connection 0
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

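I then searched for the SEC_ERROR_EXPIRED_CERTIFICATE error description and found that this error is caused by an incorrect local time. After one NTP time synchronization, the problem was solved.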

ntpdate pool.ntp.org

Analysis of the result

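An HTTPS certificate has a start time and an expiry time, so the local time must fall within the certificate's validity period. The best approach, though, is to keep the system time synchronized.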
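
The check described above can be scripted: compare the certificate's validity window from curl -v with the local clock and, if available, with a second time source, before touching the CA bundle. This is an added example, not from the original post; it assumes GNU date, and the function names and the reference-time argument are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Needs GNU date (`date -d`).

# Constructed sample: the validity lines of the curl -v output in the post.
SAMPLE='*   start date: Sep 17 00:00:00 2015 GMT
*   expire date: Aug 31 23:59:59 2016 GMT'

# cert_epoch start|expire < curl-v-output : print that date as epoch seconds.
cert_epoch() {
    d=$(sed -n "s/^\*[[:space:]]*$1 date:[[:space:]]*//p" | head -n 1)
    [ -n "$d" ] && date -u -d "$d" +%s
}

# position T NOT_BEFORE NOT_AFTER : where T lies relative to the window.
position() {
    if [ "$1" -lt "$2" ]; then echo before
    elif [ "$1" -gt "$3" ]; then echo after
    else echo inside
    fi
}

# diagnose LOCAL_EPOCH [REFERENCE_EPOCH] < curl-v-output
# REFERENCE_EPOCH (hypothetical input) is a time read from a source trusted
# more than the local clock. Prints one verdict; returns 2 on parse failure.
diagnose() {
    out=$(cat)
    nb=$(printf '%s\n' "$out" | cert_epoch start) || { echo parse-error; return 2; }
    na=$(printf '%s\n' "$out" | cert_epoch expire) || { echo parse-error; return 2; }
    local_pos=$(position "$1" "$nb" "$na")
    if [ "$local_pos" = inside ]; then
        echo ok                                # local clock is inside the window
    elif [ -z "${2:-}" ]; then
        echo "local-clock-$local_pos-window"   # cannot tell skew from expiry
    else
        case $(position "$2" "$nb" "$na") in
            inside) echo clock-skew ;;                 # fix the clock, not the CA bundle
            after)  echo certificate-expired ;;        # the server has to renew
            before) echo certificate-not-yet-valid ;;
        esac
    fi
}

# Typical use (curl writes -v details to stderr):
#   curl -v https://www.baidu.com 2>&1 | diagnose "$(date +%s)"
```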


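Author: xuxinkun
Source: xinkun's blog
Link: https://xuxinkun.github.io/
Copyright of this article belongs to the author; reposting is welcome.
Unless the author agrees otherwise, this notice must be retained and a link to the original article given in a prominent position on the page; otherwise the right to pursue legal liability is reserved.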