【Question title】: centos6/letsencrypt - certificate error with wget, but not with curl
【Posted】: 2021-12-12 22:43:10
【Question description】:

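I am trying to understand the difference in behavior between wget and curl when they connect to the same destination from the same system.

Environment

My tests are on centos6 (I know it is deprecated, I still want to understand). The detailed version is 6.10 (packages updated from vault.centos.org).

Test: establish an SSL connection to a website with a Letsencrypt certificate

I am trying to connect to a server with a letsencrypt certificate, for example https://letsencrypt.org

Because of the expiration of a letsencrypt intermediate certificate, I expected certificate verification to fail.

So I am surprised that curl does not complain about the certificate, while wget does:

wget test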

# wget --output-document=/dev/null  https://letsencrypt.com --verbose
--2021-10-27 18:02:39--  https://letsencrypt.com/
Resolving letsencrypt.com... 206.189.50.215, 3.67.153.12, 2a03:b0c0:3:d0::d23:4001, ...
Connecting to letsencrypt.com|206.189.50.215|:443... connected.
ERROR: cannot verify letsencrypt.com's certificate, issued by `/C=US/O=Let\'s Encrypt/CN=R3':
  Issued certificate has expired.
To connect to letsencrypt.com insecurely, use `--no-check-certificate'.

curl test

# curl https://letsencrypt.org --output /dev/null --verbose
* About to connect() to letsencrypt.org port 443 (#0)
*   Trying 3.125.252.47... connected
* Connected to letsencrypt.org (3.125.252.47) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=lencr.org
*       start date: Oct 10 03:00:44 2021 GMT
*       expire date: Jan 08 03:00:43 2022 GMT
*       common name: lencr.org
*       issuer: CN=R3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: letsencrypt.org
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0< HTTP/1.1 200 OK
< cache-control: public, max-age=0, must-revalidate
< content-security-policy: default-src 'none'; font-src 'self'; style-src 'unsafe-inline' 'self'; script-src 'unsafe-eval' 'unsafe-inline' 'self' data: https://www.google-analytics.com https://www.googleadservices.com https://www.googletagmanager.com https://googleads.g.doubleclick.net https://donorbox.org https://js.stripe.com/v3/ https://sdks.shopifycdn.com ; img-src 'self' data: blob: https://www.google-analytics.com https://www.paypal.com https://www.paypalobjects.com https://ak2s.abmr.net https://ak1s.abmr.net https://www.google.com https://cdn.shopify.com https://v.shopify.com ; frame-src https://donorbox.org https://www.youtube.com https://www.youtube-nocookie.com https://bid.g.doubleclick.net https://js.stripe.com/v3/ https://js.stripe.com/v2/ ; connect-src 'self' https://d4twhgtvn0ff5.cloudfront.net/ https://letsencrypt-merch.myshopify.com https://monorail-edge.shopifysvc.com ;
< content-type: text/html; charset=UTF-8
< date: Tue, 26 Oct 2021 16:00:55 GMT
< etag: "f9fe2f13bc4ea4cc3ad994a763b6113c-ssl"
< permissions-policy: geolocation=(), midi=(), notifications=(), push=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), speaker=(self), vibrate=(), fullscreen=(self), interest-cohort=()
< referrer-policy: no-referrer
< strict-transport-security: max-age=31536000
< x-xss-protection: 1; mode=block
< age: 86183
< server: Netlify
< x-nf-request-id: 01FK17GMX7JW56W5ABGPH06ZP3
< content-length: 32108
< x-content-type-options: nosniff
< x-frame-options: DENY
<
{ [data not shown]
100 32108  100 32108    0     0  79841      0 --:--:-- --:--:-- --:--:--  407k* Connection #0 to host letsencrypt.org left intact

* Closing connection #0

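I did some tests forcing the CA file on wget (wget --ca-certificate=/etc/pki/tls/certs/ca-bundle.crt https://letsencrypt.org -O /dev/null), but there was no difference.

Any hints? And thank you for your time =)

【Question discussion】:

    Tags: ssl curl wget lets-encrypt


    【Solution 1】:

    Ran into a similar problem on debian 10, where curl worked but wget returned a certificate error. curl and wget use different libraries. Updating the packages wget depends on fixed the problem.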

    # apt depends wget
    wget
      Depends: libc6 (>= 2.28)
      Depends: libgnutls30 (>= 3.6.6)
      Depends: libidn2-0 (>= 0.6)
      Depends: libnettle6
      Depends: libpcre2-8-0 (>= 10.32)
      Depends: libpsl5 (>= 0.16.0)
      Depends: libuuid1 (>= 2.16)
      Depends: zlib1g (>= 1:1.1.4)
      Conflicts: <wget-ssl>
      Recommends: ca-certificates
    # apt install wget libc6 libgnutls30 libidn2-0 libnettle6 libpcre2-8-0 libpsl5 libuuid1 zlib1g ca-certificates
    

    【Discussion】:
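
The answer's point that curl and wget use different libraries can be checked on any host. The script below is an added example, not part of the original question or answer; the function names are hypothetical, the curl banner is the User-Agent string from the question's output, and the wget `ldd` excerpt is constructed.

```shell
#!/bin/sh
# Added example: identify which TLS library curl and wget are built against.

# Classify the TLS library named in a version banner or in ldd output.
# Reads text on stdin; prints NSS, GnuTLS, OpenSSL or unknown.
tls_backend() {
    awk '
        /NSS\/|libnss3\.so|libssl3\.so/ { found = "NSS";     exit }
        /GnuTLS\/|libgnutls\.so/        { found = "GnuTLS";  exit }
        /OpenSSL\/|libssl\.so/          { found = "OpenSSL"; exit }
        END { print (found ? found : "unknown") }
    '
}

# Report the backend of an installed tool: version banner first, then the
# shared libraries it links (ldd), since wget's banner may not name one.
report_tool() {
    tool=$1
    path=$(command -v "$tool" 2>/dev/null) || { echo "$tool: not installed"; return 0; }
    backend=$( { "$path" --version 2>/dev/null; ldd "$path" 2>/dev/null; } | tls_backend )
    echo "$tool: $backend ($path)"
}

# Banner string taken from the User-Agent line in the question's curl output.
PAGE_CURL_BANNER='curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

# Constructed ldd excerpt for a wget built against libgnutls30 (the dependency
# listed in the answer); the library paths are assumptions.
SAMPLE_WGET_LDD='	libgnutls.so.30 => /usr/lib/x86_64-linux-gnu/libgnutls.so.30
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6'

# Classify the two samples, then whatever is installed on this host.
printf '%s\n' "$PAGE_CURL_BANNER" | tls_backend
printf '%s\n' "$SAMPLE_WGET_LDD" | tls_backend
report_tool curl
report_tool wget
```

When the two tools report different backends, their certificate chains are validated by different code, so they can disagree about the same server.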
