【发布时间】:2019-05-11 15:28:26
【问题描述】:
我创建了一个 rest api 项目,我正在尝试使用 curl 访问 https 端点,如下所示:
$ dotnet new angular
$ curl -I -X GET 'https://localhost:5001/api/SampleData/WeatherForecasts'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
我搜索了一下,这些是我从 dotnet 提取证书并将其添加到我的受信任 CA 证书存储库中的步骤:
这是我尝试添加证书的方法
# export netcore development certificate
$ dotnet dev-certs https -ep ~/tmp/localhost.pfx -p somepassword
# convert it to crt
$ openssl pkcs12 -in ~/tmp/localhost.pfx -clcerts -nokeys -out ~/tmp/localhost.crt
# copy to a folder in /usr/local/share/ca-certificates/
$ cd /usr/local/share/ca-certificates/
$ sudo mkdir dotnet_devel
$ sudo chmod -R 755 dotnet_devel
$ mkdir dotnet_devel
$ cd dotnet_devel
$ sudo cp ~/tmp/localhost.crt .
$ sudo chmod -R 644 localhost.crt
# update CA trusted certificates repository
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Adding debian:localhost.pem
done.
done.
我也尝试像这样设置 CURL_CA_BUNDLE 环境变量:
$ export CURL_CA_BUNDLE=/usr/local/share/ca-certificates/dotnet_devel/localhost.crt
我不断收到相同的 curl 错误,而且,firefox 和 chrome 告诉我连接不安全
附加信息:
$ dotnet --info
.NET Core SDK (reflecting any global.json):
Version: 2.2.203
Commit: e5bab63eca
Runtime Environment:
OS Name: ubuntu
OS Version: 18.04
OS Platform: Linux
RID: ubuntu.18.04-x64
$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.0g zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4) nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL
$ openssl x509 -in /usr/local/share/ca-certificates/dotnet_devel/localhost.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7146369397181644036 (0x632d011a88bbfd04)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = localhost
Validity
Not Before: Oct 22 19:40:53 2018 GMT
Not After : Oct 22 19:40:53 2019 GMT
Subject: CN = localhost
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication
X509v3 Subject Alternative Name: critical
DNS:localhost
1.3.6.1.4.1.311.84.1.1:
ASP.NET Core HTTPS development certificate
Signature Algorithm: sha256WithRSAEncryption
[...]
参考资料:
https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line/649463#649463
https://github.com/aspnet/AspNetCore/issues/7246#issue-406461992
【问题讨论】:
-
能否包含
openssl x509 -in /usr/local/share/ca-certificates/dotnet_devel/localhost.crt -text -noout的输出? Firefox 和 Chrome 使用自己的信任库运行,因此需要为两种浏览器单独配置信任 -
没问题
-
证书验证不仅仅是您是否已将其添加到您的证书存储中。验证意味着检查可以将整个证书链验证回原始颁发者。这不适用于自签名证书。没有证书链。虽然自签名证书在 10 年前对启用 ssl 很有用,但如今它们的麻烦多于其价值,因为您必须为每个允许使用它们的应用程序创建一个例外。最好简单地使用
certbot并从 EFF 获取免费的有效证书以用于服务器。 -
好提示,我可以使用 certbot 为我的本地主机创建证书吗?有什么链接可以帮助我开始使用它吗?
标签: ssl https .net-core ubuntu-18.04 self-signed