[curl] SSL certificate problem: unable to get local issuer certificate
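Accessing a site with curl can produce this error when the site uses an SSL/TLS certificate from a certificate authority that is not registered as trusted. This can happen with sites that use Google certificates.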
# curl https://www...
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Adding '-k' (or '--insecure') and '-L google.com' makes curl skip certificate verification. With verification off, curl accepts any certificate the server presents.
# curl -k -L google.com https://www..
# curl --insecure -L google.com https://www...
To add it to the list of trusted certificates instead:
# curl -v https://google.com
* Trying 2607:f8b0:4009:81b::200e:443...
* Connected to google.com (2607:f8b0:4009:81b::200e) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.google.com
* start date: Dec 11 08:03:31 2023 GMT
* expire date: Mar 4 08:03:30 2024 GMT
* subjectAltName: host "google.com" matched cert's "google.com"
* issuer: C=US; O=Google Trust Services LLC; CN=GTS CA 1C3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* Using Stream ID: 1 (easy handle 0x55bacf75c540)
* TLSv1.2 (OUT), TLS header, Unknown (23):
> GET / HTTP/2
> Host: google.com
> user-agent: curl/7.76.1
> accept: */*
>
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.2 (OUT), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.2 (IN), TLS header, Unknown (23):
< HTTP/2 301
< location: https://www.google.com/
< content-type: text/html; charset=UTF-8
< content-security-policy-report-only: object-src 'none';base-uri 'self';script-src 'nonce-A71EtqVLshhMqBU3l6geSg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
< date: Sat, 13 Jan 2024 20:31:41 GMT
< expires: Mon, 12 Feb 2024 20:31:41 GMT
< cache-control: public, max-age=2592000
< server: gws
< content-length: 220
< x-xss-protection: 0
< x-frame-options: SAMEORIGIN
< alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
<
* TLSv1.2 (IN), TLS header, Unknown (23):
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* TLSv1.2 (IN), TLS header, Unknown (23):
* Connection #0 to host google.com left intact
The /etc/pki/tls/certs/ca-bundle.crt file shown above holds the list of trusted certificates, so adding the problematic certificate to this list resolves the error. (The articles below describe the procedure in detail.)
- [curl] (60) server certificate verification failed. How to fix it
(https://frankler.tistory.com/43)
- Extracting a server's SSL certificate over an HTTPS connection (using curl or a web browser)
(https://www.lesstif.com/gitbook/https-ssl-curl-web-browser-16744456.html)
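The trusted-list fix described above, as an added example that is not from the original post: it builds a constructed CA and server certificate with openssl, reproduces the "unable to get local issuer certificate" verdict against a stand-in bundle, then appends the issuing CA and verifies again. All names and files (demo-ca, unrelated-ca, demo.example.test, bundle.crt) are assumptions, and the openssl command is assumed to be installed.

```shell
#!/bin/sh
# Added example; all names and files below are constructed for illustration.
# bundle.crt stands in for a private copy of /etc/pki/tls/certs/ca-bundle.crt.

# req_cnf FILE CN: minimal config, so results do not depend on the system openssl.cnf.
req_cnf() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' "CN=$2" '[v3]' 'basicConstraints=critical,CA:TRUE' > "$1"
}

# new_ca DIR NAME: create a self-signed CA certificate DIR/NAME.crt with its key.
new_ca() {
    req_cnf "$1/$2.cnf" "$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/$2.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# new_server_cert DIR CA: issue DIR/server.crt for demo.example.test, signed by CA.
new_server_cert() {
    req_cnf "$1/server.cnf" demo.example.test &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/server.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# check BUNDLE CERT: verify CERT against BUNDLE only, ignoring the system trust store.
check() { openssl verify -no-CApath -CAfile "$1" "$2" 2>&1; }

# trust_ca BUNDLE CERT: append CERT to BUNDLE, refusing anything that is not a CA.
trust_ca() {
    openssl x509 -in "$2" -noout -text | grep -q 'CA:TRUE' || return 1
    { echo; cat "$2"; } >> "$1"
}

# demo: sets BEFORE, LEAF_RC and AFTER for a bundle that first lacks the issuer.
demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" unrelated-ca && new_ca "$d" demo-ca &&
        new_server_cert "$d" demo-ca || return 1
    cp "$d/unrelated-ca.crt" "$d/bundle.crt"
    BEFORE=$(check "$d/bundle.crt" "$d/server.crt") || :   # issuer missing
    LEAF_RC=0; trust_ca "$d/bundle.crt" "$d/server.crt" || LEAF_RC=$?
    trust_ca "$d/bundle.crt" "$d/demo-ca.crt" || return 1
    AFTER=$(check "$d/bundle.crt" "$d/server.crt") || :    # issuer now trusted
    rm -rf "$d"
}

demo && printf 'before: %s\nafter:  %s\n' "$BEFORE" "$AFTER"
```

Pointing curl at a private bundle like this with `--cacert` leaves the system-wide ca-bundle.crt unchanged.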
※ References
- Adding a trusted certificate authority certificate (CA cert) to curl
(https://www.lesstif.com/gitbook/curl-ca-cert-15892500.html)