遵循似乎是将证书添加到 Linux 信任的标准程序,它似乎添加了证书:
$ sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt`
$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
但是curl,wget拒绝使用该证书连接到服务器,并出现以下错误:
verify error: Unable to get local issuer certificate
Unable to locally verify the issuer's authority
(如果使用 禁用验证,它会连接curl -k,但这不是解决方案。)
证书本身是使用此命令创建的,用于在本地 Gitlab 实例 (nginx) 上启用 SSL:
$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf
哪里openssl_conf是:
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = XX
ST = XX
L = XXX
O = XXXX
OU = XXXX
CN = ...
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = XX.XX.X.X
问题似乎与用于证书生成的 openssl 配置文件有关(看起来它没有被充分填充)。使用此新配置文件创建的证书已成功添加到信任库中
update-ca-certificates. 根据这篇文章,看来这里的关键是basicConstraints = CA:true。(相同的证书生成命令)
$ openssl req -x509 -days 365 -newkey rsa:1024 -keyout bar.pem -nodes -out foo.crt -config openssl_conf(将证书添加到信任库的方法相同)