# yum -y install ca-certificates
# yum info ca-certificates
# rpm -ql ca-certificates
# rpm -ql ca-certificates | grep "crt"
Header and footer format of each certificate in tls-ca-bundle.pem:
BEGIN CERTIFICATE & END CERTIFICATE
Header and footer format of each certificate in ca-bundle.trust.crt:
BEGIN TRUSTED CERTIFICATE & END TRUSTED CERTIFICATE
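The file /etc/pki/tls/certs/ca-bundle.crt holds the bundled root certificates of the major certificate authorities.
When curl accesses an https site, it checks the server's certificate against the root certificates in this file. If the file is too old, newer root certificates are missing from it, and curl cannot access the https site normally.
So you either update this package (file) or add the certificate manually; you can, of course, also use curl -k to skip certificate verification entirely.
Update to the latest certificates: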
https://curl.se/ca/cacert.pem
On CentOS 7.x, add a trusted certificate manually:
Obtain the server certificate X.crt
# cp X.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust
# cat /etc/pki/ca-trust/README
# man update-ca-trust > update-ca-trust.txt
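The two header formats listed above and the copy step can be checked before a file goes into the anchors directory. The script below is an added example, not part of the original page: it counts BEGIN CERTIFICATE and BEGIN TRUSTED CERTIFICATE blocks and rejects a file that is truncated or carries a private key. The function names, the sample files and the "plain PEM only" policy are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page. The PEM bodies below are
# constructed placeholders, not real certificates or keys.

# Count lines equal to "-----KIND LABEL-----" (KIND is BEGIN or END).
count_marker() {  # usage: count_marker FILE KIND LABEL
    awk -v m="-----$2 $3-----" \
        '{ sub(/\r$/, "") } $0 == m { n++ } END { print n + 0 }' "$1"
}

# Report how many plain and how many trust-annotated blocks a bundle holds.
summarize_bundle() {  # usage: summarize_bundle FILE
    echo "plain=$(count_marker "$1" BEGIN CERTIFICATE)" \
         "trusted=$(count_marker "$1" BEGIN 'TRUSTED CERTIFICATE')"
}

# Pre-check before "cp X.crt /etc/pki/ca-trust/source/anchors/". Policy assumed
# by this example: plain PEM only, complete blocks, no private key in the file.
precheck_anchor() {  # usage: precheck_anchor FILE
    begins=$(count_marker "$1" BEGIN CERTIFICATE)
    ends=$(count_marker "$1" END CERTIFICATE)
    if [ "$begins" -eq 0 ]; then
        echo "$1: no plain CERTIFICATE block" >&2; return 1
    elif [ "$begins" -ne "$ends" ]; then
        echo "$1: truncated block ($begins BEGIN, $ends END)" >&2; return 1
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo "$1: contains a private key" >&2; return 1
    fi
}

pem_block() { printf '%s\n' "-----BEGIN $1-----" "$2" "-----END $1-----"; }

# Write the constructed sample files into DIR.
write_samples() {  # usage: write_samples DIR
    b='MIIBconstructedPlaceholderNotARealCertificate'
    { pem_block CERTIFICATE "$b"; pem_block CERTIFICATE "$b"; } > "$1/plain.pem"
    pem_block 'TRUSTED CERTIFICATE' "$b" > "$1/trust.crt"
    { pem_block CERTIFICATE "$b"; pem_block 'PRIVATE KEY' "$b"; } > "$1/leaky.crt"
    pem_block CERTIFICATE "$b" | sed '$d' > "$1/cut.crt"   # END line missing
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in plain.pem trust.crt leaky.crt cut.crt; do
    if precheck_anchor "$demo_dir/$f" 2>/dev/null; then v=ok; else v=rejected; fi
    echo "$f: $(summarize_bundle "$demo_dir/$f") -> $v"
done
```

The check only looks at the PEM armor lines; it does not parse the certificate, so inspecting the subject, issuer and fingerprint of X.crt remains a separate step.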