[英]old php container says : curl: (60) SSL certificate problem: certificate has expired
Since 1 or 2 days my old php container (dockerhub php:5.4-apache) can't use curl anymore.从 1 或 2 天开始,我的旧 php 容器 (dockerhub php:5.4-apache) 不能再使用 curl。 this is the log when running curl inside this container.
这是在此容器内运行 curl 时的日志。
$> docker run --rm -ti php:5.6-apache bash
$> curl -X POST https://xxxxx.com
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
This same call works on a modern (updated) OS.同样的调用适用于现代(更新的)操作系统。
the reason is cacerts of the os are outdated原因是操作系统的证书已过时
To update them you need to do the following要更新它们,您需要执行以下操作
curl -k https://curl.se/ca/cacert.pem > cacert.pem
# works : curl --cacert cacert.pem -X POST https://xxxxx.com
apt-get install ca-certificates
openssl x509 -outform der -in cacert.pem -out cacert.crt
cp cacert.crt /usr/local/share/ca-certificates/
update-ca-certificates
other option:其他选择:
sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
update-ca-certificates
best option (imho):最佳选择(恕我直言):
apt-get update
apt-get upgrade -y
Raphael's answer is somewhat correct.拉斐尔的回答有些正确。 I checked the https://curl.se/ca/cacert.pem file and found that as of today it contains the Digital Signature Trust Co. (DST Root CA X3) CA Root certificate.
我检查了https://curl.se/ca/cacert.pem文件,发现截至今天它包含 Digital Signature Trust Co. (DST Root CA X3) CA Root 证书。 So replacing your Root CA certificate bundle may not be the answer, if it contains the same expired certificate.
因此,如果它包含相同的过期证书,则替换您的根 CA 证书包可能不是答案。
It doesn't get clear what cacert you're using.目前尚不清楚您使用的是什么 cacert。 Can you share?
你能分享吗?
You didn't mention what OS is that, so I would assume Linux.你没有提到那是什么操作系统,所以我假设是 Linux。
You can isolate your OS CA Root certificate location and check, if one of your expired certificates is the cause.您可以隔离您的 OS CA 根证书位置并检查是否是您的过期证书之一。
The steps in this article are the same for any expired CA Root certificate in the CA Root bundle (eg https://curl.se/ca/cacert.pem ) cert chain.本文中的步骤对于 CA 根捆绑包(例如https://curl.se/ca/cacert.pem )证书链中任何过期的 CA 根证书都是相同的。 https://stackoverflow.com/a/69411107/1549092
https://stackoverflow.com/a/69411107/1549092
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.