![](/img/trans.png)
[英]Unable to build xgboost with OS X El Capitan Version 10.11.6
[英]OpenSSL: Verifying a certificate against a CRL returning “unable to get issuer certificate” on OS X 10.11.6 El Capitan
我正在使用以下脚本在OS X 10.11.6 El Capitan上针对crl验证证书。
host=wikipedia.org
port=443
openssl s_client -connect $host:$port 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > $host.pem
crlurl=$(openssl x509 -noout -text -in $host.pem | grep -A 4 'X509v3 CRL Distribution Points' | grep URI | grep -Eo '(http|https)://[^"]+')
curl $crlurl -o $host.crl.der
openssl crl -inform DER -in $host.crl.der -outform PEM -out $host.crl.pem
OLDIFS=$IFS; IFS=':' certificates=$(openssl s_client -connect "$host":"$port" -showcerts -tlsextdebug -tls1 2>&1 </dev/null | awk '/BEGIN CERT/ {p=1} ; p==1; /END CERT/ {p=0}' | sed 's/-----BEGIN/:-----BEGIN/g'); for certificate in ${certificates#:}; do echo $certificate | tee -a $host.chain.pem ; done; IFS=$OLDIFS
cat $host.chain.pem $host.crl.pem > $host.crl_chain.pem
openssl verify -crl_check -CAfile $host.crl_chain.pem $host.pem
它在ubuntu上工作正常,但是在OS X 10.11.6 El Capitan上运行时抛出以下错误。
wikipedia.org.pem: C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
error 2 at 1 depth lookup:unable to get issuer certificate
将wikipedia.org与s_client连接返回:
Verify return code: 20 (unable to get local issuer certificate)
wikipedia.org的CA颁发者位于信任库中,即您的ubuntu中的cacerts.pem ,其大部分位于
lib/security/cacerts
OS X 10.11.6 El Capitan中缺少&。 信任库
$(/usr/libexec/java_home)/jre/lib/security/cacerts
使用以下命令查看SSL证书链,并尝试将Wikipedia.org的根CA附加到您的mac truststore
openssl s_client -showcerts -servername wikipedia.org -connect wikipedia.org:443
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.