【證書】curl 和 java 請求報證書錯誤

1. 說明：

以下：例子的域名因為工作環境的問題，被我拿自己的博客域名替代了，所以無法進行模擬測試，請珍重，哈哈！

2. 環境：

centos：7.5

java jdk：1.8.0_74

3. curl 請求報錯

[root@test01 tmp]# curl "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99" 
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

3.1 解決辦法一，治本之法

3.1.1 Firefox 火狐瀏覽器

打開 https://www.zhaouncle.com，然后依次點擊以下操作

“🔐安全鎖圖標”——》“向右箭頭”——》“更多信息”——》“查看證書”——》“中間那個證書”，下載為 pem 文件

3.1.2 進入 centos 系統

將下載的 pem 文件放入/etc/pki/ca-trust/source/anchors 目錄，然后執行 update-ca-trust extract 命令

3.2 解決辦法二，治標

curl -k 或者 curl --insecure，在命令行上直接避免證書校驗

curl -k "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99" 
curl --insecure "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99" 

3.3 解決辦法三，治標

3.3.1 wget 解決方法：

echo "check_certificate = off" >> ~/.wgetrc

3.3.2 curl 解決方法：

echo "insecure" >> ~/.curlrc

4. Java 和 curl 都請求證書錯誤

4.1 以下是 curl 報錯：

[centos@test01 ~]$ curl "https://www.zhaouncle.com/api/v2/app/getBopomofo?source=%e8%b5%b5%e8%b6%99"
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
[centos@test01 ~]$ ping www.zhaouncle.com
PING www.zhaouncle.com (10.0.0.100) 56(84) bytes of data.
64 bytes from test01 (10.0.0.100): icmp_seq=1 ttl=64 time=262 ms
64 bytes from test01 (10.0.0.100): icmp_seq=2 ttl=64 time=262 ms
64 bytes from test01 (10.0.0.100): icmp_seq=3 ttl=64 time=262 ms
^C
--- www.zhaouncle.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 262.636/262.636/262.637/0.418 ms

4.2 以下是 java 請求 www 證書報錯

org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://www.zhaouncle.com/api/v2/app/getBopomofo": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

4.3 說明

4.3.1 疑問：大家肯定很好奇我為啥會 ping 域名，然后還是內網 ip？

解答：因為綁定了 hosts，然后請求的是內網 ip，於是走的是本地的 nginx，nginx 配置了證書，而不是外部的 cdn，如果是走外部請求走 cdn，curl 和 java 都不會報錯，因為 cdn 已經綁定了證書，這個證書上傳了證書鏈。哎，沒錯了，證書鏈。

4.3.2 何謂證書鏈

加速 https 需要上傳 SSL 證書，打開公鑰 domain.com.crt ，發現里面有 3 個證書：

證書鏈。一般是一個用戶證書，一個中間證書，和一個根證書。

一般只需要 用戶證書+中間證書 就可以了, 根證書不用傳, 除非你這個證書鏈不是三級,而是有兩個中間證書.

一般來講，只有傳 用戶證書 才能正常工作，可以同時傳 用戶證書和中間證書 或者 用戶證書和中間證書和根證書

注意這些證書必須在同一個文件里面

格式如下：

-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQHV3ex3xRLXOHkz2GjVAKrjANBgkqhkiG9w0BAQsFADCB
......后面省略，第一個是用戶證書
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCB
......后面省略，第二個是中間證書
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
......后面省略，第三個是根證書
-----END CERTIFICATE-----

4.3.3 解決：

解決方法：在哪 nginx 那里把 www 的 crt 證書添加進中間證書，ok，就解決了所以問題，而且還不需要 步驟 3 但對對系統和命令行進行從處理，就可以解決問題。

參考：https://ep.gnt.md/index.php/curl-60-peers-certificate-issuer-is-not-recognized/