Sending Pushkit Notifications via cURL - curl: (60) SSL certificate problem: unable to get local issuer certificate

I use cURL to send pushkit notifications to Apple. My Rails code looks like this:

curl --http2 -v -d '#{payload.to_json}' --cert #{pem} #{pushkit_base_uri}/#{registration_id}

Since 19 January 2020, running this command on Ubuntu has returned the following:

...
...
...

* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

So far I have tried the following solutions:

  1. update-ca-certificates (documented here)
  2. The solutions listed here

I have not been able to get it working. Any help is appreciated; if I find a solution I will update this post.

Scroll to the end for the TLDR.

By running awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt | less we can see the list of all the authorities our OS trusts.

...
...
...
subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA 2
subject=C = EU, L = Madrid (see current address at www.camerfirma.com/address), serialNumber = A82743287, O = AC Camerfirma S.A., CN = Chambers of Commerce Root - 2008
subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
subject=O = "Cybertrust, Inc", CN = Cybertrust Global Root
subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 3 CA 2 2009
subject=C = DE, O = D-Trust GmbH, CN = D-TRUST Root Class 3 CA 2 EV 2009
subject=O = Digital Signature Trust Co., CN = DST Root CA X3
...
...
...

And by opening api.push.apple.com in Firefox we can inspect their certificate.

Depending on when your browser last updated its CA store, the site may or may not show as secure. We see that the Apple IST CA 2 - G1 certificate is issued by GeoTrust Global CA. Searching the list of trusted CAs on our OS for either of these terms returns no results.

To work around this, we can download the api-push-apple-com-chain.pem that Firefox provides and use it in our cURL request:

curl --cacert '#{ca_cert}' --http2 -v -d ...

While this fixes our problem and our request succeeds, we can keep going and find out why this problem started to appear. Looking at /etc/ca-certificates.conf, we find that several GeoTrust CAs have been marked as untrusted (note the bang at the start of the line):

...
...
 !mozilla/GeoTrust_Global_CA.crt
 !mozilla/GeoTrust_Primary_Certification_Authority.crt
 mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
 !mozilla/GeoTrust_Primary_Certification_Authority_-_G3.crt
 !mozilla/GeoTrust_Universal_CA.crt
 !mozilla/GeoTrust_Universal_CA_2.crt
...
...

After some googling, we found this ticket and this wiki:

In accordance with the consensus proposal that was adopted in 2017, Mozilla began to distrust Symantec (including GeoTrust, RapidSSL, and Thawte) certificates issued before 1-June 2016 starting in Firefox 60, and plans to distrust Symantec certificates regardless of the date of issuance starting in Firefox 64, unless they are issued by whitelisted subordinate CAs that have the following SHA-256 Subject Public Key hashes (subjectPublicKeyInfo):

It also includes the list of whitelisted Apple certificates:

c0554bde87a075ec13a61f275983ae023957294b454caf0a9724e3b21b7935bc
56e98deac006a729afa2ed79f9e419df69f451242596d2aaf284c74a855e352e
7289c06dedd16b71a7dcca66578572e2e109b11d70ad04c2601b6743bc66d07b
fae46000d8f7042558541e98acf351279589f83b6d3001c18442e4403d111849
b5cf82d47ef9823f9aa78f123186c52e8879ea84b0f822c91d83e04279b78fd5
e24f8e8c2185da2f5e88d4579e817c47bf6eafbc8505f0f960fd5a0df4473ad3
3174d9092f9531c06026ba489891016b436d5ec02623f9aafe2009ecc3e4d557

This lets us open the URL safely in Firefox (for some reason not in Firefox Developer Edition).

TLDR: use the attached file as --cacert in the cURL command.
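The failure in the question and the two diagnostics in this answer (listing trusted subjects with the awk one-liner, and spotting "!"-prefixed entries in ca-certificates.conf), reproduced offline as an added example; this is not code from the original post. It builds a throwaway root -> intermediate -> leaf chain with constructed names (Example Root CA, api.push.example.test, and so on), verifies the leaf against a trust file that lacks the root to get "unable to get local issuer certificate", then verifies it against the exported chain, where openssl verify -CAfile stands in for curl's --cacert. The ca-certificates.conf snippet is constructed from the lines quoted above. It assumes openssl, awk and mktemp are on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the curl (60) failure with a
# constructed CA hierarchy and show that supplying the chain file fixes it.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Generate a constructed root -> intermediate -> leaf chain, plus an unrelated
# root that plays the part of "whatever the OS store does trust". All names are made up.
build_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Root CA" -days 2 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -subj "/CN=Unrelated Root CA" -days 2 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out inter.crt -days 2 -extfile ca.ext 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.push.example.test\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=api.push.example.test" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -out leaf.crt -days 2 -extfile leaf.ext 2>/dev/null
  # The equivalent of the chain file Firefox exported in the post.
  cat inter.crt root.crt > chain.pem
}

# Verify the leaf the way curl would: the server presents leaf + intermediate
# (-untrusted), and the client trusts only what is in $1 (the OS store or --cacert).
# Prints the openssl verdict; exit status is openssl's.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted inter.crt leaf.crt 2>&1
}

# Print the subject of every certificate in a PEM bundle (the awk one-liner from the post).
list_subjects() {
  awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < "$1"
}

# Print the CAs a ca-certificates.conf file deselects: a leading "!" means the CA
# is NOT copied into /etc/ssl/certs/ca-certificates.crt by update-ca-certificates.
list_distrusted() {
  sed -n 's/^!//p' "$1"
}

build_chain

# Constructed ca-certificates.conf snippet modelled on the lines quoted in the post.
cat > ca-certificates.conf <<'EOF'
# Lines starting with "!" are deselected CAs.
!mozilla/GeoTrust_Global_CA.crt
!mozilla/GeoTrust_Primary_Certification_Authority.crt
mozilla/GeoTrust_Primary_Certification_Authority_-_G2.crt
!mozilla/GeoTrust_Universal_CA.crt
EOF

echo "--- trust store without our root (what the Ubuntu box in the question had):"
verify_leaf other.crt || true
echo "--- with the exported chain, the --cacert fix:"
verify_leaf chain.pem
echo "--- CAs this ca-certificates.conf deselects:"
list_distrusted ca-certificates.conf
echo "--- subjects inside chain.pem:"
list_subjects chain.pem
```

The first verify_leaf call prints the same "unable to get local issuer certificate" text that curl wraps as error 60: the server-supplied intermediate is found, but nothing in the trust file signs it. The second succeeds because chain.pem carries the root, which is exactly what passing the file via --cacert gives curl. Running list_distrusted against the real /etc/ca-certificates.conf shows which roots update-ca-certificates has been told to leave out, and list_subjects against /etc/ssl/certs/ca-certificates.crt confirms which issuers the system actually trusts.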