SSL certificate problem: certificate has expired in macOS

When I pull code with this command:

➜  rt-analysis-multibranch_zhuolian git:(zhuolian) git pull
fatal: unable to access 'https://gitlab.example.com/development/soa-report-analysis.git/': SSL certificate problem: certificate has expired

I am sure the certificate has not expired, because on other macOS PCs I can pull code from the same URL. The server-side certificate is issued by Let's Encrypt. The macOS Catalina openssl version is:

➜  ~ openssl version
LibreSSL 2.6.5

I tried using curl, and the error is as follows:

➜  rt-analysis-multibranch_zhuolian git:(zhuolian) curl https://gitlab.example.com/development/soa-report-analysis.git
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.

Why does this happen, and what can I do to fix it? I can use the same URL to access the repository from the Google Chrome browser.

I finally found out that the last time I renewed the Let's Encrypt certificate it used the ISRG Root X1 root certificate by default. ISRG Root X1 is only compatible with macOS 10.12.1. But why does the curl command seem to verify against the old certificate? Why is this?

This answer from Ask Different, shamelessly reproduced below:

OpenSSL on macOS does not use the system keychain (which makes sense as it's a cross platform library) but rather has its own .pem file containing its root certificates. Even though my systems have a newer version of OpenSSL installed using homebrew and/or MacPorts, the system-wide OpenSSL pem file located at /etc/ssl/cert.pem was out of date and did not include the ISRG Root X1 certificate.

The solution:

  1. Rename /etc/ssl/cert.pem to something else. (I suggest /etc/ssl/cert.pem.org)
  2. Download the latest cacert.pem from https://curl.se/docs/caextract.html
  3. Rename it to cert.pem
  4. Copy it to /etc/ssl/cert.pem

Now curl and any other app using OpenSSL can access websites signed using current Let's Encrypt certificates.

Alternatively, the MacPorts package curl-ca-bundle installs a .pem file containing ISRG Root X1 to /opt/local/etc/openssl/cert.pem which can be used as well.

Other possible solutions:

  • Manually add the ISRG Root X1 certificate to /etc/ssl/cert.pem
  • Configure OpenSSL to use a different .pem file for its root certificates, such as /opt/local/etc/openssl/cert.pem

(Another possible solution is to use curl's -k/--insecure flag.)
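Before swapping bundles, it helps to be able to check what a given cert.pem actually contains: how many roots it has, which of them are already expired, and whether ISRG Root X1 is among them. The script below is an added example, written for this page and not part of the question or the Ask Different answer. It uses only the Python standard library, walking just enough of each certificate's DER to reach the subject and validity fields; the function names (`audit_bundle`, `parse_certificate`, and so on) are mine, the default path of /etc/ssl/cert.pem is the one named in the answer above, and the two sample "certificates" it builds are constructed, unsigned shells used only so the parser can be exercised offline, not real roots.

```python
"""Audit an OpenSSL-style PEM CA bundle using only the Python standard library:
list each root's subject CN and expiry, flag expired roots, and report whether a
wanted root (ISRG Root X1 by default) is present."""
import base64
import re
import ssl
import sys
from datetime import datetime, timezone

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a SEQUENCE or SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def common_name(name):
    """Return the CN from an X.501 Name (SEQUENCE OF SET OF {OID, value})."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8", "replace")
    return None

def x509_time(tag, val):
    """Parse UTCTime (YYMMDDHHMMSSZ, RFC 5280 century rule) or GeneralizedTime."""
    s = val.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_certificate(der):
    """Pull subject CN, issuer CN and notAfter out of a DER certificate."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs = children(cert)[0]  # tbsCertificate comes first
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version
        fields = fields[1:]
    _serial, _sig_alg, issuer, validity, subject = fields[:5]
    _not_before, not_after = children(validity[1])
    return {"subject": common_name(subject[1]), "issuer": common_name(issuer[1]),
            "not_after": x509_time(*not_after)}

def audit_bundle(pem_text, wanted_cn="ISRG Root X1", now=None):
    """Summarise a bundle: certificate count, expired subjects, presence of wanted_cn."""
    now = now or datetime.now(timezone.utc)
    certs = [parse_certificate(base64.b64decode(m.group(1))) for m in PEM_BLOCK.finditer(pem_text)]
    return {"count": len(certs),
            "expired": [c["subject"] for c in certs if c["not_after"] < now],
            "has_wanted": any(c["subject"] == wanted_cn for c in certs)}

# --- constructed test data: unsigned certificate shells, NOT real certificates ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def make_fake_cert_pem(subject_cn, not_after):
    """Minimal self-issued, unsigned X.509 shell so the parser can be exercised offline."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x0C, subject_cn.encode()))))
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after.encode()))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
               + name + validity + name + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"

OLD_BUNDLE = make_fake_cert_pem("Constructed Expired Root", "211231235959Z")  # models a stale cert.pem
NEW_BUNDLE = OLD_BUNDLE + make_fake_cert_pem("ISRG Root X1", "400101000000Z")  # models a refreshed one
FIXED_NOW = datetime(2022, 1, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

if __name__ == "__main__":
    # Audit a real bundle: pass its path (e.g. /etc/ssl/cert.pem), otherwise fall back
    # to the file compiled into the OpenSSL this Python interpreter links against.
    path = sys.argv[1] if len(sys.argv) > 1 else ssl.get_default_verify_paths().openssl_cafile
    with open(path, encoding="utf-8", errors="replace") as f:
        print(path, audit_bundle(f.read()))
```

Run it as `python3 audit_bundle.py /etc/ssl/cert.pem` before and after replacing the file: the stale bundle reports `has_wanted: False`, the refreshed one reports `has_wanted: True`, and any root listed under `expired` is one the system will refuse chains to regardless of what the server sends. Note that the fallback path comes from the OpenSSL that Python itself was built against, which on macOS is often not the system /etc/ssl/cert.pem that the stock curl and git use, so pass the path explicitly when diagnosing the error from the question.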