[root@ip-172-31-32-208 Nginx]# curl https://m.ipcpu.com
curl: (60) Peer's Certificate issuer is not recognized.
more details here: http://curl.haxx.se/docs/sslcerts.html
The code is as follows:
[root@ip-172-31-32-208 ~]# curl https://kyfw.12306.cn/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
The code is as follows:
[root@GO-EMAIL-1 aa]# curl https://github.com/
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
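This problem is usually caused by an outdated local CA certificate store, which cannot recognize newly issued certificates.
The code is as follows: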
Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
Validity
Not Before: Feb 23 23:01:00 1996 GMT
Not After : Feb 23 23:59:00 2006 GMT
The fix is to update the local CA certificate store.
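To find which roots in a local bundle have lapsed like the GTE CyberTrust Root excerpt above, the following added example (not part of the original page) parses text in the format printed by `openssl x509 -text` and lists the expired certificates. The function names and the bundle path in the final comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): flag CA certificates that have
# expired, given text in the format printed by `openssl x509 -text`.

# Convert "Feb 23 23:59:00 2006 GMT" into a sortable key: 20060223235900.
not_after_key() {
    set -- $1                      # split into: Mon DD HH:MM:SS YYYY TZ
    [ $# -ge 4 ] || return 1
    case $1 in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    printf '%s%s%02d%s\n' "$4" "$m" "${2#0}" "$(printf '%s' "$3" | tr -d :)"
}

# Read certificate text on stdin and print "Not After<TAB>Issuer" for every
# certificate that expired before $1 (UTC, YYYYmmddHHMMSS; default: now).
list_expired() (
    now=${1:-$(date -u +%Y%m%d%H%M%S)}
    issuer=
    while IFS= read -r line; do
        case $line in
            *Issuer:*) issuer=${line#*Issuer: } ;;
            *"Not After"*)
                when=${line#*: }
                key=$(not_after_key "$when") || continue
                [ "$key" -lt "$now" ] && printf '%s\t%s\n' "$when" "$issuer"
                ;;
        esac
    done
    :                              # always succeed; the output is the result
)

# Demo on the excerpt shown above (an expired root from an old bundle).
list_expired <<'EOF'
Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
Validity
Not Before: Feb 23 23:01:00 1996 GMT
Not After : Feb 23 23:59:00 2006 GMT
EOF

# Against a real bundle (path is the usual RHEL/CentOS location, an assumption):
#   openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt |
#     openssl pkcs7 -print_certs -text -noout | list_expired
```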
The code is as follows:
[root@WEB_YF_2.7 ~]#curl https://www.alipay.com
curl: (35) error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
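This problem is usually caused by the local openssl being unable to recognize the signature algorithm of the SSL certificate. www.alipay.com uses the SHA-256 with RSA algorithm, which openssl only added in OpenSSL 0.9.8o.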
Summary: The OpenSSL toolkit
Name: openssl
Version: 0.9.8e
...
Patch89: openssl-fips-0.9.8e-ssl-sha256.patch