curl unable to get local certificate on Ubuntu

0

I am using Ubuntu 14.04 64-bit with the Unity desktop. It is fully updated, with the latest version of ca-certificates and the latest available version of Firefox.

The other day I was trying to download something from the Harper's website and noticed that curl is complaining about the certificate.

If I run this command:

  curl -v https://harpers.org/wp-content/themes/harpers/images/logoBlack.png

I get the following output:

  * Hostname was NOT found in DNS cache
  *   Trying 54.243.234.21...
  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  *   CAfile: none
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS alert, Server hello (2):
  * SSL certificate problem: unable to get local issuer certificate
  * Closing connection 0
  curl: (60) SSL certificate problem: unable to get local issuer certificate

Which is nonsense, since the Harper's certificate is issued by DigiCert and Firefox ships with that certificate.

So I did this manually, just to see if it works:

  cd /tmp/
  wget https://www.digicert.com/CACerts/DigiCertGlobalRootCA.crt
  openssl x509 -in DigiCertGlobalRootCA.crt -inform DER -out DigiCertGlobalRootCA.pem -outform PEM
  wget https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
  openssl x509 -in DigiCertSHA2SecureServerCA.crt -inform DER -out DigiCertSHA2SecureServerCA.pem -outform PEM
  cat DigiCertGlobalRootCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
  cat DigiCertSHA2SecureServerCA.pem >> DigiCertGlobalRootCASHA2SecureServerCA.pem
  curl -v --cacert DigiCertGlobalRootCASHA2SecureServerCA.pem \
       https://harpers.org/wp-content/themes/harpers/images/logoBlack.png \
       -o logoBlack.png 2>down.log

And I got this:

  * Connected to harpers.org (54.243.234.21) port 443 (#0)
  * successfully set certificate verify locations:
  *   CAfile: DigiCertGlobalRootCASHA2SecureServerCA.pem
    CApath: /etc/ssl/certs
  * SSLv3, TLS handshake, Client hello (1):
  } [data not shown]
  * SSLv3, TLS handshake, Server hello (2):
  { [data not shown]
  * SSLv3, TLS handshake, CERT (11):
  { [data not shown]
  * SSLv3, TLS handshake, Server key exchange (12):
  { [data not shown]
  * SSLv3, TLS handshake, Server finished (14):
  { [data not shown]
  * SSLv3, TLS handshake, Client key exchange (16):
  } [data not shown]
  * SSLv3, TLS change cipher, Client hello (1):
  } [data not shown]
  * SSLv3, TLS handshake, Finished (20):
  } [data not shown]
  * SSLv3, TLS change cipher, Client hello (1):
  { [data not shown]
  * SSLv3, TLS handshake, Finished (20):
  { [data not shown]
  * SSL connection using ECDHE-RSA-AES256-GCM-SHA384
  * Server certificate:
  *   subject: C=US; ST=New York; L=New York; O=Harper's Magazine Foundation; CN=*.harpers.org
  *   start date: 2016-01-11 00:00:00 GMT
  *   expire date: 2019-01-15 12:00:00 GMT
  *   subjectAltName: harpers.org matched
  *   issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
  *   SSL certificate verify ok.
  > GET /wp-content/themes/harpers/images/logoBlack.png HTTP/1.1
  > User-Agent: curl/7.35.0
  > Host: harpers.org
  > Accept: */*
  >
  < HTTP/1.1 200 OK
  < Date: Mon, 29 May 2017 20:20:38 GMT
  * Server Apache/2.4.18 (Ubuntu) is not blacklisted
  < Server: Apache/2.4.18 (Ubuntu)
  < Last-Modified: Fri, 14 Dec 2012 10:10:30 GMT
  < ETag: "24d7-4d0cd3dc47180"
  < Accept-Ranges: bytes
  < Content-Length: 9431
  < Content-Type: image/png
  < 
  { [data not shown]

  100  9431  100  9431    0     0  12707      0 --:--:-- --:--:-- --:--:-- 12710
  * Connection #0 to host harpers.org left intact

Any suggestions?

    
by Darko Miletic 29.05.2017 / 22:24

1 answer

0

This resolves the problem

  wget -P /tmp/ -nv https://www.digicert.com/CACerts/DigiCertSHA2SecureServerCA.crt
  openssl x509 -in /tmp/DigiCertSHA2SecureServerCA.crt -inform DER \
               -out /tmp/DigiCertSHA2SecureServerCA.pem -outform PEM
  sudo cp -uv /tmp/DigiCertSHA2SecureServerCA.pem /etc/ssl/certs
  sudo c_rehash
    
by Darko Miletic 29.05.2017 / 22:40
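
Why the fix in the answer works, as an added example that is not part of the original posts: a leaf certificate signed by an intermediate fails with the same OpenSSL message curl printed when the CApath directory holds only the root, and verifies once the intermediate is copied in and hash-linked. It assumes the `openssl` CLI is installed; every key and certificate is generated locally, and the `demo-*` names and helper functions are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example. Keys and certificates are throwaway and generated locally;
# the demo-root / demo-int / demo-leaf names are constructed.

# Build a root -> intermediate -> leaf chain in directory $1.
make_chain() {
  local d="$1" n
  mkdir -p "$d/certs"
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  echo 'basicConstraints=CA:FALSE' > "$d/leaf.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Add certificate $2 to the CApath directory $1/certs. OpenSSL finds issuers
# there by file name <subject-hash>.0, which is the link c_rehash creates.
trust() {
  local d="$1" n="$2"
  cp "$d/$n.pem" "$d/certs/"
  ln -sf "$n.pem" "$d/certs/$(openssl x509 -in "$d/$n.pem" -noout -subject_hash).0"
}

# Verify the leaf against $1/certs; print "ok" or the failure reason.
verify_leaf() {
  local out
  out=$(openssl verify -CApath "$1/certs" "$1/leaf.pem" 2>&1) || true
  case "$out" in
    *"unable to get local issuer certificate"*)
      echo "unable to get local issuer certificate" ;;
    *": OK"*) echo "ok" ;;
    *) echo "other: $out" ;;
  esac
}

d=$(mktemp -d)
make_chain "$d"
trust "$d" root   # trust store knows the root only
echo "root only:          $(verify_leaf "$d")"
trust "$d" int    # the answer's fix: intermediate copied in and hashed
echo "with intermediate:  $(verify_leaf "$d")"
rm -rf "$d"
```

On Ubuntu the packaged route to the same result is to place the PEM file, renamed to `.crt`, in `/usr/local/share/ca-certificates/` and run `sudo update-ca-certificates`, which creates the hash links and rebuilds `/etc/ssl/certs/ca-certificates.crt`.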