SSL证书在线检测工具
https://csr.chinassl.net/ssl-checker.html
image.png
# curl -vvv https://www.example.com
* About to connect() to www.example.com port 443 (#0)
* Trying 93.184.215.14...
* Connected to www.example.com (93.184.215.14) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=www.example.org,O=Internet Corporation for Assigned Names and Numbers,L=Los Angeles,ST=California,C=US
* start date: Jan 30 00:00:00 2024 GMT
* expire date: Mar 01 23:59:59 2025 GMT
* common name: www.example.org
* issuer: CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1,O=DigiCert Inc,C=US
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.example.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Age: 437800
< Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
< Date: Sun, 04 Aug 2024 03:46:20 GMT
< Etag: "3147526947+ident"
< Expires: Sun, 11 Aug 2024 03:46:20 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECAcc (sac/2533)
< Vary: Accept-Encoding
< X-Cache: HIT
< Content-Length: 1256
curl -vvv https://www.example.com
Peer’s Certificate issuer is not recognized
方法1: 下载http://curl.haxx.se/ca/cacert.pem 替换/etc/pki/tls/certs/ca-bundle.crt
方法2: 使用update-ca-trust 更新CA证书库。(CentOS6,属于ca-certificates包)
方法3:解决办法是将签发该证书的私有CA公钥cacert.pem文件内容,追加到/etc/pki/tls/certs/ca-bundle.crt
参考
【公告】关于DigiCert根证书升级说明
https://help.aliyun.com/zh/ssl-certificate/product-overview/update-of-digicert-root-certificates
SSL报错 sun.security.validator.ValidatorException: PKIX path building failed
https://help.aliyun.com/zh/ssl-certificate/support/sun-security-validator-validatorexception-pkix-path-building-failed
关于升级CFCA全球信任SSL证书情况说明
https://help.aliyun.com/zh/ssl-certificate/product-overview/upgrade-of-global-trust-ssl-certificates-of-cfca
网友评论