Installing a new CA certificate for Perl 5.14.2 LWP on Ubuntu 12.04

Question

I am getting the following error trying to connect to a specific https website using LWP:

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/local/share/perl/5.14.2/LWP/Protocol/http.pm line 51.

I tried with wget and got:

ERROR: cannot verify [domain]'s certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=********':
  Unable to locally verify the issuer's authority.

I googled around and discovered that I probably had to install the godaddy root ca cert. I figured out how to do that (download certificates, put in /usr/share/ca-certificates and run update-ca-certificates). I also learnt how to use openssl s_client in the process.

Now that the certificate is installed, wget works, but LWP still fails with the same error and so does openssl s_client:

# openssl s_client -connect [domain]:443
CONNECTED(00000003)
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = [domain], OU = Domain Control Validated, CN = [domain]
verify error:num=21:unable to verify the first certificate
verify return:1

I have no idea where to go next to get this working. Any suggestions?

SOLVED: Here is a simple script that describes what worked after mikew's suggestion:

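#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

my $URL = "[domain]";   # target https URL
# Verify against the system CA directory that update-ca-certificates maintains
my $ua = LWP::UserAgent->new(ssl_opts => { SSL_ca_path => '/etc/ssl/certs' });
my $response = $ua->get($URL);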

Recommended answer

For a more specific answer, we'd need to know how you are instantiating your LWP object.

But what you probably need to know about is the SSL_ca_file and SSL_ca_path options for ssl_opts in the LWP constructor. Without one of these set, it assumes the Mozilla_CA is the CA to use to verify websites.

See LWP::Protocol::https and LWP::UserAgent, ssl_opts constructor option.

If you are using something like lwp-download and not actually instantiating the LWP::UserAgent object yourself, then you need to set the PERL_LWP_SSL_CA_FILE environment variable to point to your certificate authority or set PERL_LWP_SSL_CA_PATH to your CA path. You can just set these instead of passing in to ssl_opts as well.

If you aren't particularly worried about doing all this verification and like to live dangerously, you can set verify_hostname => 0 for ssl_opts or set PERL_LWP_VERIFY_HOSTNAME environment variable to 0.

And as noted in the documentation, LWP 5.837 and earlier had verify_hostname off by default, whereas later versions default to it being on.
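
Added example (not part of the original question or answer): a small diagnostic that prints which CA source an LWP::UserAgent object will verify against, then makes one request with hostname verification left on. The command-line arguments, the 15-second timeout and the exit codes are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: show the effective CA settings of an LWP::UserAgent and
# separate TLS/connection failures from ordinary HTTP errors.
use strict;
use warnings;
use LWP::UserAgent;

# Assumption: the URL is given on the command line, e.g. https://example.org/
my $url = shift @ARGV or die "usage: $0 https://host/ [ca_path]\n";
# Assumption: the optional second argument is a hashed CA directory such as
# /etc/ssl/certs (the directory update-ca-certificates maintains).
my $ca_path = shift @ARGV;

my %ssl = (verify_hostname => 1);    # keep verification on
if (defined $ca_path) {
    -d $ca_path or die "CA path $ca_path is not a directory\n";
    $ssl{SSL_ca_path} = $ca_path;
}
my $ua = LWP::UserAgent->new(ssl_opts => \%ssl, timeout => 15);

# The constructor also honours PERL_LWP_SSL_CA_FILE / PERL_LWP_SSL_CA_PATH,
# so read the effective values back from the object rather than from %ssl.
my $file = $ua->ssl_opts('SSL_ca_file');
my $path = $ua->ssl_opts('SSL_ca_path');
if (defined $file or defined $path) {
    print "CA file: ", $file // '(unset)', "\n";
    print "CA path: ", $path // '(unset)', "\n";
} else {
    # Neither is set: per the answer above, LWP then relies on Mozilla::CA.
    my $bundle = eval { require Mozilla::CA; Mozilla::CA::SSL_ca_file() };
    print "CA source: Mozilla::CA bundle ",
          $bundle // '(module not installed)', "\n";
}

my $res = $ua->get($url);
if ($res->is_success) {
    print "OK: ", $res->status_line, "\n";
} elsif (($res->header('Client-Warning') // '') eq 'Internal response') {
    # LWP synthesises this response when the request fails before any HTTP
    # exchange, which is where certificate verification errors surface.
    print "Connection/TLS failure: ", $res->status_line, "\n";
    exit 2;
} else {
    print "HTTP error from server: ", $res->status_line, "\n";
    exit 1;
}
```

Running it once without a CA path and once with /etc/ssl/certs shows whether the failure comes from the trust store LWP is using rather than from the server's certificate chain.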

06-08 12:38