# yum -y install ca-certificates
# yum info ca-certificates
# rpm -ql ca-certificates
# rpm -ql ca-certificates | grep "crt"
tls-ca-bundle.pem 内各个证书的头尾格式:
BEGIN CERTIFICATE & END CERTIFICATE
ca-bundle.trust.crt 内各个证书的头尾格式:
BEGIN TRUSTED CERTIFICATE & END TRUSTED CERTIFICATE
/etc/pki/tls/certs/ca-bundle.crt 文件存储了各大证书颁发证的根证书交叉文件。
curl 访问https网站时,会比对这个文件里的根证书。如果这个文件过老,那就是有新的根证书未加入到这个文件里,导致curl无法正常访问https网站。
所以,你要么更新这个包(文件),要么可以选择手动添加证书进去,当然,你可以使用 curl -k 跳过证书验证。
更新最新证书:
https://curl.se/ca/cacert.pem
对CentOS7.x而言,手动添加证书信任:
获取服务端证书 X.crt
# cp X.crt /etc/pki/ca-trust/source/anchors/
# update-ca-trust
# cat /etc/pki/ca-trust/README
# man update-ca-trust > update-ca-trust.txt
参考
SSL Certificate Verification
https://curl.se/docs/sslcerts.html
Managing TLS and trusted CA certificates
https://docs.pexip.com/admin/certificate_management.htm
SSL and SSL Certificates Explained For Beginners
http://www.steves-internet-guide.com/ssl-certificates-explained/
Adding trusted root certificates to the server
https://manuals.gfi.com/en/kerio/connect/content/server-configuration/ssl-certificates/adding-trusted-root-certificates-to-the-server-1605.html
How to add Certificate Authority file in CentOS 7
https://stackoverflow.com/questions/37043442/how-to-add-certificate-authority-file-in-centos-7