node.js 如何修复 curl:(60) SSL 证书:无效的证书链
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/18964175/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to fix curl: (60) SSL certificate: Invalid certificate chain
提问by leafiy
I get the following error running curl https://npmjs.org/install.sh | shon Mac OSX 10.9 (Mavericks):
我curl https://npmjs.org/install.sh | sh在 Mac OSX 10.9 (Mavericks) 上运行时出现以下错误:
install npm@latest
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
How do I fix this?
我该如何解决?
回答by Lewis Buckley
Using the Safari browser (not Chrome, Firefox or Opera) on Mac OS X 10.9 (Mavericks) visit https://registry.npmjs.org
在 Mac OS X 10.9 (Mavericks) 上使用 Safari 浏览器(不是 Chrome、Firefox 或 Opera)访问https://registry.npmjs.org
Click the Show certificate button and then check the checkbox labelled Always trust. Then click Continue and enter your password if required.
单击显示证书按钮,然后选中标记为始终信任的复选框。然后单击继续并根据需要输入您的密码。
Curl should now work with that URL correctly.
Curl 现在应该可以正确处理该 URL。
回答by Steen
First off, you should be wary of urls that throw SSL errors. That being said, you can suppress certificate errors in curlwith
首先,您应该警惕会引发 SSL 错误的 url。话虽这么说,你可以抑制证书错误curl与
curl -k https://insecure.url/content-i-really-really-trust
回答by grempe
The problem is an expired intermediate certificate that is no longer used and must be deleted. Here is a blog post from Digicert explaining the issue and how to resolve it.
问题是过期的中间证书不再使用,必须删除。这是 Digicert 的一篇博客文章,解释了这个问题以及如何解决它。
https://blog.digicert.com/expired-intermediate-certificate/
https://blog.digicert.com/expired-intermediate-certificate/
I was seeing the issue with Github not loading via SSL in both Safari and the command line with git pull. Once I deleted the old expired cert everything was fine.
我在 Safari 和带有 git pull 的命令行中都看到了 Github 未通过 SSL 加载的问题。一旦我删除了旧的过期证书,一切都很好。
回答by scarver2
After updating to OS X 10.9.2, I started having invalid SSL certificate issues with Homebrew, Textmate, RVM, and Github.
更新到 OS X 10.9.2 后,我开始遇到 Homebrew、Textmate、RVM 和 Github 的无效 SSL 证书问题。
When I initiate a brew update, I was getting the following error:
当我启动 a 时brew update,出现以下错误:
fatal: unable to access 'https://github.com/Homebrew/homebrew/': SSL certificate problem: Invalid certificate chain
Error: Failure while executing: git pull -q origin refs/heads/master:refs/remotes/origin/master
I was able to alleviate some of the issue by just disabling the SSL verification in Git. From the console (a.k.a. shell or terminal):
我可以通过在 Git 中禁用 SSL 验证来缓解一些问题。从控制台(又名 shell 或终端):
git config --global http.sslVerify false
I am leary to recommend this because it defeats the purpose of SSL, but it is the only advice I've found that works in a pinch.
我不敢推荐这个,因为它违背了 SSL 的目的,但这是我发现的唯一在紧要关头有效的建议。
I tried rvm osx-ssl-certs update allwhich stated Already are up to date.
我试过rvm osx-ssl-certs update all哪个陈述Already are up to date.
In Safari, I visited https://github.comand attempted to set the certificate manually, but Safari did not present the options to trust the certificate.
在 Safari 中,我访问了https://github.com并尝试手动设置证书,但 Safari 没有提供信任证书的选项。
Ultimately, I had to Reset Safari (Safari->Reset Safari... menu). Then afterward visit github.com and select the certificate, and "Always trust" This feelswrong and deletes the history and stored passwords, but it resolved my SSL verification issues. A bittersweet victory.
最终,我不得不重置 Safari(Safari->重置 Safari... 菜单)。然后访问 github.com 并选择证书,“始终信任”这感觉不对,删除了历史记录和存储的密码,但它解决了我的 SSL 验证问题。苦乐参半的胜利。
回答by ChrisJ
NOTE:This answer obviously defeats the purpose of SSL and should be used sparingly as a last resort.
注意:这个答案显然违背了 SSL 的目的,应该谨慎使用作为最后的手段。
For those having issues with scripts that download scripts that download scripts and want a quick fix, create a file called ~/.curlrc
对于那些下载脚本的脚本有问题并希望快速修复的人,请创建一个名为 ~/.curlrc
With the contents
随着内容
--insecure
This will cause curl to ignore SSL certificate problems by default.
这将导致 curl 默认忽略 SSL 证书问题。
Make sure you delete the file when done.
确保在完成后删除文件。
UPDATE
更新
12 days later I got notified of an upvote on this answer, which made me go "Hmmm, did I follow my own advice remember to delete that .curlrc?", and discovered I hadn't. So that really underscores how easy it is to leave your curl insecure by following this method.
12 天后,我收到了对这个答案投赞成票的通知,这让我感到“嗯,我是否按照自己的建议记得删除了那个.curlrc?”,然后发现我没有。所以这真的强调了按照这种方法让你的卷发不安全是多么容易。
回答by Matt Connolly
Another cause of this can be duplicate keys in your KeyChain. I've seen this problem on two macs where there were duplicate "DigiCert High Assurance EV Root CA". One was in the login keychain, the other in the system one. Removing the certificate from the login keychain solved the problem.
另一个原因可能是 KeyChain 中的重复键。我在两台有重复的“DigiCert High Assurance EV Root CA”的 Mac 上看到过这个问题。一个在登录钥匙串中,另一个在系统中。从登录钥匙串中删除证书解决了这个问题。
This affected Safari browser as well as git on the command line.
这影响了 Safari 浏览器以及命令行上的 git。
回答by Diego Zamboni
I started seeing this error after installing the latest command-line tools update (6.1) on Yosemite (10.10.1). In this particular case, a reboot of the system fixed the error (I had not rebooted since the update).
在 Yosemite (10.10.1) 上安装最新的命令行工具更新 (6.1) 后,我开始看到此错误。在这种特殊情况下,系统重新启动修复了错误(自更新以来我没有重新启动)。
Mentioning this in case anyone with the same problem comes across this page, like I did.
提到这一点,以防任何有同样问题的人遇到这个页面,就像我一样。
回答by Pinnacle Systems Group
After attempting all of the above solutions to eliminate the "curl: (60) SSL certificate problem: unable to get local issuer certificate" error, the solution that finally worked for me on OSX 10.9 was:
在尝试了上述所有解决方案以消除“curl:(60) SSL 证书问题:无法获得本地颁发者证书”错误后,最终在 OSX 10.9 上对我来说有效的解决方案是:
Locate the curl certificate PEM file location 'curl-config --ca' -- > /usr/local/etc/openssl/cert.pem
Use the folder location to identify the PEM file 'cd /usr/local/etc/openssl'
Create a backup of the cert.pem file 'cp cert.pem cert_pem.bkup'
Download the updated Certificate file from the curl website 'sudo wget http://curl.haxx.se/ca/cacert.pem'
Copy the downloaded PEM file to replace the old PEM file 'cp cacert.pem cert.pem'
This is a modified version of a solution posted to correct the same issue in Ubuntu found here:
找到 curl 证书 PEM 文件位置 'curl-config --ca' --> /usr/local/etc/openssl/cert.pem
使用文件夹位置来识别 PEM 文件 'cd /usr/local/etc/openssl'
创建 cert.pem 文件“cp cert.pem cert_pem.bkup”的备份
从 curl 网站“sudo wget http://curl.haxx.se/ca/cacert.pem”下载更新的证书文件
复制下载的 PEM 文件以替换旧的 PEM 文件 'cp cacert.pem cert.pem'
这是已发布的解决方案的修改版本,以更正此处在 Ubuntu 中发现的相同问题:
https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle
https://serverfault.com/questions/151157/ubuntu-10-04-curl-how-do-i-fix-update-the-ca-bundle
回答by John
In some system like your on your office system, there is sometimes a firewall/security client that is installed for security purpose. Try uninstalling that and then run the command again, it should start the download.
在某些系统(例如您的办公系统)中,有时会出于安全目的安装防火墙/安全客户端。尝试卸载它,然后再次运行该命令,它应该会开始下载。
My system had netskope client installed and was blocking the ssl communication.
我的系统安装了 netskope 客户端并且阻止了 ssl 通信。
search in finder -> uninstall netskope and hit the install homebrew command in terminal, it should work
在finder中搜索->卸载netskope并在终端中点击install homebrew命令,它应该可以工作
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
PS: consider installing the security client.
PS:考虑安装安全客户端。
