Nginx 配置 SSL 後 command line curl出現錯誤 SSL certificate problem: unable to get local issuer certificate
此狀況在瀏覽器下 https 已正常啟用,但在 command line 輸入 curl -I https://domain.com,卻出現錯誤訊息
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
這個錯誤只會在 curl https 的狀況下發生,網路上有許多 curl 加上 -k 參數即可繞過 SSL 驗證,但這方法治標不治本。
另外 Google 上的搜尋到的解決方式都是為 php.ini 的 curl.cainfo 與 openssl.cafile 配置 cacert.pem 檔案,這解法在 Nginx 環境下是無法解決的。
Nginx SSL 原配置
ssl on;
ssl_certificate /etc/ssl/server.crt;
ssl_certificate_key /etc/ssl/private.key;主要是 nginx.conf 內的 ssl_certificate 需重新組成,原本以 server.crt 即可配置 https 成功,但 curl 仍無法信任該 SSL 憑證,因此需要合併 server.crt 與ca_bundle.crt
合併 SSL 證書
cat server.crt ca_bundle.crt > server.cer重點!合併後的 server.cer 文件結構如下
-----BEGIN CERTIFICATE-----
檔案內容
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
檔案內容
-----END CERTIFICATE-----需打開 server.cer 並調整文件結構
-----BEGIN CERTIFICATE-----
檔案內容
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
檔案內容
-----END CERTIFICATE-----Nginx SSL 新配置
ssl on;
ssl_certificate /etc/ssl/server.cer;
ssl_certificate_key /etc/ssl/private.key;重新設定 SSL 檔案後記得重啟 Nginx
systemctl restart nginx