Orz小窍门

问题：

CentOS 6访问部分HTTPS网站时，Curl报“NSS error -8179”、wget无法下载。例子如下：

[root@test1 src]# wget https://www.php.net/distributions/php-8.0.2.tar.gz
--2021-02-25 00:01:40--  https://www.php.net/distributions/php-8.0.2.tar.gz
Resolving www.php.net... 185.85.0.29
Connecting to www.php.net|185.85.0.29|:443... connected.
ERROR: cannot verify www.php.net's certificate, issued by `/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte TLS RSA CA G1':
  Unable to locally verify the issuer's authority.
To connect to www.php.net insecurely, use `--no-check-certificate'.



[root@test1 src]# curl -v https://www.php.net
* About to connect() to www.php.net port 443 (#0)
*   Trying 185.85.0.29... connected
* Connected to www.php.net (185.85.0.29) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=Thawte TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

原因：

CentOS 6内没有最新的DigiCert根CA证书，导致访问部分HTTPS网站出错。

解决方法：

（1）从DigiCert网站下载其根CA证书。

地址：https://www.digicert.com/kb/digicert-root-certificates.htm

截至2020-03-04，需下载的根CA证书列表有：

（A）Baltimore CyberTrust Root
Valid until: 12/May/2025
Serial #: 02:00:00:B9
SHA1 Fingerprint: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
SHA256 Fingerprint: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB

（B）DigiCert Global Root CA
Valid until: 10/Nov/2031
Serial #: 08:3B:E0:56:90:42:46:B1:A1:75:6A:C9:59:91:C7:4A
SHA1 Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256 Fingerprint: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61

（C）DigiCert Global Root G2
Valid until: 15/Jan/2038
Serial #: 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
SHA1 Fingerprint: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
SHA256 Fingerprint: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

（D）DigiCert Global Root G3
Valid until: 15/Jan/2038
Serial #: 05:55:56:BC:F2:5E:A4:35:35:C3:A4:0F:D5:AB:45:72
SHA1 Fingerprint: 7E:04:DE:89:6A:3E:66:6D:00:E6:87:D3:3F:FA:D9:3B:E8:3D:34:9E
SHA256 Fingerprint: 31:AD:66:48:F8:10:41:38:C7:38:F3:9E:A4:32:01:33:39:3E:3A:18:CC:02:29:6E:F9:7C:2A:C9:EF:67:31:D0

（2）安装并使用ca-certificates工具，将上述文件更新到CentOS 6的根CA证书列表中。

详细方法详见：《CentOS添加根证书（根CA证书）的方法》

本页永久链接：https://www.orztip.com/?p=452&article_title=centos-6-curl-nss-error-8179-with-digicert-ca