curl-users

Re: Using curl behind a proxy: unable to get local issuer certificate

From: 杜秀涛 via curl-users <curl-users_at_cool.haxx.se>
Date: Sat, 27 Jan 2018 11:43:25 +0800

By the way, my browser didn't panic about anything while trying to visit
pypi.org:443.

On Sat, Jan 27, 2018 at 11:40 AM, 杜秀涛 <duxiutao_at_gmail.com> wrote:

> I want to visit https://pypi.io on a Linux server. I have set the
> environment variables HTTP_PROXY and HTTPS_PROXY. When I issued this
> command:
> % curl -LO https://pypi.io/packages/source/v/virtualenv/virtualenv-15.0.2.tar.gz
> I got this error: unable to get local issuer certificate
>
> When I was trying to solve the problem, I found that the certificates my
> browser and the openssl showcerts command show are different, while they
> were using the same proxy.
>
> In my browser, I got certificates like this:
>
> FIRST: MY_COMPANY Root Ca
> SECOND: pypi.org
>
> but in the command I issued below,
> % proxytunnel -p $HTTPS_PROXY -d pypi.io:443 -a 7000
> % openssl s_client -connect localhost:7000 -showcerts
> I got these two
> FIRST:
> 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
> SECOND:
> 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
>
> I want to know why.
>
> =================================================================
> Full messages below:
>
> CONNECTED(00000003)
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 Extended Validation Server CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
> 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
> -----BEGIN CERTIFICATE-----
> ---- keys skipped ----
> -----END CERTIFICATE-----
> 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
> i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
> -----BEGIN CERTIFICATE-----
> ---- keys skipped ----
> -----END CERTIFICATE-----
> ---
> Server certificate
> subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
> issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4164 bytes and written 421 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
> ---messages skipped---
>

Received on 2018-01-27
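
An added example (not part of the original mail and not curl project code): a small shell parser for the "Certificate chain" lines of `openssl s_client -showcerts` output as quoted above. It lists each subject/issuer pair, names the issuer certificate the server did not send, and checks whether a given CA name, such as the one the browser displayed, issued anything in the chain. The function names and the abridged sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the "Certificate chain" section printed by
# `openssl s_client -showcerts` (the "N s:/..." / "i:/..." lines quoted in the mail).

# chain_pairs: stdin = s_client output; stdout = depth<TAB>subject<TAB>issuer per cert.
chain_pairs() {
  awk '
    /^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0; have = 1; next }
    /^ *i:/ && have { sub(/^ *i:/, ""); print depth "\t" subj "\t" $0; have = 0 }
  '
}

# unsent_issuer: issuer DNs that no certificate in the chain carries as its subject.
# The server did not send those certificates, so the verifier has to find them
# in its local CA store (or in a file passed with -CAfile / --cacert).
unsent_issuer() {
  chain_pairs | awk -F'\t' '
    { subjects[$2] = 1; issuers[NR] = $3 }
    END { for (i = 1; i <= NR; i++) if (!(issuers[i] in subjects)) print issuers[i] }
  '
}

# issued_by NAME: succeeds if any issuer in the chain contains NAME,
# e.g. the root CA name the browser displayed for the same site.
issued_by() { chain_pairs | cut -f3 | grep -qF -- "$1"; }

# Constructed sample: the chain from the mail, with the leaf subject abridged.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=New Hampshire/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
EOF
}

sample_output | chain_pairs
printf 'needed from local CA store: %s\n' "$(sample_output | unsent_issuer)"
if sample_output | issued_by 'MY_COMPANY Root Ca'; then
  echo 'chain was issued by the named CA'
else
  echo 'chain was not issued by the named CA'
fi
```

To use it on a live connection, pipe the output of the `openssl s_client ... -showcerts` command from the mail into `chain_pairs` or `unsent_issuer` instead of `sample_output`.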