今天,我的浏览器之外的所有 HTTPS 连接突然开始失败,并出现错误“SSL 证书问题:无法获取本地颁发者证书”。该问题影响所有工具,包括Python的requests、Node的fetch、curl等。
我希望 HTTPS 连接能够正常工作,不会出现任何证书问题。以下是我测试的每个工具的详细信息:
❯ curl https://stackoverflow.com
curl: (35) schannel: next InitializeSecurityContext failed: CRYPT_E_NO_REVOCATION_CHECK (0x80092012)
即使使用 WSL,Linux 环境也会遇到同样的问题。
$ curl https://stackoverflow.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
> fetch("https://stackoverflow.com")
Promise {
<pending>,
[Symbol(async_id_symbol)]: 108,
[Symbol(trigger_async_id_symbol)]: 86
}
> Uncaught [TypeError: fetch failed] {
[cause]: Error: unable to get local issuer certificate
at TLSSocket.onConnectSecure (node:_tls_wrap:1674:34)
at TLSSocket.emit (node:events:519:28)
at TLSSocket.emit (node:domain:551:15)
at TLSSocket._finishInit (node:_tls_wrap:1085:8)
at ssl.onhandshakedone (node:_tls_wrap:871:12)
at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) {
code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'
}
}
为了诊断问题,我运行了以下 OpenSSL 命令:
openssl s_client -connect google.com:443
Connecting to 2404:6800:4012:2::200e
CONNECTED(000001F8)
depth=2 C=US, O=Google Trust Services LLC, CN=GTS Root R1
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=1 C=US, O=Google Trust Services, CN=WR2
verify return:1
depth=0 CN=*.google.com
verify return:1
---
Certificate chain
0 s:CN=*.google.com
i:C=US, O=Google Trust Services, CN=WR2
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 1 06:35:43 2024 GMT; NotAfter: Sep 23 06:35:42 2024 GMT
1 s:C=US, O=Google Trust Services, CN=WR2
i:C=US, O=Google Trust Services LLC, CN=GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
2 s:C=US, O=Google Trust Services LLC, CN=GTS Root R1
i:C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN=*.google.com
issuer=C=US, O=Google Trust Services, CN=WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6552 bytes and written 398 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
我已尝试更新系统上的 CA 证书,但问题仍然存在。我使用以下命令并手动导入生成的证书:
Certutil.exe -generateSSTFromWU roots.sst
我在网上找到的大多数解决方案都建议禁用 GIT 或 Node.js 等特定工具的 SSL 检查。但是,我的问题影响除浏览器之外的所有应用程序。
任何帮助或建议将不胜感激。谢谢!
我也遇到过同样的问题。我发现这是与 Avast 防病毒软件相关的错误。请参阅:(https://answers.microsoft.com/en-us/windowsclient/forum/all/avast-curl-ssl-replication-problem/a4fca682-55ec-499d-bb71-208862d617ea)。我已切换到另一个防病毒软件(具有不同的引擎),curl 命令再次开始工作。此外,具有 http 连接的程序可以在 Eclipse IDE 上运行,但不能在 VS code 上运行,但这可能是由不同的错误引起的。 (在切换防病毒软件之前,我没有在 Eclipse IDE 上测试程序。)或者您可以等待 bug 得到修复。如果您决定更换防病毒软件,请确保安全地进行。
希望我至少对你有一点帮助。