SSL證書驗證結果：無法獲得本地頒發者證書（20）

Question

我想在使用Windows 8的Heroku上添加SSL證書。我指的是Heroku's ssl-endpoint article來添加它。一切正常，直到最後一步，但是當我進入

curl -kvI https://www.example.com 

它說

SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway. 

下面是完整的輸出：

* Adding handle: conn: 0x606458 
* Adding handle: send: 0 
* Adding handle: recv: 0 
* Curl_addHandleToPipeline: length: 1 
* - Conn 0 (0x606458) send_pipe: 1, recv_pipe: 0 
* About to connect() to www.example.com port 443 (#0) 
* Trying 107.21.111.209... 
* Connected to www.example.com (107.21.111.209) port 443 (#0) 
* SSLv3, TLS handshake, Client hello (1): 
* SSLv3, TLS handshake, Server hello (2): 
* SSLv3, TLS handshake, CERT (11): 
* SSLv3, TLS handshake, Server key exchange (12): 
* SSLv3, TLS handshake, Server finished (14): 
* SSLv3, TLS handshake, Client key exchange (16): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSL connection using DHE-RSA-AES128-SHA 
* Server certificate: 
*  subject: C=US; ST=California; L=San Francisco; O=Heroku, Inc.; CN=*.her 
okuapp.com 
*  start date: 2014-01-21 00:00:00 GMT 
*  expire date: 2017-05-19 12:00:00 GMT 
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Hig 
h Assurance Server CA 
*  SSL certificate verify result: unable to get local issuer certificate (
20), continuing anyway. 
> HEAD/HTTP/1.1 
> User-Agent: curl/7.30.0 
> Host: www.example.com 
> Accept: */* 
> 
< HTTP/1.1 200 OK 
HTTP/1.1 200 OK 
* Server Cowboy is not blacklisted 
< Server: Cowboy 
Server: Cowboy 
< Connection: keep-alive 
Connection: keep-alive 
< X-Powered-By: Express 
X-Powered-By: Express 
< Accept-Ranges: bytes 
Accept-Ranges: bytes 
< Date: Thu, 02 Apr 2015 05:14:25 GMT 
Date: Thu, 02 Apr 2015 05:14:25 GMT 
< Cache-Control: public, max-age=0 
Cache-Control: public, max-age=0 
< Last-Modified: Tue, 31 Mar 2015 14:21:19 GMT 
Last-Modified: Tue, 31 Mar 2015 14:21:19 GMT 
< Etag: W/"9e3-2781781373" 
Etag: W/"9e3-2781781373" 
< Content-Type: text/html; charset=UTF-8 
Content-Type: text/html; charset=UTF-8 
< Content-Length: 2531 
Content-Length: 2531 
< Set-Cookie: connect.sid=s%3AiRH8B-WEim3II5fgpXfF1otZXeqvmdMi.ibAcnpY2ATqERWyMJ 
3c%2BptFMqgQLwrFQvAoOW6zh9HM; Path=/; HttpOnly 
Set-Cookie: connect.sid=s%3AiRH8B-WEim3II5fgpXfF1otZXeqvmdMi.ibAcnpY2ATqERWyMJ3c 
%2BptFMqgQLwrFQvAoOW6zh9HM; Path=/; HttpOnly 
< Via: 1.1 vegur 
Via: 1.1 vegur 

< 
* Connection #0 to host www.example.com left intact 

有什麼不對嗎？先謝謝你。

Answer 1

我合併兩個SSL證書，然後在heroku上上傳。命令這兩個SSL證書相結合是：

cat certificate.crt gd_bundle.crt > combine.crt 

它將結合certificate.crt和gd_bundle.crt創建combine.crt

Answer 2

您需要告知curl您受信任的根證書存儲的位置。嘗試：

curl -vI --cacert /etc/ssl/cert.pem 

或

curl -vI --capath /etc/ssl/certs/ 

（以系統信任的根存儲的確切路徑由OS /發行變化，所以它可能不完全上面的一個。）