At 2010-12-10 16:07:46£¬"Daniel Stenberg" <daniel_at_haxx.se> wrote:

>On Fri, 10 Dec 2010, ÕÅÐ÷·å wrote:
>
>>> You can get the one Firefox uses from here:
>>>
>>> http://curl.haxx.se/docs/caextract.html
>>
>> Thanks for your help, I have just tried, still doesn't work. when I run
>> "curl --cacert cacert.pem https://bugzilla.mozilla.org", it got following
>> output: curl: (60) Peer certificate cannot be authenticated with known CA
>> certificates More details here: http://curl.haxx.se/docs/sslcerts.html
>
>... as Kamil explained previously, NSS does not (yet) support loading PEM
>files like that but needs a patch for it (that Fedora has applied on the NSS
>they ship).
Some detail info:
$ curl --cacert cacert.pem -v https://www.mozilla.org
  * About to connect() to www.mozilla.org port 443 (#0)
* Trying 63.245.217.21... connected
* Connected to www.mozilla.org (63.245.217.21) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: cacert.pem
  CApath: none
* Remote Certificate has expired.
* NSS error -8181
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates

>
>So I believe the solutions to have to select from are that you either don't
>use PEM certificates with NSS, or you arrange your NSS library to have PEM
>support.

Both are OK, then which one is an easy way? and how to do it?
Thanks very much!

Thanks,
Xufeng Zhang

>
>--
>
> / daniel.haxx.se

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2010-12-10