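curl: skipping the validity check for self-signed SSL certificates

Internal SSL-encrypted web pages sometimes use a self-signed certificate. Fetching such a page with curl produces the following error: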

$ curl https://localhost/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here:

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

To avoid this, add the "-k" or "--insecure" option to the curl command; curl then no longer verifies the server's SSL certificate, for example:

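On the command line, the "-k" or "--insecure" option works around the self-signed certificate problem. curl used from PHP also verifies SSL certificates by default; to skip the check, set the CURLOPT_SSL_VERIFYPEER option to false with curl_setopt(), for example: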
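
Added example, not part of the original post: a shell check that finds where verification has been switched off in either of the two ways described above (`-k`/`--insecure` on the command line, `CURLOPT_SSL_VERIFYPEER` set to false in PHP), so those callers can be moved to `--cacert`, the option curl's own message names. The function names, regexes and sample files are assumptions made for this demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: locate callers that switch off
# curl's certificate verification, on the command line (-k / --insecure) or
# in PHP (CURLOPT_SSL_VERIFYPEER set to false or 0).
# Function names, regexes and sample files are assumptions made for this demo.

# "curl", then before any pipe or command separator either --insecure or a
# single-dash option cluster containing k (-k, -sk, -kL).
# Known limit: "-ok" (file named k given to -o) is flagged as well.
CURL_RE='(^|[^[:alnum:]_-])curl[[:space:]]([^|;&]*[[:space:]])?(--insecure|-[[:alnum:]]*k[[:alnum:]]*)([[:space:]]|$)'
# CURLOPT_SSL_VERIFYPEER set to false/0 via curl_setopt() or an options array.
PHP_RE='CURLOPT_SSL_VERIFYPEER[[:space:]]*(,|=>)[[:space:]]*(false|0)([^[:alnum:]]|$)'

# Print findings as file:line:text for the given files or directories.
scan_insecure_tls() {
  grep -rnHE -- "$CURL_RE" "$@" 2>/dev/null || true
  grep -rnHiE -- "$PHP_RE" "$@" 2>/dev/null || true
}

# CI gate: show findings on stderr and return 1 when any exist.
check_tree() {
  local findings
  findings=$(scan_insecure_tls "$@")
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings" >&2
  return 1
}

# Constructed sample tree: one insecure caller per language, plus lines that
# keep verification on and must not be flagged.
write_samples() {  # $1 = target directory
  cat > "$1/backup.sh" <<'EOF'
curl -sk https://localhost/export > dump.json
curl --cacert /etc/ssl/internal-ca.pem https://localhost/export
curl -o k.json https://localhost/
EOF
  cat > "$1/client.php" <<'EOF'
<?php
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_CAINFO, '/etc/ssl/internal-ca.pem');
EOF
}

# Scan the paths given on the command line, if any.
if [ "$#" -gt 0 ]; then check_tree "$@"; fi
```

On the constructed samples only `backup.sh` line 1 and `client.php` line 2 are reported; the `--cacert` and `CURLOPT_CAINFO` lines pass because they keep verification on while trusting the internal certificate.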
