环境:
Red Hat Enterprise Linux Server release 7.7 (Maipo)
# openssl version
OpenSSL 1.0.2g 1 Mar 2016
所以使用 OpenSSL 生成自签名证书,并将 cacert.pem 放在/etc/pki/ca-trust/source/anchors/.
现在根据 man from 的说法update-ca-trust,应该运行 cmd 将证书添加到信任库中,并且证书将被添加到/etc/pki/ca-trust/extracted/.
运行上述 cmd 后,我看到证书仅添加到/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt. 但是像 curl 这样的大多数应用程序都引用了/etc/pki/ca-trust/extracted/openssl/ca-bundle.crt链接到/etc/pki/tls/certs/ca-bundle.crt.
curl -v https://172.21.19.92/api
* About to connect() to 172.21.19.92 port 443 (#0)
* Trying 172.21.19.92...
* Connected to 172.21.19.92 (172.21.19.92) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
我知道传递--cacert …