常规的做法是:
bash
# 检查证书文件是否存在
ls -l /etc/ssl/certs/ca-certificates.crt
# 测试 HTTPS 连接
curl -v https://www.google.com
# 查看证书文件内容
cat /etc/ssl/certs/ca-certificates.crt
# 查看系统日志中与 SSL 相关的错误
grep -i ssl /var/log/messages但是我这样做没用,对了,如何查看是否是CA证书导致的OpenGPG数据无效,只需要运行curl - I https://www.baidu.com.
于是我仔细检查CA证书
bash
```bash
# 1. 获取所有单独的 .pem 文件列表
ls /etc/ssl/certs/*.pem > /tmp/cert-list.txt
wc -l /tmp/cert-list.txt
# 2. 取前一半证书测试
head -n 70 /tmp/cert-list.txt | xargs cat > /tmp/first-half.crt
curl -I --cacert /tmp/first-half.crt https://www.google.com
# 3. 取后一半证书测试
tail -n 70 /tmp/cert-list.txt | xargs cat > /tmp/second-half.crt
curl -I --cacert /tmp/second-half.crt https://www.google.com发现问题出在rancher.pem 证书上,于是我查看rancher证书得到:
bash
cat /etc/ssl/certs/rancher.pem
-----BEGIN CERTIFICATE-----
粘贴 Rancher CA 内容
-----END CERTIFICATE-----受不了,这一看就是本比豆包搞的。
于是把rancher证书删掉后更新即可。
bash
# 1. 删除源证书文件(这是关键!)
sudo rm /usr/local/share/ca-certificates/rancher.crt
# 2. 重新生成证书bundle
sudo update-ca-certificates --fresh
# 3. 验证
curl -I https://www.baidu.com这里做完后最好导入现在ranhcer集群的CA证书,若现在没有集群,则忽略如何导入rancherCA证书