# curl -vvv https://www.baidu.com
* About to connect() to www.baidu.com port 443 (#0)
* Trying 180.101.49.44...
* Connected to www.baidu.com (180.101.49.44) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=baidu.com,O="Beijing Baidu Netcom Science Technology Co., Ltd",L=beijing,ST=beijing,C=CN
* start date: Jul 09 07:01:02 2025 GMT
* expire date: Aug 10 07:01:01 2026 GMT
* common name: baidu.com
* issuer: CN=GlobalSign RSA OV SSL CA 2018,O=GlobalSign nv-sa,C=BE
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: www.baidu.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
< Connection: keep-alive
< Content-Length: 2443
< Content-Type: text/html
< Date: Tue, 28 Oct 2025 02:10:13 GMT
< Etag: "58860410-98b"
< Last-Modified: Mon, 23 Jan 2017 13:24:32 GMT
< Pragma: no-cache
< Server: bfe/1.0.8.18
< Set-Cookie: BDORZ=27315; max-age=86400; domain=.baidu.com; path=/
< Tr_id: bfe_9154060250412040345
<
<!DOCTYPE html>
<!--STATUS OK--><html> <head><meta http-equiv=content-type content=text/html;charset=utf-8><meta http-equiv=X-UA-Compatible content=IE=Edge><meta content=always nam e=referrer><link rel=stylesheet type=text/css href=https://ss1.bdstatic.com/5eN1bjq8AAUYm2zgoY3K/r/www/cache/bdorz/baidu.min.css><title>百度一下,你就知道</title></ head> <body link=#0000cc> <div id=wrapper> <div id=head> <div class=head_wrapper> <div class=s_form> <div class=s_form_wrapper> <div id=lg> <img hidefocus=true src= //www.baidu.com/img/bd_logo1.png width=270 height=129> </div> <form id=form name=f action=//www.baidu.com/s class=fm> <input type=hidden name=bdorz_come value=1> <i nput type=hidden name=ie value=utf-8> <input type=hidden name=f value=8> <input type=hidden name=rsv_bp value=1> <input type=hidden name=rsv_idx value=1> <input typ e=hidden name=tn value=baidu><span class="bg s_ipt_wr"><input id=kw name=wd class=s_ipt value maxlength=255 autocomplete=off autofocus=autofocus></span><span class= "bg s_btn_wr"><input type=submit id=su value=百度一下 class="bg s_btn" autofocus></span> </form> </div> </div> <div id=u1> <a href=http://news.baidu.com name=tj_trn ews class=mnav>新闻</a> <a href=https://www.hao123.com name=tj_trhao123 class=mnav>hao123</a> <a href=http://map.baidu.com name=tj_trmap class=mnav>地图</a> <a href =http://v.baidu.com name=tj_trvideo class=mnav>视频</a> <a href=http://tieba.baidu.com name=tj_trtieba class=mnav>贴吧</a> <noscript> <a href=http://www.baidu.com/b dorz/login.gif?login&tpl=mn&u=http%3A%2F%2Fwww.baidu.com%2f%3fbdorz_come%3d1 name=tj_login class=lb>登录</a> </noscript> <script>document.write( <a href="ht tp://www.baidu.com/bdorz/login.gif?login&tpl=mn&u= + encodeURIComponent(window.location.href+ (window.location.search === "" ? "?" : "&")+ "bdorz_come=1")+ " name= "tj_login" class="lb">登录</a> );
</script> <a href=//www.baidu.com/more/ name=tj_briicon class=bri style="display: block;">更多产品</a> </div> </div> </div> <div id=ftCon> <div id=f tConw> <p id=lh> <a href=http://home.baidu.com>关于百度</a> <a href=http://ir.baidu.com>About Baidu</a> </p> <p id=cp>©2017 Baidu <a href=http://www. baidu.com/duty/>使用百度前必读</a> <a href=http://jianyi.baidu.com/ class=cp-feedback>意见反馈</a> 京ICP证030173号 <img src=//www.baidu.com/img/gs. gif> </p> </div> </div> </div> </body> </html>
* Connection #0 to host www.baidu.com left intact
# rpm -qf /etc/pki/tls/certs/ca-bundle.crt
ca-certificates-2021.2.50-72.el7_9.noarch
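How do I get the latest /etc/pki/tls/certs/ca-bundle.crt file on Linux?
On a Linux system there are generally the following ways to get the latest version of /etc/pki/tls/certs/ca-bundle.crt, depending on your distribution:
1. Update through the system package manager
This is the most recommended approach, because the system package manager handles certificate updates and compatibility.
RHEL/CentOS/Fedora (ca-certificates package):
sudo yum update ca-certificates -y  # RHEL/CentOS 7 or earlier
sudo dnf update ca-certificates -y  # RHEL/CentOS 8+/Fedora
Debian/Ubuntu (ca-certificates package):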
sudo apt update
sudo apt install --only-upgrade ca-certificates -y
# yum -y update ca-certificates
Loaded plugins: fastestmirror, langpacks, versionlock
Determining fastest mirrors
http://mirrors.ucloud.cn/ucloud/centos/7/ucloudsoftware/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: mirrors.ucloud.cn; Unknown error"
Trying other mirror.
base | 3.6 kB 00:00:00
extras | 2.9 kB 00:00:00
http://mirrors.ucloud.cn/ucloud/centos/7/x86_64/repodata/repomd.xml: [Errno 14] curl#6 - "Could not resolve host: mirrors.ucloud.cn; Unknown error"
Trying other mirror.
updates | 2.9 kB 00:00:00
Excluding 1 update due to versionlock (use "yum versionlock status" to show it)
Resolving Dependencies
--> Running transaction check
---> Package ca-certificates.noarch 0:2021.2.50-72.el7_9 will be updated
---> Package ca-certificates.noarch 0:2023.2.60_v7.0.306-72.el7_9 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================================================
Updating:
ca-certificates noarch 2023.2.60_v7.0.306-72.el7_9 updates 923 k
Transaction Summary
=============================================================================================================================================================================================================
Upgrade 1 Package
Total download size: 923 k
Downloading packages:
No Presto metadata available for updates
ca-certificates-2023.2.60_v7.0.306-72.el7_9.noarch.rpm | 923 kB 00:00:09
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : ca-certificates-2023.2.60_v7.0.306-72.el7_9.noarch 1/2
Cleanup : ca-certificates-2021.2.50-72.el7_9.noarch 2/2
Verifying : ca-certificates-2023.2.60_v7.0.306-72.el7_9.noarch 1/2
Verifying : ca-certificates-2021.2.50-72.el7_9.noarch 2/2
Updated:
ca-certificates.noarch 0:2023.2.60_v7.0.306-72.el7_9
Complete!
openSUSE/SLES:
sudo zypper refresh
sudo zypper update ca-certificates -y
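2. Replace the file manually (not recommended)
If the package manager is unavailable, the file can be replaced by hand (proceed with care):
- Back up the original file:
sudo cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.bak
- Download the latest certificate bundle (for example from Mozilla or the distribution's official source):
# For example, from Fedora's official source (for the RHEL family)
sudo curl -o /etc/pki/tls/certs/ca-bundle.crt https://src.fedoraproject.org/rpms/ca-certificates/raw/rawhide/f/ca-bundle.crt
- Or use the bundle generated from Mozilla's official source:
curl -s https://curl.se/ca/cacert.pem | sudo tee /etc/pki/tls/certs/ca-bundle.crt
- Update the system certificate store: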
sudo update-ca-trust force-enable
sudo update-ca-trust extract
3. Use the update-ca-trust tool (RHEL/Fedora family)
If the certificate file is managed by update-ca-trust, run the following commands to force an update:
sudo update-ca-trust enable
sudo update-ca-trust extract
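Notes:
- Permissions: make sure the file mode is 644 and the owner is root:root:
sudo chmod 644 /etc/pki/tls/certs/ca-bundle.crt
sudo chown root:root /etc/pki/tls/certs/ca-bundle.crt
- Compatibility: manual replacement can conflict with the system package manager, so prefer the package manager.
- Verify the update: after updating, check the file date or version: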
ls -l /etc/pki/tls/certs/ca-bundle.crt
openssl crl2pkcs7 -nocrl -certfile /etc/pki/tls/certs/ca-bundle.crt | openssl pkcs7 -print_certs | grep issuer
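The manual replacement from section 2, with the permission and verification notes applied before the live file is touched, as an added shell example that is not part of the original page: it rejects an empty, HTML or truncated download, keeps a backup and swaps the file in atomically. The function names, the /tmp/cacert.pem path and the minimum count of 100 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). validate_bundle and
# install_bundle are hypothetical helper names.

# Return 0 only if FILE looks like a complete PEM bundle with >= MIN certs.
validate_bundle() {
    file=$1; min=${2:-1}
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    # Without curl -f, an HTTP error page is saved as if it were the bundle.
    if grep -qiE '<(!doctype|html)' "$file"; then
        echo "HTML content in $file" >&2; return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$file" || true)
    # Unequal marker counts indicate a truncated transfer.
    [ "$begins" -eq "$ends" ] || { echo "truncated: $file" >&2; return 1; }
    [ "$begins" -ge "$min" ] || { echo "only $begins certificates" >&2; return 1; }
}

# Validate SRC, back up DEST, then replace DEST atomically with mode 644.
install_bundle() {
    src=$1; dest=$2; min=${3:-1}
    validate_bundle "$src" "$min" || return 1
    # ca-bundle.crt may be a symlink (it is on RHEL 7); write to the
    # real file so the link itself survives.
    target=$(readlink -f "$dest") || return 1
    if [ -f "$target" ]; then cp -p "$target" "$target.bak" || return 1; fi
    # The temp file sits next to the target so that mv is a rename.
    tmp=$(mktemp "$target.XXXXXX") || return 1
    if cat "$src" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$target"; then
        # Ownership can only be set when running as root.
        if [ "$(id -u)" -eq 0 ]; then chown root:root "$target"; fi
        return 0
    fi
    rm -f "$tmp"; return 1
}

# Usage (as root; the path and threshold are assumed values):
#   curl -fsS -o /tmp/cacert.pem https://curl.se/ca/cacert.pem
#   install_bundle /tmp/cacert.pem /etc/pki/tls/certs/ca-bundle.crt 100
```

Where ca-bundle.crt is a symlink into /etc/pki/ca-trust/extracted/ (RHEL 7 and later), running update-ca-trust extract regenerates that file from the configured trust sources, so a manual replacement lasts only until the next extract.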
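4. Check where the certificate bundle comes from
- The file is generally provided by the ca-certificates package, which can be confirmed with the following commands:
rpm -qf /etc/pki/tls/certs/ca-bundle.crt  # RHEL/Fedora
dpkg -S /etc/ssl/certs/ca-certificates.crt  # Debian/Ubuntu
It is recommended to always update certificates through official channels to keep the system secure.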
