# Fixing the cURL error 60 "Peer's Certificate issuer is not recognized" problem

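Sometimes, after an SSL certificate has been renewed, the site loads fine in a browser, but server-side code such as PHP can no longer call the endpoint and reports the following error: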

```
cURL error 60: Peer's Certificate issuer is not recognized.
```

If you use PHP's file_get_contents function, the error looks like this:

```
PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
```

Testing with the curl command gives this error:

```
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

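The message is clear enough: the renewed SSL certificate could not be matched against the CA bundle, so we have to handle it manually.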

# How to fix it

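1. Open the URL in Firefox, click the padlock icon next to the address, click "Connection secure", then click "More information". A page-info window with the security details opens.

2. Click the button to view the security certificate, scroll down the page that opens until you find the download entry, click "PEM (chain)", and save the file locally.

3. Upload the file to the server. On CentOS, put it in the directory `/etc/pki/ca-trust/source/anchors/`, change its file extension to `.crt`, then run the command `update-ca-trust extract`.

4. curl now works normally.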

# The Requests library

PHP has a wrapper library, https://github.com/rmccue/Requests, which maintains its own cacert.pem file at `vendor/rmccue/requests/library/Requests/Transport/cacert.pem`.

If you use this library, you have to update that file by hand: append the contents of the certificate you just downloaded to the end of it.

```
cat xxx.crt >> ./vendor/rmccue/requests/library/Requests/Transport/cacert.pem
```

After that the library works normally.
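
The append step above, written so that it can be re-run without piling duplicate entries into cacert.pem. This is an added example, not code from the original post or from the Requests project; the function names `pem_bodies` and `append_missing_certs` and the script name are hypothetical, and certificates are compared by their base64 body only.

```shell
#!/bin/sh
# Added example, not from the original post: an idempotent replacement for
#   cat xxx.crt >> cacert.pem
# Certificates are compared by base64 body, so re-wrapped copies still match.

# Print every certificate in PEM file $1 as one line of base64.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
    /-----END CERTIFICATE-----/   { if (inside && body != "") print body
                                    inside = 0; next }
    inside { gsub(/[ \t\r]/, ""); body = body $0 }
  ' "$1"
}

# Append to bundle $2 each certificate of $1 that the bundle lacks.
# Prints the number of certificates appended.
append_missing_certs() {
  src=$1 bundle=$2 added=0
  have=$(mktemp) || return 1
  want=$(mktemp) || return 1
  pem_bodies "$bundle" > "$have"
  pem_bodies "$src" > "$want"
  while IFS= read -r body; do
    # Skip certificates the bundle already contains.
    grep -qxF -e "$body" "$have" && continue
    {
      printf '\n%s\n' '-----BEGIN CERTIFICATE-----'
      printf '%s\n' "$body" | fold -w 64
      printf '%s\n' '-----END CERTIFICATE-----'
    } >> "$bundle"
    printf '%s\n' "$body" >> "$have"   # also dedupes repeats inside $src
    added=$((added + 1))
  done < "$want"
  rm -f "$have" "$want"
  echo "$added"
}

# Run as a script: sh append_certs.sh chain.pem path/to/cacert.pem
if [ "$#" -eq 2 ]; then
  append_missing_certs "$1" "$2"
fi
```

Because the file lives under vendor/, reinstalling or updating the package through Composer replaces it, so the append has to be repeated afterwards.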