Unable to locally verify the issuer's authority


19

I can't open any https URL with wget or curl:

$ wget https://www.python.org
--2015-04-27 17:17:33--  https://www.python.org/
Resolving www.python.org (www.python.org)... 103.245.222.223
Connecting to www.python.org (www.python.org)|103.245.222.223|:443... connected.
ERROR: cannot verify www.python.org's certificate, issued by "/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA":
  Unable to locally verify the issuer's authority.
To connect to www.python.org insecurely, use '--no-check-certificate'.

$ curl https://www.python.org
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

This is on CentOS 5.5 with wget 1.12 and curl 7.30.0. It sounds like there is a problem with my local certificate store, but I don't know how to proceed from here. Any ideas?

Update: after upgrading the openssl package from 0.9.8e-12.el5_4.6 to 0.9.8e-33.el5_11, I now get a different error:

$ wget https://pypi.python.org
--2015-04-28 10:27:35--  https://pypi.python.org/
Resolving pypi.python.org (pypi.python.org)... 103.245.222.223
Connecting to pypi.python.org (pypi.python.org)|103.245.222.223|:443... connected.
ERROR: certificate common name "www.python.org" doesn't match requested host name "pypi.python.org".
To connect to pypi.python.org insecurely, use '--no-check-certificate'.

I think the root certificates are in the ca-certificates package. Is that package installed? Maybe try reinstalling it. If that isn't the problem, run strace -o /tmp/wget.strace wget https://www.python.org and post the resulting trace; that should tell us where the problem is.
Gilles 'SO

@Gilles - I upgraded the openssl package from 0.9.8e-12.el5_4.6 to 0.9.8e-33.el5_11 and the error went away (maybe that reinstalled the root certificates?), but now I get a different error.
ACO

This looks like a temporary error on that particular site. Do other sites still work?
Gilles 'SO

@Gilles - Other sites don't work either. For example, Google returns the error: certificate common name "google.com" doesn't match requested host name "www.google.com.au".
ACO

I was able to fix the same problem by disabling SELinux: crypt.gen.nz/selinux/disable_selinux.html Cheers!

Answers:

1

Solution 1:

openssl s_client -connect whateversite.com:443 -debug 

Get the certificate key and copy it to /etc/ssl/certs

$ wget https://www.python.org --ca-certificate=/etc/ssl/certsfile

If you want to go the insecure way, try solution 2

Solution 2:

$ wget https://www.python.org --no-check-certificate

Or with curl

$ curl https://www.python.org --insecure

9
"Doctor, I can't walk on my left leg. — Solution 1: move the things you need close to your chair so you don't have to stand up. Solution 2: hop." No, the solution is to fix the problem. Here, that means fixing or reinstalling the root CA certificates.
Gilles 'SO

4
This only works for self-signed, self-issued certificates
Pavel Niedoba

1
Yes, this is a bad idea. Solution 1 is insecure. All you would be doing from now on is bypassing wget's check by automatically trusting the certificate. You should fix the underlying problem by actually repairing the root certificates that wget has access to.
Andrew Ferrier

Although this is only a workaround, it doesn't deserve the hate if your system administrator forces a broken root certificate list or draconian security settings on you.
nurettin

0

Update the time on the server. A single second can cause this problem!

Check: date

RedHat / CentOS 6/7: yum -y install ntpdate; /usr/sbin/ntpdate -u pool.ntp.org

Ubuntu / Debian: apt-get -y install ntpdate; /usr/sbin/ntpdate -u pool.ntp.org
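The page shows three different verification messages (missing local issuer, common-name mismatch, and the clock problem in the last answer), and the comments on solution 1 say the real fix is to verify against the CA that actually issued the certificate rather than to disable the check. As an added example, not taken from the question or any answer, the script below builds a throwaway CA and a leaf certificate for www.python.org and reproduces all three failures with openssl verify, so each message can be matched to its cause; it assumes openssl 1.1.1 or later on PATH, and every name, path and key in it is constructed.

```shell
#!/bin/sh
# Added example, not part of the question or of any answer. It builds a
# throwaway root CA and a leaf certificate for www.python.org and reproduces
# the three verification failures on this page: missing issuer (the original
# error), hostname mismatch (the error after the openssl upgrade) and a wrong
# clock (the last answer). Assumes openssl 1.1.1 or later on PATH; every
# name, path and key below is constructed for the example.
set -e
WORK=$(mktemp -d)
CA="$WORK/ca.pem"; LEAF="$WORK/leaf.pem"

make_certs() {
  # Self-contained req config so the example does not depend on the system
  # openssl.cnf; the ca_ext section marks the throwaway root as a CA.
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/req.cnf"
  openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Example Root CA" -keyout "$WORK/ca.key" -out "$CA" >/dev/null 2>&1
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.python.org" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:www.python.org\n' > "$WORK/leaf_ext.cnf"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$CA" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -extfile "$WORK/leaf_ext.cnf" -out "$LEAF" >/dev/null 2>&1
}

# diagnose LEAF HOST BUNDLE EPOCH: verify LEAF for HOST against BUNDLE (empty
# string = no trust store at all) as of time EPOCH, and name the failure the
# way wget and curl report it. Prints one of:
#   ok | missing-issuer | hostname-mismatch | clock-or-expiry | unknown:<text>
diagnose() {
  if [ -n "$3" ]; then trust="-CAfile $3"; else trust="-no-CAfile -no-CApath"; fi
  out=$(openssl verify $trust -verify_hostname "$2" -attime "$4" "$1" 2>&1 || true)
  case "$out" in
    *"unable to get local issuer"*)    echo missing-issuer ;;
    *"ostname mismatch"*)              echo hostname-mismatch ;;
    *"has expired"*|*"not yet valid"*) echo clock-or-expiry ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo "unknown: $out" ;;
  esac
}

make_certs
NOW=$(date +%s)
echo "no trust store:       $(diagnose "$LEAF" www.python.org  ""    "$NOW")"
echo "issuing CA, own name: $(diagnose "$LEAF" www.python.org  "$CA" "$NOW")"
echo "issuing CA, pypi:     $(diagnose "$LEAF" pypi.python.org "$CA" "$NOW")"
echo "clock stuck in 2001:  $(diagnose "$LEAF" www.python.org  "$CA" 1000000000)"
```

Only the second case is a fix; the first is what the question's wget saw, the third is the error after the openssl upgrade, and the fourth is what a skewed clock produces.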


Licensed under cc by-sa 3.0 with attribution required.