wget ERROR: The certificate of ‘xyz’ is not trusted, has expired
I have a Debian 10 buster server, one of several with identical hardware/software configurations. I deploy them with a script, and they are all the same. However, one of them throws an error when using wget:
# wget https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
--2020-05-30 12:49:20-- https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
Resolving mirrors.edge.kernel.org (mirrors.edge.kernel.org)... 147.75.69.165, 2604:1380:1000:8100::1
Connecting to mirrors.edge.kernel.org (mirrors.edge.kernel.org)|147.75.69.165|:443... connected.
ERROR: The certificate of ‘mirrors.edge.kernel.org’ is not trusted.
ERROR: The certificate of ‘mirrors.edge.kernel.org’ has expired.
What I have done:
- Checked that the SSL certificate is valid
- Confirmed that the exact same command works on the other servers
- Checked the system date, which is correct
- Checked resolv.conf, configured with 8.8.8.8 8.8.4.4 the same as the others
- Checked name resolution manually, which works fine
- Reinstalled
apt-get install --reinstall ca-certificates
- Ran
update-ca-certificates --fresh
- Ran
c_rehash
- Used curl, which works fine with no error and shows the correct SSL expiry
As far as I can tell, the problem seems to be only wget. I don't need a workaround. I need a solution, so that I can be confident this server is working correctly.
I was able to solve my own problem using --no-dns-cache
# wget --no-dns-cache --debug https://mirrors.edge.kernel.org/pub/linux/kernel/v5.x/linux-5.6.15.tar.xz
After this, it apparently updated whatever broken file there was. It now also works without --no-dns-cache. Very strange, but it seems stable.
I have the same symptom with f-droid.org:
% wget 'https://f-droid.org/F-Droid.apk'
--2020-06-03 14:10:18-- https://f-droid.org/F-Droid.apk
Resolving f-droid.org (f-droid.org)... 217.160.165.113, 148.251.140.42
Connecting to f-droid.org (f-droid.org)|217.160.165.113|:443... connected.
ERROR: The certificate of ‘f-droid.org’ is not trusted.
ERROR: The certificate of ‘f-droid.org’ has expired.
In my case (Debian 9 stretch), curl doesn't work either:
% curl 'https://f-droid.org/F-Droid.apk'
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
Looking at the wget source code, the error comes from the status flags returned by gnutls_certificate_verify_peers2. We can ask gnutls to show the certificate verification details:
% gnutls-cli f-droid.org -p 443
Processed 151 CA certificate(s).
Resolving 'f-droid.org:443'...
Connecting to '217.160.165.113:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=f-droid.org,OU=PositiveSSL,OU=Domain Control Validated', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x02a8508e042b9f065fafadd87cd7d103, RSA key 2048 bits, signed using RSA-SHA256, activated `2019-09-17 00:00:00 UTC', expires `2020-09-16 23:59:59 UTC', key-ID `sha256:e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703'
Public Key ID:
sha1:638f93856e1f5edfcbd40c46d4160cff21b0713a
sha256:e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703
Public key's random art:
+--[ RSA 2048]----+
| o o+o.|
| *...o|
| E ..+ |
| . ... o|
| S . o .|
| o * . o.|
| * o . .o|
| . + o .o. |
| o .oo|
+-----------------+
- Certificate[1] info:
- subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', key-ID `sha256:e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8'
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE', serial 0x13ea28705bf4eced0c36630980614336, RSA key 4096 bits, signed using RSA-SHA384, activated `2000-05-30 10:48:38 UTC', expires `2020-05-30 10:48:38 UTC', key-ID `sha256:c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde'
- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
So the problem is with the USERTrust RSA Certification Authority certificate served by the f-droid.org server. This is an intermediate certificate signed by AddTrust External CA Root, and it expired 4 days ago.
The Debian ca-certificates package has the self-signed (root) certificate of USERTrust RSA Certification Authority:
% openssl x509 -inform PEM -in /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt -text | grep -A2 Validity
Validity
Not Before: Feb 1 00:00:00 2010 GMT
Not After : Jan 18 23:59:59 2038 GMT
...but gnutls gets confused by the expired certificate served by the server, hence the error.
In your case (mirrors.edge.kernel.org) the certificate chain is as follows:
% gnutls-cli mirrors.edge.kernel.org -p 443
Processed 151 CA certificate(s).
Resolving 'mirrors.edge.kernel.org:443'...
Connecting to '147.75.101.1:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
- subject `CN=*.edge.kernel.org', issuer `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', serial 0x00a34d0ccfbf4ea450fe030fd3378f5d68, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-03-16 00:00:00 UTC', expires `2021-03-16 23:59:59 UTC', key-ID `sha256:f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41'
Public Key ID:
sha1:72d8fc84d0dea848189bc3ff8eb1d47629fd72c0
sha256:f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41
Public key's random art:
+--[ RSA 2048]----+
| |
| . |
| . . . |
| . = * + |
| * . o.S o |
| + o =E+ |
| = = +.. |
| . * o... |
| o.o o. |
+-----------------+
- Certificate[1] info:
- subject `CN=Sectigo RSA Domain Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x7d5b5126b476ba11db74160bbc530da7, RSA key 2048 bits, signed using RSA-SHA384, activated `2018-11-02 00:00:00 UTC', expires `2030-12-31 23:59:59 UTC', key-ID `sha256:e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8'
- Certificate[2] info:
- subject `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', issuer `CN=USERTrust RSA Certification Authority,O=The USERTRUST Network,L=Jersey City,ST=New Jersey,C=US', serial 0x01fd6d30fca3ca51a81bbc640e35032d, RSA key 4096 bits, signed using RSA-SHA384, activated `2010-02-01 00:00:00 UTC', expires `2038-01-18 23:59:59 UTC', key-ID `sha256:c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde'
- Status: The certificate is trusted.
Again we see USERTrust RSA Certification Authority, but this is a self-signed (root) certificate, and it is not expired. I guess kernel.org also served the expired intermediate certificate, but it was corrected while you were at it. I think --no-dns-cache is irrelevant, pure coincidence.
By the way, Firefox shows https://f-droid.org fine. Show page info / Security shows the new self-signed (root) USERTrust certificate: Not after: 18 January 2038, 23:59:59 GMT. That is, Firefox ignores the expired intermediate USERTrust certificate served by the server and uses the valid root USERTrust certificate available locally.
Resolution? The server's webmaster should remove the obsolete intermediate certificate from the server configuration. Meanwhile, use Firefox (or curl, if you can) instead of wget.
Update: as the f-droid people point out, the gnutls bug has been fixed, and the fix should be in Debian-security soon.
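The answer above makes two points that are easier to see side by side: a verifier that walks the chain exactly as the server sent it trips over the expired cross-signed USERTrust intermediate, while a verifier that builds its own path (as Firefox does) reaches the valid self-signed USERTrust root in the local store and never uses the expired certificate. The following toy path builder is an added example, not code from the question, the answers, wget or gnutls. Its certificate records are constructed by hand from the gnutls-cli and openssl output quoted above (DNs shortened to the CN, only the fields path building needs); no signatures are checked, so it illustrates path selection only, not full X.509 validation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """The handful of X.509 fields that path building needs."""
    subject: str
    issuer: str
    key_id: str          # SHA-256 subject key ID, as gnutls-cli prints it
    not_after: datetime


def utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed from the gnutls-cli output in the answer (CN only, not the full DN).
SECTIGO_DV = Cert("CN=Sectigo RSA Domain Validation Secure Server CA",
                  "CN=USERTrust RSA Certification Authority",
                  "e1ae9c3de848ece1ba72e0d991ae4d0d9ec547c6bad1dddab9d6beb0a7e0e0d8",
                  utc("2030-12-31 23:59:59"))
# Cross-signed USERTrust intermediate sent by f-droid.org: same key as the root,
# signed by AddTrust External CA Root, expired on 2020-05-30.
USERTRUST_CROSS = Cert("CN=USERTrust RSA Certification Authority",
                       "CN=AddTrust External CA Root",
                       "c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde",
                       utc("2020-05-30 10:48:38"))
# Self-signed USERTrust root from Debian ca-certificates (openssl output above: valid to 2038).
USERTRUST_ROOT = Cert("CN=USERTrust RSA Certification Authority",
                      "CN=USERTrust RSA Certification Authority",
                      "c784333d20bcd742b9fdc3236f4e509b8937070e73067e254dd3bf9c45bf4dde",
                      utc("2038-01-18 23:59:59"))
FDROID_LEAF = Cert("CN=f-droid.org", SECTIGO_DV.subject,
                   "e97ccbf3c188b5cf69a83ed0fc39b001ce1688a62b573193cef3f74984c7d703",
                   utc("2020-09-16 23:59:59"))
KERNEL_LEAF = Cert("CN=*.edge.kernel.org", SECTIGO_DV.subject,
                   "f3746cf281b6453def23289054e75e26e157bfd9eed5252b76ffdc828b802e41",
                   utc("2021-03-16 23:59:59"))

TRUST_STORE = [USERTRUST_ROOT]                       # what the local ca-certificates bundle holds
FDROID_CHAIN = [FDROID_LEAF, SECTIGO_DV, USERTRUST_CROSS]   # as served by f-droid.org
KERNEL_CHAIN = [KERNEL_LEAF, SECTIGO_DV, USERTRUST_ROOT]    # as served by kernel.org
NOW = utc("2020-06-03 14:10:18")                     # timestamp of the failing wget run above


def _anchor_for(cert, trust_store, now):
    """Unexpired trust anchor whose subject matches cert's issuer, if any."""
    for anchor in trust_store:
        if anchor.subject == cert.issuer and anchor.not_after >= now:
            return anchor
    return None


def verify_as_sent(chain, trust_store, now):
    """Verifier that trusts the server's ordering: every certificate the server
    sent must be unexpired and linked to the next one, and the last one must be
    (or be issued by) a trust anchor. The expired cross-signed intermediate
    fails here even though a valid root with the same key is in the store."""
    for i, cert in enumerate(chain):
        if cert.not_after < now:
            return False, f"expired: {cert.subject}"
        if i + 1 < len(chain) and chain[i + 1].subject != cert.issuer:
            return False, f"broken link after {cert.subject}"
    last = chain[-1]
    if last in trust_store or _anchor_for(last, trust_store, now):
        return True, "ok"
    return False, f"no trust anchor for {last.subject}"


def verify_with_path_building(chain, trust_store, now):
    """Verifier that builds its own path: at each step it first looks for a
    trust anchor matching the issuer name and only falls back to the next
    server-sent certificate when none exists, so the expired cross-signed
    USERTrust certificate is never used. Returns (ok, path, reason)."""
    by_subject = {c.subject: c for c in chain}
    path, cert = [], chain[0]
    while True:
        if cert.not_after < now:
            return False, path, f"expired: {cert.subject}"
        path.append(cert)
        anchor = _anchor_for(cert, trust_store, now)
        if anchor is not None:
            path.append(anchor)
            return True, path, "ok"
        nxt = by_subject.get(cert.issuer)
        if nxt is None or nxt is cert:
            return False, path, f"no issuer for {cert.subject}"
        cert = nxt


if __name__ == "__main__":
    for name, chain in (("f-droid.org", FDROID_CHAIN), ("kernel.org", KERNEL_CHAIN)):
        print(name, "as sent:", verify_as_sent(chain, TRUST_STORE, NOW))
        ok, path, why = verify_with_path_building(chain, TRUST_STORE, NOW)
        print(name, "path built:", ok, why, [c.subject for c in path])
```

Run as a script, the f-droid chain fails only under `verify_as_sent` (the expired cross-signed USERTrust certificate is the first thing it rejects) and passes under `verify_with_path_building`, whose path ends at the store's self-signed root; the kernel.org chain, which already carries the unexpired root, passes under both. The practical checks this suggests for a defender are the ones in the answer: compare the chain the server actually sends against the local trust store, and remove obsolete cross-signed intermediates from server configurations rather than loosening client verification.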