Mik*_*osh 5 permissions ssl 14.04
以普通用户身份尝试通过 HTTPS执行curl或执行git clone某些操作时,失败并显示以下错误:
fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)
注意:如果我以 root 身份运行命令,它可以正常工作,但 root 不应是唯一能够通过 ssl 进行通信的用户。
所以我想,好吧,curl 在幕后做了什么:
$ GIT_CURL_VERBOSE=1 git clone https://github.com/mikemackintosh/xxx
Cloning into 'xxx'...
* Couldn't find host github.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
* Trying 192.30.252.130...
* Connected to github.com (192.30.252.130) port 443 (#0)
* error reading ca cert file /etc/ssl/certs/ca-certificates.crt (Error while reading file.)
* Closing connection 0
fatal: unable to access 'https://github.com/mikemackintosh/xxx/': Problem with the SSL CA cert (path? access rights?)
结果,我们能够确认ca-certificate文件是:/etc/ssl/certs/ca-certificates.crt匹配curl-config -ca输出。
下一步是尝试读取文件。作为一个普通的非 root 用户:
$ cat /etc/ssl/certs/ca-certificates.crt
cat: /etc/ssl/certs/ca-certificates.crt: Permission denied
现在这看起来很奇怪。
$ sudo ls -la /etc/ssl/certs/ca-certificates.crt
-rw-r--r-- 1 root root 273790 Jun 15 22:35 /etc/ssl/certs/ca-certificates.crt
$ sudo lsattr /etc/ssl/certs/ca-certificates.crt
-------------e-- /etc/ssl/certs/ca-certificates.crt
所以看看权限,它是世界可读的。访问它应该没有问题。没有阻止访问的疯狂属性。
做一个ls -la /etc/ssl/certs/回报:
...
l????????? ? ? ? ? ? Verisign_Class_4_Public_Primary_Certification_Authority_-_G3.pem
l????????? ? ? ? ? ? VeriSign_Universal_Root_Certification_Authority.pem
l????????? ? ? ? ? ? Visa_eCommerce_Root.pem
l????????? ? ? ? ? ? WellsSecure_Public_Root_Certificate_Authority.pem
l????????? ? ? ? ? ? WoSign_China.pem
l????????? ? ? ? ? ? WoSign.pem
...
如果我运行 a sudo cat /etc/ssl/certs/ca-certificates.pem,它会按预期吐出内容。
哦,这肯定是权限问题。
做一些谷歌搜索,我发现有一个ssl-cert组,但这个组没有/etc/ssl/certs目录的权限。
排除apparmor,排除磁盘损坏,如果我运行没有任何改善update-ca-certificates (w/wo -f)等。
有没有人见过这种行为?
我以前从未见过这样的东西,但我在两台不同的机器上复制了它。请注意,我确实来自 CentOS/RHEL 背景,所以这可能是 Ubuntu 的正常行为,但我很想找到一个真正的解决方案。
ear*_*Lon 13
运行namei -mo /etc/ssl/certs/ca-certificates.crt。将其输出与以下内容匹配:
f: /etc/ssl/certs/ca-certificates.crt
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x root root ssl
drwxr-xr-x root root certs
-rw-r--r-- root root ca-certificates.crt
您可以使用chmod和chown将所有内容恢复到正确的设置:
sudo chown root / && chown root /etc/ && chown root /etc/ssl/ && chown root /etc/ssl/certs/ && chown root /etc/ssl/certs/ca-certificates.crtsudo chmod 755 /sudo chmod 755 /etc/sudo chmod 755 /etc/ssl/sudo chmod 755 /etc/ssl/certssudo chmod 644 /etc/ssl/certs/ca-certificates.crt我今天遇到了同样的问题。这是我所做的:
GIT_CURL_VERBOSE=1 git 克隆https://github.com/robbyrussell/oh-my-zsh.git
这在 curl 详细模式下克隆存储库( curl 现在导致问题)
这是我得到的
Cloning into 'oh-my-zsh'...
* Couldn't find host github.com in the .netrc file; using defaults
* Hostname was NOT found in DNS cache
* Trying 192.30.252.131...
* Connected to github.com (192.30.252.131) port 443 (#0)
* error reading ca cert file /bin/curl-ca-bundle.crt (Error while reading file.)
* Closing connection 0
fatal: unable to access 'https://github.com/robbyrussell/oh-my-zsh.git/': Problem with the SSL CA cert (path? access rights?)
注意这一行:
- 读取 ca 证书文件 /bin/curl-ca-bundle.crt 时出错(读取文件时出错。)
我在~/.gitconfig [HTTP]->sslCAinfo 部分中遇到了配置问题。您可能不会遇到同样的问题,但它会为您提供足够的信息来自行调试。
| 归档时间: |
|
| 查看次数: |
42003 次 |
| 最近记录: |