SSL issue: "Peer's certificate issuer has been marked as not trusted by the user."

Jam*_*s F 5 ssl centos centos7 ssl-certificate-errors

We have a public-facing development server that needs SSL for specific functionality.

However, everything that uses SSL in any form returns

curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

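This is not a "well, use ssl-verify=false on yum, or --insecure on the curl request" question.

I realize I can do that on both of those calls. But ultimately, I have to be able to use SSL, because the development we do with these servers requires it.

The CAs seem to be out of date. I have tried the following: https://access.redhat.com/solutions/1549003

I have tried importing the cacert.pem file myself (though I admit I lack knowledge here, so I may have done it wrong).

I have checked the date/time on the server to make sure that is not the problem.

I can't get the "network admin" (term used loosely, as he would be the first to admit that he knows absolutely nothing about Linux - pure Microsoft) to even care about reinstalling CentOS on this machine, so I need to find a solution to this.

Any help would be greatly appreciated. Below are some examples of what we get when trying to do things like yum, curl, and running certbot --apache.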

YUM

[root@localhost work]# yum reinstall mc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel- 
7&arch=x86_64 error was
14: curl#60 - "Peer's certificate issuer has been marked as not trusted by 
the user."
 * base: repos.dfw.quadranet.com
 * epel: mirror.compevo.com
 * extras: repos-tx.psychz.net
 * updates: mirror.us.oneandone.net
 * webtatic: repo.webtatic.com
https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 
14] curl#60 - "Peer's certificate issuer has been marked as not trusted by 
the user."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the 
requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect 
system clock.
You can try to solve this issue by using the instructions on 
https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use 
https://bugs.centos.org/.

https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] 
curl#60 - "Peer's certificate issuer has been marked as not trusted by the 
user."
Trying other mirror.
https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] 
curl#60 - "Peer's certificate issuer has been marked as not trusted by the 
user."
Trying other mirror.
https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] 
curl#60 - "Peer's certificate issuer has been marked as not trusted by the 
user."
Trying other mirror.

CURL

[root@localhost work]# curl https://www.google.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the 
user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

CERTBOT (for Let's Encrypt SSL certificate requests)

[root@localhost work]#  sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 
'c' to cancel): email@host.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed 
(_ssl.c:579)
Please see the logfiles in /var/log/letsencrypt for more details.

Jam*_*s F 2

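Wanted to answer and close this for future reference.

It turned out that we did have a proxy server that was messing things up. We have a rather interesting situation at my work (3 companies, 2 of which are owned by one of the owners of my company, separate from my own company).

It turns out that the sysadmin of company B had put a proxy server in the loop x years ago and then forgot about it. Enter my company's sysadmin, who took over the whole sysadmin role for all the companies. Nobody told him about the proxy. It ran for years without anyone knowing.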
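
A way to check for this kind of forgotten intercepting proxy, as an added example that is not part of the original post: if unrelated public hosts all fail verification and their leaf certificates are signed by the same issuer, interception is more likely than a stale CA bundle. The function names, the verdict strings and the sample `openssl s_client` output are constructed for illustration, and the rule itself is a heuristic.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic check for a
# TLS-intercepting proxy using `openssl s_client` output.

# Read s_client output on stdin; print "<verify return code>|<leaf issuer>".
summarize() {
    awk '
        /^ *0 s:/             { leaf = 1; next }   # depth 0 is the leaf certificate
        leaf && /^ *i:/       { sub(/^ *i:/, ""); issuer = $0; leaf = 0 }
        /Verify return code:/ { code = $4 }
        END { print code "|" issuer }
    '
}

# Read "host|code|issuer" lines on stdin; print one verdict line.
verdict() {
    awk -F'|' '
        $2 == "" { next }                  # no handshake at all: not a trust problem
        $2 != 0  { failed++; seen[$3]++ }  # verification failed for this host
        END {
            for (i in seen) if (failed >= 2 && seen[i] == failed) {
                print "INTERCEPTION_LIKELY: " i; exit
            }
            print (failed ? "MIXED_FAILURES" : "OK")
        }
    '
}

# Live probe of one host (needs network access and the openssl CLI).
probe() {
    printf '%s|' "$1"
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | summarize
}

# Constructed sample: s_client output as it might look behind such a proxy.
SAMPLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.google.com
   i:/O=Example Corp/CN=Example Proxy CA
---
    Verify return code: 19 (self signed certificate in certificate chain)'

# With host arguments, probe each one and print the verdict.
if [ "$#" -gt 0 ]; then
    for h in "$@"; do probe "$h"; done | verdict
fi
```

Run it with several unrelated hosts as arguments, for example the three that failed above (www.google.com, mirrors.fedoraproject.org, acme-v02.api.letsencrypt.org).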