How to deal with the expired www.postgres.org certificate?

Car*_*nez 4 postgresql certificates

I started getting errors when fetching the certificate key from the postgres website:

wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
#6 0.310 --2021-10-04 20:56:35--  https://www.postgresql.org/media/keys/ACCC4CF8.asc
#6 0.315 Resolving www.postgresql.org (www.postgresql.org)... 87.238.57.232, 72.32.157.230, 217.196.149.50, ...
#6 0.318 Connecting to www.postgresql.org (www.postgresql.org)|87.238.57.232|:443... connected.
#6 0.902 ERROR: The certificate of 'www.postgresql.org' is not trusted.
#6 0.902 ERROR: The certificate of 'www.postgresql.org' has expired.

I tried to work around this with --no-check-certificate, but then ran into a different problem when installing the postgres libraries:

apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    postgresql-client-common postgresql-client-13 \
    && rm -rf /var/lib/apt/lists/*

#9 2.579   404  Not Found [IP: 147.75.85.69 80]
#9 2.606 Fetched 7888 kB in 2s (3486 kB/s)
#9 2.606 Reading package lists...
#9 2.974 W: The repository 'http://apt.postgresql.org/pub/repos/apt -pgdg Release' does not have a Release file.
#9 2.974 E: Failed to fetch http://apt.postgresql.org/pub/repos/apt/dists/-pgdg/main/binary-arm64/Packages  404  Not Found [IP: 147.75.85.69 80]
#9 2.974 E: Some index files failed to download. They have been ignored, or old ones used instead.

Is there any other way to solve this? It suddenly started happening today.

LSe*_*rni 6

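PostgreSQL.org uses a certificate signed by LetsEncrypt (I just checked) and validated against the root certificate.

That certificate has expired. It has been renewed, but you possibly do not have the CA certificate in your system, so your system is unable to validate the new X1 certificate and therefore rejects it.

The same thing happens with the http repository which, as far as I know, does an automatic HTTPS upgrade. I do not see this upgrade reported by apt, so my guess is that it tries but fails silently, and you get a "no such file" error when the real error is more like "cannot connect to retrieve the file". You can verify this by instructing apt to ignore invalid certificates.

But what you need to do is update your CA certificates. You might notice there is a "ca-certificate" package among the updates. Once that is in place, everything else will start working again.

Forcing installation of the ISRG X1 certificate

  • Get the certificate (e.g. curl -k https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem)
  • Extract the CRT: openssl crl2pkcs7 -nocrl -certfile isrgrootx1.pem | openssl pkcs7 -print_certs -out isrgrootx1.crt
  • Copy it to /usr/local/share/ca-certificates/
  • Run sudo update-ca-certificates

If it reports a duplicate certificate, find it in /etc/ssl/certs and check it. If it has "subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1", then you already have the ISRG X1 certificate installed, so the problem lies elsewhere.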
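
The steps above fetch the root with curl -k, which skips TLS verification, so the file can be checked against a SHA-256 fingerprint obtained through a separate trusted channel before it goes into the trust store. This is an added example, not part of the original answer; the function names are hypothetical and the expected fingerprint is an operator-supplied placeholder.

```shell
#!/bin/sh
# Added example: only trust a root fetched without TLS verification if its
# SHA-256 fingerprint matches one obtained out of band.

# norm_fp FP: strip colons/spaces and upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# cert_sha256 PEM: fingerprint of the first certificate in PEM, normalised.
cert_sha256() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    norm_fp "${fp#*=}"      # drop the "SHA256 Fingerprint=" label
}

# install_pinned_ca PEM EXPECTED_FP DEST_DIR
# Returns 0 after writing DEST_DIR/<name>.crt, 1 on a fingerprint
# mismatch, 2 if PEM cannot be parsed as a certificate.
install_pinned_ca() {
    got=$(cert_sha256 "$1") || return 2
    if [ "$got" != "$(norm_fp "$2")" ]; then
        echo "fingerprint mismatch for $1: got $got" >&2
        return 1
    fi
    # Re-encode so exactly the certificate that was checked is installed;
    # update-ca-certificates reads *.crt files from this directory.
    openssl x509 -in "$1" -out "$3/$(basename "${1%.*}").crt"
}

# Usage (placeholder fingerprint, to be taken from a trusted channel):
#   install_pinned_ca isrgrootx1.pem "<EXPECTED-SHA256>" /usr/local/share/ca-certificates
#   update-ca-certificates
```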


blo*_*ong 5

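Thanks to LSerni for pointing me in the right direction. I needed one more step to fix the problem in my case: sed out mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf

Also, an interesting note: I could not reproduce the error in Docker using debian:stretch, but I could reproduce it using python:3.7.8-stretch

The commands to reproduce the bug are basically these 3: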

apt-get update && apt-get install -y lsb-release wget
sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -

Running the commands above produces the output gpg: no valid OpenPGP data found., which is the root problem.

Image ID, for reproducing the error:

me@home$ docker images
REPOSITORY                        TAG             IMAGE ID       CREATED         SIZE
python                            3.7.8-stretch   b64658cdf594   14 months ago   902MB

Output reproducing the error:

me@home$ docker run -it python:3.7.8-stretch /bin/bash
root@771da843c08d:/# apt-get update && apt-get install -y lsb-release wget
Ign:1 http://deb.debian.org/debian stretch InRelease
Get:2 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Get:3 http://deb.debian.org/debian stretch-updates InRelease [93.6 kB]
Get:4 http://deb.debian.org/debian stretch Release [118 kB]           
Get:5 http://deb.debian.org/debian stretch Release.gpg [3177 B]                  
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [720 kB]
Get:7 http://deb.debian.org/debian stretch/main amd64 Packages [7080 kB]         
Fetched 8067 kB in 1s (4448 kB/s)                     
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
wget is already the newest version (1.18-5+deb9u3).
Suggested packages:
  lsb
The following NEW packages will be installed:
  distro-info-data lsb-release
0 upgraded, 2 newly installed, 0 to remove and 106 not upgraded.
Need to get 32.9 kB of archives.
After this operation, 78.8 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch/main amd64 distro-info-data all 0.36 [5810 B]
Get:2 http://deb.debian.org/debian stretch/main amd64 lsb-release all 9.20161125 [27.1 kB]
Fetched 32.9 kB in 0s (274 kB/s)       
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package distro-info-data.
(Reading database ... 30586 files and directories currently installed.)
Preparing to unpack .../distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Setting up distro-info-data (0.36) ...
Setting up lsb-release (9.20161125) ...
root@771da843c08d:/# sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
root@771da843c08d:/# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
gpg: no valid OpenPGP data found.

Output showing the problem resolved (including the resolution steps):

root@479753dc1044:/# sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
root@479753dc1044:/# # Remove the DST X3 root certificate, per
root@479753dc1044:/# # https://medium.com/geekculture/will-you-be-impacted-by-letsencrypt-dst-root-ca-x3-expiration-d54a018df257
root@479753dc1044:/# sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
root@479753dc1044:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@479753dc1044:/# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
OK
root@479753dc1044:/# apt-get update
Ign:1 http://deb.debian.org/debian stretch InRelease
Hit:2 http://security.debian.org/debian-security stretch/updates InRelease
Hit:3 http://deb.debian.org/debian stretch-updates InRelease
Hit:4 http://deb.debian.org/debian stretch Release 
Get:6 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease [81.6 kB]
Get:7 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 Packages [270 kB]
Fetched 352 kB in 1s (220 kB/s)  
Reading package lists... Done

After applying the fix above, you can proceed (for example, installing an older Postgres client).

root@479753dc1044:/# apt-get -y install postgresql-client-12
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libpq-dev libpq5 pgdg-keyring postgresql-client-common
Suggested packages:
  postgresql-doc-14 postgresql-12 postgresql-doc-12
The following NEW packages will be installed:
  pgdg-keyring postgresql-client-12 postgresql-client-common
The following packages will be upgraded:
  libpq-dev libpq5
2 upgraded, 3 newly installed, 0 to remove and 104 not upgraded.
Need to get 1823 kB of archives.
After this operation, 6032 kB of additional disk space will be used.
Get:1 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 libpq-dev amd64 14.0-1.pgdg90+1 [135 kB]
Get:2 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 libpq5 amd64 14.0-1.pgdg90+1 [169 kB]
Get:3 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 pgdg-keyring all 2018.2 [10.7 kB]
Get:4 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 postgresql-client-common all 231.pgdg90+1 [91.3 kB]
Get:5 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 postgresql-client-12 amd64 12.8-1.pgdg90+1 [1417 kB]
Fetched 1823 kB in 1s (1422 kB/s)              
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 30604 files and directories currently installed.)
Preparing to unpack .../libpq-dev_14.0-1.pgdg90+1_amd64.deb ...
Unpacking libpq-dev (14.0-1.pgdg90+1) over (9.6.17-0+deb9u1) ...
Preparing to unpack .../libpq5_14.0-1.pgdg90+1_amd64.deb ...
Unpacking libpq5:amd64 (14.0-1.pgdg90+1) over (9.6.17-0+deb9u1) ...
Selecting previously unselected package pgdg-keyring.
Preparing to unpack .../pgdg-keyring_2018.2_all.deb ...
Unpacking pgdg-keyring (2018.2) ...
Selecting previously unselected package postgresql-client-common.
Preparing to unpack .../postgresql-client-common_231.pgdg90+1_all.deb ...
Unpacking postgresql-client-common (231.pgdg90+1) ...
Selecting previously unselected package postgresql-client-12.
Preparing to unpack .../postgresql-client-12_12.8-1.pgdg90+1_amd64.deb ...
Unpacking postgresql-client-12 (12.8-1.pgdg90+1) ...
Setting up libpq5:amd64 (14.0-1.pgdg90+1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up pgdg-keyring (2018.2) ...
Removing apt.postgresql.org key from trusted.gpg: OK
Setting up libpq-dev (14.0-1.pgdg90+1) ...
Setting up postgresql-client-common (231.pgdg90+1) ...
Setting up postgresql-client-12 (12.8-1.pgdg90+1) ...
update-alternatives: using /usr/share/postgresql/12/man/man1/psql.1.gz to provide /usr/share/man/man1/psql.1.gz (psql.1.gz) in auto mode
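
The sed step in the answer above, reworked as an added example (not the answerer's own code) so that it matches the whole line, is safe to re-run in an image build, and refuses to deselect DST Root CA X3 unless ISRG Root X1 is still active. The function names are hypothetical and the entry name mozilla/ISRG_Root_X1.crt is assumed from the Debian ca-certificates layout.

```shell
#!/bin/sh
# Added example (not from the original answer). Entry names follow the
# Debian ca-certificates layout; ISRG_Root_X1.crt is assumed to be listed.
DST=mozilla/DST_Root_CA_X3.crt
ISRG=mozilla/ISRG_Root_X1.crt

# ca_state CONF CERT -> prints "active", "deselected" or "absent".
ca_state() {
    if grep -qxF -- "$2" "$1"; then echo active
    elif grep -qxF -- "!$2" "$1"; then echo deselected
    else echo absent
    fi
}

# deselect_ca CONF CERT: prefix the exact line CERT with "!".
# Whole-line string match, so a second run changes nothing.
deselect_ca() {
    tmp=$(mktemp) || return 1
    awk -v c="$2" '$0 == c { print "!" $0; next } { print }' "$1" > "$tmp" \
        && cat "$tmp" > "$1"      # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# fix_le_chain CONF: deselect DST Root CA X3 only when ISRG Root X1 is
# active; otherwise nothing would anchor the Let's Encrypt chain.
fix_le_chain() {
    if [ "$(ca_state "$1" "$ISRG")" != active ]; then
        echo "ISRG Root X1 is not active in $1; upgrade ca-certificates first" >&2
        return 1
    fi
    deselect_ca "$1" "$DST"
}

# Constructed sample file so the example runs without touching /etc.
demo() {
    conf=$(mktemp)
    printf '%s\n' '# constructed sample' "$DST" "$ISRG" > "$conf"
    fix_le_chain "$conf" && fix_le_chain "$conf"   # second run is a no-op
    cat "$conf"
    rm -f "$conf"
}
```

On a real system, run fix_le_chain /etc/ca-certificates.conf and then update-ca-certificates, as in the transcript above.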