I am trying to install sqlbak on a Google Cloud VM running Ubuntu 20.04. For some reason the SSL certificate cannot be verified.
sudo wget -O - https://sqlbak.com/deb/key/deb.gpg.key | sudo apt-key add -
returns
--2021-09-26 19:10:56--  https://sqlbak.com/deb/key/deb.gpg.key
Resolving sqlbak.com (sqlbak.com)... 209.133.198.58
Connecting to sqlbak.com (sqlbak.com)|209.133.198.58|:443... connected.
ERROR: cannot verify sqlbak.com's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
Unable to locally verify the issuer's authority.
To connect to sqlbak.com insecurely, use `--no-check-certificate'.
gpg: no valid OpenPGP data found.
To investigate the problem further, I ran
echo | openssl s_client -servername sqlbak.com -connect sqlbak.com:443
which returns Verification error: unable to get local issuer certificate:
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = sqlbackupandftp.com
verify return:1
---
Certificate chain
0 s:CN = sqlbackupandftp.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGBjCCBO6gAwIBAgISA7es6ONnKRzNDXYStWGIAsCkMA0GCSqGSIb3DQEBCwUA
....
AxD26axM1om2cs27qPwicdDdKwno1osRy1tdX8PlYaTIYxM47mobmYTutmMpJ5OA
mbCQFlo9SFboAA==
-----END CERTIFICATE-----
subject=CN = sqlbackupandftp.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3265 bytes and written 395 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 3072 bit
Secure Renegotiation IS supported
...
---
DONE
I tried running the same check on another Google VM instance, running Debian in another region. There is no error there; it reports Verification: OK:
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = sqlbackupandftp.com
verify return:1
---
Certificate chain
0 s:CN = sqlbackupandftp.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGBjCCBO6gAwIBAgISA7es6ONnKRzNDXYStWGIAsCkMA0GCSqGSIb3DQEBCwUA
...
AxD26axM1om2cs27qPwicdDdKwno1osRy1tdX8PlYaTIYxM47mobmYTutmMpJ5OA
mbCQFlo9SFboAA==
-----END CERTIFICATE-----
subject=CN = sqlbackupandftp.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3265 bytes and written 395 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 3072 bit
Secure Renegotiation IS supported
...
---
DONE
Why does one VM show the SSL error while the other VM works fine?
Observations
- The certificate is exactly the same in both responses.
- The successful response contains
  depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
  verify return:1
  Is there a hint in this?
As a fix, I tried reinstalling ca-certificates:
sudo apt-get install --reinstall ca-certificates
sudo apt-get -f install
sudo dpkg --purge --force-depends ca-certificates
sudo apt-get -f install
PS: As @dave_thompson_085 mentioned, the problem is that the Ubuntu server does not recognize the root certificate. How do I install it, given that purging and reinstalling ca-certificates did not work either?
As a stopgap, I manually added this site's certificate to the locally trusted certificates:
echo -n | openssl s_client -connect sqlbak.com:443 |
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
sudo tee '/usr/local/share/ca-certificates/sqlbak_com.crt'
sudo update-ca-certificates
But this still does not answer the original question: why is this certificate not recognized by default?
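The situation the question describes, rebuilt offline as an added example (this is not part of the original post, nor sqlbak's or Google's code). It assumes only that an `openssl` CLI of version 1.1.0 or newer is on PATH. A throwaway chain is generated in a temp directory: "Example Root CA" stands in for the root the served chain leads to, "Example Intermediate" for R3, and example.test for the server; the helper names verify_chain and store_has_subject are made up here. The server only ever sends the leaf and the intermediate, so verifying them against a store that lacks the root reproduces the failing VM (error 20 at depth 1), while a store that holds the root reproduces the working one. The second helper is the check you would run on each VM to see whether a given root is present in its bundle at all.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the failing-vs-working
# situation offline with a throwaway chain. "Example Root CA" stands in for the
# root the served chain leads to, "Example Intermediate" for R3, example.test
# for the server. All names here are made up for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for CA certificates (root and intermediate) and for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

# Root CA, self-signed: the one thing a client must already have locally.
openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Root/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.crt 2>/dev/null

# Intermediate, issued by the root (the role R3 plays under DST Root CA X3).
openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=Example Intermediate" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.crt 2>/dev/null

# Leaf, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Two local trust stores: one holding the root (like the Debian VM) and one
# that does not (like the Ubuntu VM). The root-less bundle is just the intermediate.
cat root.crt > store_with_root.pem
cat int.crt > store_without_root.pem

# verify_chain STORE: verify what the server sends (leaf + intermediate, given
# as untrusted input) against a local trust store. Pass "" for an empty store.
# Prints "OK" or the first "error ..." line from openssl verify.
verify_chain() {
    if [ -n "$1" ]; then
        out=$(openssl verify -no-CApath -CAfile "$1" -untrusted int.crt leaf.crt 2>&1) || true
    else
        out=$(openssl verify -no-CApath -no-CAfile -untrusted int.crt leaf.crt 2>&1) || true
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | grep '^error' | head -n 1 ;;
    esac
}

# store_has_subject BUNDLE PATTERN: is there a certificate in a PEM bundle whose
# subject contains PATTERN? Each certificate is fed to its own openssl x509 run.
store_has_subject() {
    awk -v cmd='openssl x509 -noout -subject' \
        '/-----BEGIN CERTIFICATE-----/ { close(cmd) } { print | cmd }' "$1" 2>/dev/null \
        | grep -q -- "$2"
}

# Expected:
#   empty store:     error 20 at 1 depth lookup: unable to get local issuer certificate
#   store with root: OK
#   store_with_root.pem: root present
#   store_without_root.pem: root missing
echo "empty store:     $(verify_chain "")"
echo "store with root: $(verify_chain store_with_root.pem)"
for bundle in store_with_root.pem store_without_root.pem; do
    if store_has_subject "$bundle" "Example Root CA"; then
        echo "$bundle: root present"
    else
        echo "$bundle: root missing"
    fi
done
```

On a real machine the same check is `store_has_subject /etc/ssl/certs/ca-certificates.crt "DST Root CA X3"` on each VM: that bundle is what update-ca-certificates builds from /etc/ssl/certs/, and it is consulted both by OpenSSL (s_client's error 20) and by GnuTLS, which Ubuntu's wget links against (its wording is "Unable to locally verify the issuer's authority"). The `-no-CApath -no-CAfile` flags in verify_chain only keep the demo independent of the host's own store.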