freebsd上用https下載github的包失敗了
阿新 • • 發佈:2019-01-09
想從github上下載一個包, 結果fetch居然報錯了
[email protected]:~ # fetch https://github.com/encorehu/django-buddy/archive/master.zip Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1 34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168: fetch: https://github.com/encorehu/django-buddy/archive/master.zip: Authentication error
一些資料說是github自己更新了ssl連線的某些東西, 英文太多看不懂, 也懶得看.
2016-1-27更新:::::正確答案:https://github.com/saltstack/salt-bootstrap/issues/290
deeprave commented on 8 Oct 2014 Actually a better (and permanent) solution to this is to: $ pkg install ca_root_nss then, ln or cp the combined root certificates to /etc/ssl/cert.pem e.g. $ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem which installs the nss root certificates in a place where fetch(1) can find them. Bypassing security is rarely a good solution.
別人解決的方式是
1. 安裝新版的openssl
或者2. 安裝DigiCert的安全證書
具體的, 我這個自己解決之後,再 詳細補充.
----
補充
3 有資料說要下載 digitcert 數字證書網站的 證書, https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt, 結果哪裡知道這個也是要通過https來下載的, 結果根本就下不下來.
[email protected]:~ # fetch https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA 34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168: fetch: https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt: Authentication error
4. 測試命令, openssl s_client -connect github.com:443
openssl s_client -connect github.com:443
結果滾出一堆:
[email protected]:~ # openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
.......刪了....
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
.....刪了, 覺得安全些...
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
---
No client certificate CA names sent
---
SSL handshake has read 4139 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FB3AF14B585A4FE1D98556286E5C82FEF788B2BE6FAF83081B742417E05FD90E
Session-ID-ctx:
Master-Key: 14CD0609C660C0896CF5F159517A02A95E5AE43BC47561EEBB49891112271AD50E4DD113D3CFF622985289FD1ED3E7B5
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1396167645
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
啥意思, 這一堆, 最後可能是顯示了點東西, 408, 請求超時, 瀏覽器並沒有在預設時間裡傳送完整的請求.
5.臨時解決, 現學現用, 用curl url >a.zip解決了下載問題. openssl的問題以後再補充.
參考資料:
http://smyck.net/2014/01/22/freebsd-authentication-error/
https://forums.freebsd.org/viewtopic.php?&t=14051
http://stackoverflow.com/questions/22027418/openssl-python-requests-error-certificate-verify-failed