The long-troubling SSL certificate expiry problem on Ubuntu: certificate verify failed


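My problem was that the curl shipped with Ubuntu 16 is outdated and no newer curl version is provided, so I had to update curl myself. Below is the solution from a user on Stack Overflow.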

Question:

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none



I have a few servers likely installed with the same OS Ubuntu Xenial image, and only one of these servers shows me an error when trying to fetch some famous websites in SSL:

curl https://forums.openvpn.net/

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

I've tried most answers seen around and none worked. Could such a problem arise from the network outside my OS?

Answer:

I have Ubuntu 16.04 servers with curl version 7.47.0 and updating the certificates as suggested was not enough to resolve the issue.

The issue was resolved only after I downloaded and installed a statically linked curl version 7.79.1 from: https://github.com/moparisthebest/static-curl/releases/download/v7.79.1/curl-amd64

Download the binary that matches your OS architecture and rename it:

/usr/local/bin/curl

Enjoy.

Note the following comment:
This sounds dangerous. Suggesting people to replace an essential system tool with a binary downloaded from someone's github page raises questions. The main one being, how do we know this is not a phishing attempt, how do we know the binary has no malware baked into it. We all appreciate contributions, but tools that are often run with sudo on one system need to pass a high bar in terms of verification of authenticity. How can this verification be done in this case? 


--- The following are notes from November 5, 2023. I thought I had figured this problem out, but I actually had not ---

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed


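I have a Rails API server hosted on Heroku, which makes an asynchronous POST request to a callback url specified in an initial API request by the client.

You can try the approach below, which turns off certificate verification, and see whether the problem still appears.
In production, you still need to update the certificates promptly.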

If you need to get around this (but probably not a good permanent solution, because of the potential security hole) you should be able to turn off the certificate verification by putting this before Bundler.require in your application.rb:

# config/application.rb
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE


This problem shows up in three situations:
1. When running gem install or bundle install
2. Your app connects to a 3rd-party API
3. You use a gem to connect to payment sites like PayPal

Solutions

Update CA certificates

The correct solution depends on which code connects to an HTTPS URL. The first thing you can try is to update the root certificates on your machine.

If you’re using Linux, you can use your package manager to update the CA certificates.

sudo apt-get update

sudo apt-get install -y ca-certificates

sudo update-ca-certificates

On RVM on OSX, you can run

rvm osx-ssl-certs update all

If you don’t use RVM, you can extract the certificates from Apple’s Keychain yourself.

cert_file="$( openssl version -d | awk -F'"' '{print $2}' )/cert.pem"
mkdir -p "${cert_file%/*}"
security find-certificate -a -p /Library/Keychains/System.keychain > "$cert_file"
security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain >> "$cert_file"


Try setting SSL’s environment variables to the proper location for your distro, e.g.

CentOS/RHEL:

export SSL_CERT_DIR=/etc/pki/tls/certs
export SSL_CERT_FILE=/etc/pki/tls/cert.pem

Ubuntu/Debian:

export SSL_CERT_DIR=/etc/ssl/certs
export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt

This worked for me.
