Background

A few Alibaba Cloud servers created in 2019 were installed with Aliyun Linux 17.1 64-bit. Because Let's Encrypt's DST Root CA X3 certificate has expired, accessing websites that use Let's Encrypt certificates from these machines fails with an SSL error:

ERROR: cannot verify gems.ruby-china.com's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:

Process

On CentOS 7 there is a ready-made fix: running yum update ca-certificates upgrades the system certificate bundle and resolves the problem.

A search showed that the documentation for Aliyun Linux 17.1 is no longer on Alibaba Cloud's website; only Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 remain. The only description I found was in a CSDN article, which says Aliyun Linux 17.1 is compatible with CentOS 7.2.

On Aliyun Linux 17.1, yum update ca-certificates simply reports No packages marked for update.
yum install ca-certificates reports Package ca-certificates-2015.2.6-73.4.al7.noarch already installed and latest version.
The ca-certificates package in the official yum repository is still the 2015.2.6 release.

Looking up the Alibaba Cloud yum repository configured in the system, http://mirrors.aliyun.com/alinux/17.01/os/x86_64, I found it has not been updated since 2019-12-22.
The Let's Encrypt expiry happened in September 2021, so the official repository clearly contains no update for this problem.

I opened a ticket with Alibaba Cloud to ask whether there was an official fix. After going through the following:

  • They could not find my machine's system information in their back end and suspected the OS was Windows
  • They suggested I run yum -y install ca-certificates to upgrade the package
  • They suggested I simply ignore SSL and skip certificate verification to access the site
  • They asked for the kernel version from uname -r
  • They suggested running yum install ca-certificates -b current, which failed

After a long back-and-forth, support finally said that Aliyun Linux 17.1 had reached end of support in 2019, and then kindly offered that I could grant them login access so they could log into the server and help figure out a fix.

Exhausted, I decided not to waste any more time and to find a way to replace the certificates manually myself.

Solution

The Let's Encrypt certificate problem was already investigated in my earlier post, Updating the CA root certificates on CentOS 7 to fix the Let's Encrypt certificate expiry. The root cause is that the DST Root X3 certificate used by Let's Encrypt expired on 2021-09-30.
The fix therefore becomes:

  • Manually remove the DST Root X3 certificate on the server (by blacklisting it)
  • Manually add Let's Encrypt's new certificates: IdenTrust Commercial Root CA 1 and ISRG Root X1

Background knowledge

Certificate-related paths on CentOS:

# Trusted certificate list (distribution-supplied trust source)
/usr/share/pki/ca-trust-source
# Blacklist path: certificates placed here are distrusted
/etc/pki/ca-trust/source/blacklist
# Whitelist path: certificates placed here are trusted anchors
/etc/pki/ca-trust/source/anchors

Certificate-related commands on CentOS:

# Check whether a certificate is present in the system trust store
trust list | grep -C2 "IdenTrust Commercial Root CA 1"
trust list | grep -C2 "ISRG Root X1"
## Output
$ trust list | grep -C2 "ISRG Root X1"
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
type: certificate
label: ISRG Root X1
trust: anchor
category: authority
$
# Exporting certificates
# DST Root CA X3 certificate
trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee ./DST-Root-CA-X3.pem
# Export the ISRG Root X1 certificate
trust dump --filter "pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e" | openssl x509 | sudo tee ./ISRG-Root-X1.pem
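The `trust list | grep` checks above answer one question at a time. As an added example (not code from the original post), here is a small POSIX shell parser for `trust list` output that reports the trust state of a root by its label, plus a check for the two certificates this post cares about. The function names `trust_status` and `check_letsencrypt_roots` are my own, and the two embedded listings are constructed samples shaped like the output shown on this page (the pkcs11 ids are the ones from the page), so the script runs without p11-kit installed; on a real host, pipe `trust list` into `check_letsencrypt_roots` instead.

```shell
#!/bin/sh
# Added example, not part of the original post: parse `trust list` output and
# report where the two Let's Encrypt roots stand. On a real host run
#   trust list | check_letsencrypt_roots
# Here the listings are constructed samples shaped like the output shown in
# the post (same pkcs11 ids), so the script runs without p11-kit installed.
set -eu

# trust_status LABEL: read `trust list` output on stdin and print the "trust:"
# value of the record whose label is LABEL (anchor, blacklisted, ...), or
# "absent" when no record carries that label.
trust_status() {
    awk -v label="$1" '
        { line = $0; sub(/^ +/, "", line) }            # records are indented by 4 spaces
        line ~ /^pkcs11:/ { want = 0 }                 # a new record starts
        line == ("label: " label) { want = 1 }         # this is the record we want
        want && line ~ /^trust: / {
            sub(/^trust: /, "", line); print line; found = 1; exit
        }
        END { if (!found) print "absent" }
    '
}

# check_letsencrypt_roots: succeed only when ISRG Root X1 is a trusted anchor
# and the expired DST Root CA X3 is no longer one (blacklisted or absent),
# which is the state the post works towards.
check_letsencrypt_roots() {
    listing=$(cat)
    x1=$(printf '%s\n' "$listing" | trust_status "ISRG Root X1")
    x3=$(printf '%s\n' "$listing" | trust_status "DST Root CA X3")
    echo "ISRG Root X1:   $x1"
    echo "DST Root CA X3: $x3"
    [ "$x1" = anchor ] && [ "$x3" != anchor ]
}

# Constructed sample: the store as found on the Aliyun Linux 17.1 host.
SAMPLE_BEFORE=$(cat <<'EOF'
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: anchor
    category: authority
pkcs11:id=%ed%44%19%c0%d3%f0%06%8b%ee%a4%7b%be%42%e7%26%54%c8%8e%36%76;type=cert
    type: certificate
    label: IdenTrust Commercial Root CA 1
    trust: anchor
    category: authority
EOF
)

# Constructed sample: the store after the fix in this post has been applied.
SAMPLE_AFTER=$(cat <<'EOF'
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
EOF
)

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | check_letsencrypt_roots; then
        echo "-> chains issued by Let's Encrypt will validate"
    else
        echo "-> fix needed: blacklist DST Root CA X3 and/or add ISRG Root X1"
    fi
    echo
done
```

The parser keys on the `label:` line and reads the `trust:` line that follows it inside the same record, so the p11-kit "overriding trust" warning and any other surrounding text are ignored; an X3 that has been blacklisted but not physically deleted is still reported as handled, which matches what `update-ca-trust` actually does.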

Certificates in the operating system

Block the DST Root X3 certificate

vim /etc/pki/ca-trust/source/blacklist/X3.crt
# DST Root CA X3 (expired)
-----BEGIN TRUSTED CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQMBwwCgYIKwYBBQUHAwEMDkRT
VCBSb290IENBIFgz
-----END TRUSTED CERTIFICATE-----
# Rebuild the trust store
update-ca-trust

Verify that X3 has been removed

Run the following command:

# trust list | grep -C3 'DST Root CA X3'
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
type: certificate
label: DST Root CA X3
trust: blacklisted
category: authority
#

Seeing trust: blacklisted means the DST Root CA X3 certificate has been removed from the set of trusted anchors.

Verify whether IdenTrust Commercial Root CA 1 and ISRG Root X1 are present

# trust list | grep -C2 "IdenTrust Commercial Root CA 1"
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%ed%44%19%c0%d3%f0%06%8b%ee%a4%7b%be%42%e7%26%54%c8%8e%36%76;type=cert
type: certificate
label: IdenTrust Commercial Root CA 1
trust: anchor
category: authority
#
# trust list | grep -C2 "ISRG Root X1"
p11-kit: overriding trust for anchor in blacklist: X3.crt
#
ISRG Root X1 is absent, so it needs to be added.

Obtain the ISRG Root X1 certificate from another server

$ trust list | grep -C2 "ISRG Root X1"
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
type: certificate
label: ISRG Root X1
trust: anchor
category: authority
$
$ trust dump --filter "pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e" | openssl x509 | sudo tee ./ISRG-Root-X1.pem
$

Place the ISRG-Root-X1.pem certificate on the server

vim /etc/pki/ca-trust/source/anchors/ISRG-Root-X1.pem
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----
update-ca-trust
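The two manual steps above, writing X3.crt into the blacklist directory, writing ISRG-Root-X1.pem into the anchors directory, and then running update-ca-trust, can be scripted so that nothing is copied into the trust store without a sanity check. The following is an added example in POSIX shell, not code from the original post. The function names, the CA_TRUST_DIR variable and the return codes are my own choices; it assumes the two PEM files were exported with trust dump as shown earlier, and either plain CERTIFICATE or TRUSTED CERTIFICATE PEM blocks are accepted, since p11-kit reads both from these directories.

```shell
#!/bin/sh
# Added example, not part of the original post. Stages the two trust-store
# changes made by hand above into a ca-trust tree, with checks before any file
# is copied. CA_TRUST_DIR defaults to the CentOS 7 location the post uses;
# point it at a scratch directory to rehearse the change without touching the
# real store (update-ca-trust is then skipped).
set -eu

CA_TRUST_DIR="${CA_TRUST_DIR:-/etc/pki/ca-trust}"

# pem_looks_valid FILE: succeed only if FILE holds exactly one PEM certificate
# block, either plain or in OpenSSL's "TRUSTED CERTIFICATE" form (the form the
# post uses for the blacklisted X3.crt).
pem_looks_valid() {
    f="$1"
    [ -s "$f" ] || return 1
    begins=$(grep -c '^-----BEGIN \(TRUSTED \)\{0,1\}CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c '^-----END \(TRUSTED \)\{0,1\}CERTIFICATE-----$' "$f" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# install_trust_file SRC KIND NAME: copy SRC to $CA_TRUST_DIR/source/KIND/NAME.
# KIND is "anchors" (trust the certificate) or "blacklist" (distrust it).
# Returns 0 when the file was written, 2 when an identical file was already
# there (nothing to do), 1 on a bad KIND or a source that is not a single PEM.
install_trust_file() {
    src="$1"; kind="$2"; name="$3"
    case "$kind" in
        anchors|blacklist) ;;
        *) echo "install_trust_file: kind must be anchors or blacklist, got '$kind'" >&2; return 1 ;;
    esac
    if ! pem_looks_valid "$src"; then
        echo "install_trust_file: $src is not a single PEM certificate, refusing" >&2
        return 1
    fi
    dest="$CA_TRUST_DIR/source/$kind/$name"
    mkdir -p "$(dirname "$dest")"
    if [ -f "$dest" ] && cmp -s "$src" "$dest"; then
        echo "$dest already in place"
        return 2
    fi
    cp "$src" "$dest"
    chmod 0644 "$dest"            # readable by every process that validates TLS
    echo "installed $dest"
    return 0
}

# refresh_trust: rebuild the consolidated bundles, exactly as the post does by
# running update-ca-trust; skipped when rehearsing in a scratch directory.
refresh_trust() {
    if [ "$CA_TRUST_DIR" = /etc/pki/ca-trust ] && command -v update-ca-trust >/dev/null 2>&1; then
        update-ca-trust
    else
        echo "skipping update-ca-trust (not the system store, or tool not found)"
    fi
}

# apply_letsencrypt_fix X3_PEM X1_PEM: distrust DST Root CA X3 and trust
# ISRG Root X1, then refresh. Treats "already in place" as success so the
# script can be re-run safely.
apply_letsencrypt_fix() {
    rc=0; install_trust_file "$1" blacklist X3.crt || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return 1
    rc=0; install_trust_file "$2" anchors ISRG-Root-X1.pem || rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ] || return 1
    refresh_trust
}

# Stand-alone use: the two files exported earlier with `trust dump ... | tee`.
if [ -f ./DST-Root-CA-X3.pem ] && [ -f ./ISRG-Root-X1.pem ]; then
    apply_letsencrypt_fix ./DST-Root-CA-X3.pem ./ISRG-Root-X1.pem
else
    echo "usage: export DST-Root-CA-X3.pem and ISRG-Root-X1.pem first (see trust dump above)"
fi
```

Running it with `CA_TRUST_DIR=/tmp/rehearsal sh script.sh` shows exactly which files would land where without touching /etc/pki; the marker check stops a stray shell prompt or a `trust dump` error message from being installed as a "certificate", and the re-run returning 2 makes the fix safe to put in a configuration-management loop.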

Check whether the certificate has taken effect

# trust list | grep -C2 "ISRG Root X1"
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
type: certificate
label: ISRG Root X1
trust: anchor
category: authority
#

Verify that a site using a Let's Encrypt certificate can now be fetched

# wget 'https://gems.ruby-china.com/'
#
