Background
I have a few Alibaba Cloud servers created in 2019; at the time I chose Aliyun Linux 17.1 (64-bit) as the operating system. Because the DST Root CA X3 certificate used by Let's Encrypt has expired, accessing sites that use Let's Encrypt certificates now fails with an SSL error:
```
ERROR: cannot verify gems.ruby-china.com's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
```
Process
On CentOS 7 a fix is already available: running `yum update ca-certificates` upgrades the system CA bundle and resolves the problem.
A search showed that the documentation for Aliyun Linux 17.1 is no longer available on the Alibaba Cloud website; only Alibaba Cloud Linux 2 and Alibaba Cloud Linux 3 remain. The only description I could find was a CSDN article stating that Aliyun Linux 17.1 is compatible with CentOS 7.2.
On Aliyun Linux 17.1, `yum update ca-certificates` simply reports `No packages marked for update`, and `yum install ca-certificates` reports `Package ca-certificates-2015.2.6-73.4.al7.noarch already installed and latest version`.
So the ca-certificates package in the official yum repository is still version 2015.2.6.
I looked up the built-in official Alibaba Cloud yum repository configured in the system, http://mirrors.aliyun.com/alinux/17.01/os/x86_64, and found that it has not been updated since 2019-12-22.
The Let's Encrypt expiry happened in September 2021, so the official repository obviously contains no update for this issue.
I opened a ticket with Alibaba Cloud to ask whether there was an official fix. The process went through:
- they could not find my machine's system information in their backend and suspected my system was Windows
- they suggested I run `yum -y install ca-certificates` to upgrade the package
- they suggested I simply ignore SSL and skip certificate verification when accessing the site
- they asked for the kernel version from `uname -r`
- they suggested running `yum install ca-certificates -b current`, which failed
After a long back-and-forth, support finally stated that support for Aliyun Linux 17.1 ended in 2019, and then kindly offered that I could grant them login authorization so they could log on to the server and help figure out a fix.
Exhausted, I decided not to waste any more time and to find a way to replace the certificates manually myself.
Solution
I had already investigated the Let's Encrypt certificate problem in an earlier post, Updating the CA root certificates on CentOS 7 to fix the Let's Encrypt certificate expiry. In short, the DST Root X3 certificate used by Let's Encrypt expired on 2021-09-30.
The fix therefore becomes:
- manually remove the DST Root X3 certificate on the server
- manually add Let's Encrypt's new certificates, IdenTrust Commercial Root CA 1 and ISRG Root X1
Related knowledge
Certificate-related paths on CentOS:
```
# trusted certificate list
/usr/share/pki/ca-trust-source
# blacklisted certificates
/etc/pki/ca-trust/source/blacklist
# whitelisted (anchor) certificates
/etc/pki/ca-trust/source/anchors
```
Certificate-related commands on CentOS:
```
# check whether a certificate is present in the system
trust list | grep -C2 "IdenTrust Commercial Root CA 1"
trust list | grep -C2 "ISRG Root X1"

## output
$ trust list | grep -C2 "ISRG Root X1"
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
$

# export a certificate
# DST-Root-CA-X3 certificate
trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee ./DST-Root-CA-X3.pem
# export the ISRG Root X1 certificate
trust dump --filter "pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e" | openssl x509 | sudo tee ./ISRG-Root-X1.pem
```
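The `pkcs11:id=%c4%a7...` filter values above are not arbitrary: p11-kit uses a certificate's Subject Key Identifier (SKI) as its PKCS#11 CKA_ID. The following is an added example, not code from the original post or from p11-kit, that decodes a PEM certificate with only the Python standard library and reports its validity period, whether it has expired, and the `trust dump --filter` string derived from its SKI. The embedded sample input is the DST Root CA X3 entry from the blacklist file shown further down on this page, in OpenSSL's "TRUSTED CERTIFICATE" form (certificate DER followed by a trust-aux block), which the parser handles by reading only the first DER element. It assumes single-byte DER tags, which holds for X.509, and returns `pkcs11_id` None for a certificate without an SKI extension.

```python
"""Inspect a PEM root certificate offline using only the Python standard library.

Added example; not code from the original post or from p11-kit. It extracts a
certificate's validity period and Subject Key Identifier (SKI). p11-kit exposes
the SKI as the PKCS#11 CKA_ID, so the pkcs11:id=%c4%a7... filter strings passed
to `trust dump` can be computed from the certificate itself. Assumes single-byte
DER tags (true for X.509); a certificate without an SKI yields pkcs11_id None.
"""
import base64
import re
from datetime import datetime, timezone

# Sample input taken from the blacklist file shown on this page: DST Root CA X3 in
# OpenSSL's "TRUSTED CERTIFICATE" form (certificate DER followed by an aux block).
DST_ROOT_CA_X3_PEM = """\
# DST Root CA X3 (expired)
-----BEGIN TRUSTED CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQMBwwCgYIKwYBBQUHAwEMDkRT
VCBSb290IENBIFgz
-----END TRUSTED CERTIFICATE-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN (?:TRUSTED )?CERTIFICATE-----(.*?)-----END (?:TRUSTED )?CERTIFICATE-----",
    re.S,
)
OID_SUBJECT_KEY_ID = bytes.fromhex("551d0e")  # 2.5.29.14 as encoded in DER

def pem_to_der(pem: str) -> bytes:
    """Base64-decode the first CERTIFICATE or TRUSTED CERTIFICATE block."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def parse_time(tag: int, raw: bytes) -> datetime:
    """X.509 Time: UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18)."""
    text = raw.decode("ascii")
    if tag == 0x17:  # RFC 5280: two-digit years >= 50 are in the 1900s
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_certificate(pem: str, now: datetime = None) -> dict:
    """Return validity dates, expiry status and the p11-kit style pkcs11:id filter."""
    _, cert, _ = read_tlv(pem_to_der(pem))  # first TLV only, so any aux block is ignored
    tbs = next(children(cert))[1]           # tbsCertificate SEQUENCE
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, spki, [extensions]
    (t0, v0), (t1, v1) = children(fields[3][1])
    not_before, not_after = parse_time(t0, v0), parse_time(t1, v1)
    ski = None
    for tag, val in fields[6:]:
        if tag != 0xA3:                     # [3] EXPLICIT Extensions
            continue
        for _, ext in children(next(children(val))[1]):
            parts = list(children(ext))     # OID, optional critical BOOLEAN, OCTET STRING
            if parts[0][1] == OID_SUBJECT_KEY_ID:
                ski = next(children(parts[-1][1]))[1]  # extnValue wraps the KeyIdentifier
    now = now or datetime.now(timezone.utc)
    return {
        "not_before": not_before,
        "not_after": not_after,
        "expired": not_after < now,
        "pkcs11_id": ("pkcs11:id=" + "".join("%%%02x" % b for b in ski)) if ski else None,
    }
```

Calling `inspect_certificate(DST_ROOT_CA_X3_PEM)` yields the 2021-09-30 14:01:15 UTC expiry and the exact `pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10` filter used above; run the same function over the exported ISRG-Root-X1.pem to confirm its SKI matches the `%79%b4%59...` id and that it is still valid, and over the rest of /etc/pki/ca-trust/source/anchors to spot any other expired roots before they cause the same failure.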
Certificates in the operating system
Blocking the DST Root X3 certificate
```
vim /etc/pki/ca-trust/source/blacklist/X3.crt

# DST Root CA X3 (expired)
-----BEGIN TRUSTED CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQMBwwCgYIKwYBBQUHAwEMDkRT
VCBSb290IENBIFgz
-----END TRUSTED CERTIFICATE-----

# refresh the system trust store
update-ca-trust
```
Verify that X3 has been removed
Run the following command:
```
# trust list | grep -C3 'DST Root CA X3'
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority
#
```
Seeing `trust: blacklisted` means the DST Root CA X3 certificate is no longer trusted, i.e. it has effectively been removed from the trust store.
Verify whether IdenTrust Commercial Root CA 1 and ISRG Root X1 are present
```
# trust list | grep -C2 "IdenTrust Commercial Root CA 1"
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%ed%44%19%c0%d3%f0%06%8b%ee%a4%7b%be%42%e7%26%54%c8%8e%36%76;type=cert
    type: certificate
    label: IdenTrust Commercial Root CA 1
    trust: anchor
    category: authority
#
# trust list | grep -C2 "ISRG Root X1"
p11-kit: overriding trust for anchor in blacklist: X3.crt
#
```
ISRG Root X1 is missing, so it has to be added.
Fetch the ISRG Root X1 certificate from another server
```
$ trust list | grep -C2 "ISRG Root X1"
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
$
$ trust dump --filter "pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e" | openssl x509 | sudo tee ./ISRG-Root-X1.pem
$
```
Store ISRG-Root-X1.pem on the server
```
vim /etc/pki/ca-trust/source/anchors/ISRG-Root-X1.pem

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMTUwNjA0MTEwNDM4
WhcNMzUwNjA0MTEwNDM4WjBPMQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJu
ZXQgU2VjdXJpdHkgUmVzZWFyY2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBY
MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAK3oJHP0FDfzm54rVygc
h77ct984kIxuPOZXoHj3dcKi/vVqbvYATyjb3miGbESTtrFj/RQSa78f0uoxmyF+
0TM8ukj13Xnfs7j/EvEhmkvBioZxaUpmZmyPfjxwv60pIgbz5MDmgK7iS4+3mX6U
A5/TR5d8mUgjU+g4rk8Kb4Mu0UlXjIB0ttov0DiNewNwIRt18jA8+o+u3dpjq+sW
T8KOEUt+zwvo/7V3LvSye0rgTBIlDHCNAymg4VMk7BPZ7hm/ELNKjD+Jo2FR3qyH
B5T0Y3HsLuJvW5iB4YlcNHlsdu87kGJ55tukmi8mxdAQ4Q7e2RCOFvu396j3x+UC
B5iPNgiV5+I3lg02dZ77DnKxHZu8A/lJBdiB3QW0KtZB6awBdpUKD9jf1b0SHzUv
KBds0pjBqAlkd25HN7rOrFleaJ1/ctaJxQZBKT5ZPt0m9STJEadao0xAH0ahmbWn
OlFuhjuefXKnEgV4We0+UXgVCwOPjdAvBbI+e0ocS3MFEvzG6uBQE3xDk3SzynTn
jh8BCNAw1FtxNrQHusEwMFxIt4I7mKZ9YIqioymCzLq9gwQbooMDQaHWBfEbwrbw
qHyGO0aoSCqI3Haadr8faqU9GY/rOPNk3sgrDQoo//fb4hVC1CLQJ13hef4Y53CI
rU7m2Ys6xt0nUW7/vGT1M0NPAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNV
HRMBAf8EBTADAQH/MB0GA1UdDgQWBBR5tFnme7bl5AFzgAiIyBpY9umbbjANBgkq
hkiG9w0BAQsFAAOCAgEAVR9YqbyyqFDQDLHYGmkgJykIrGF1XIpu+ILlaS/V9lZL
ubhzEFnTIZd+50xx+7LSYK05qAvqFyFWhfFQDlnrzuBZ6brJFe+GnY+EgPbk6ZGQ
3BebYhtF8GaV0nxvwuo77x/Py9auJ/GpsMiu/X1+mvoiBOv/2X/qkSsisRcOj/KK
NFtY2PwByVS5uCbMiogziUwthDyC3+6WVwW6LLv3xLfHTjuCvjHIInNzktHCgKQ5
ORAzI4JMPJ+GslWYHb4phowim57iaztXOoJwTdwJx4nLCgdNbOhdjsnvzqvHu7Ur
TkXWStAmzOVyyghqpZXjFaH3pO3JLF+l+/+sKAIuvtd7u+Nxe5AW0wdeRlN8NwdC
jNPElpzVmbUq4JUagEiuTDkHzsxHpFKVK7q4+63SM1N95R1NbdWhscdCb+ZAJzVc
oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq
4RgqsahDYVvTH9w7jXbyLeiNdd8XM2w9U/t7y0Ff/9yi0GE44Za4rF2LN9d11TPA
mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d
emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
-----END CERTIFICATE-----

update-ca-trust
```
Check whether the certificate has taken effect
```
# trust list | grep -C2 "ISRG Root X1"
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
#
```
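The three verification steps above (X3 blacklisted, IdenTrust Commercial Root CA 1 present, ISRG Root X1 present) each rely on eyeballing `grep -C` output. The following added example, not code from the original post or from p11-kit, parses the text that `trust list` prints into a label-to-trust map and reports every label whose state differs from the expected end state, so the check can be scripted and repeated on each server. The two fixtures are reproduced from this page's own `trust list` output (before and after ISRG Root X1 was added) so the parser runs without p11-kit installed; `live_trust_list()` shells out to the real `trust list` when the command exists.

```python
"""Check named CAs in `trust list` output against the state we expect.

Added example, not from the original post or from p11-kit. It parses the text
`trust list` prints into a label -> trust map and reports every label whose
state differs from EXPECTED. Fixtures are reproduced from this page's output so
the parser runs offline; live_trust_list() uses the real command when present.
"""
import shutil
import subprocess

# Desired end state for this page's fix: X3 distrusted, the two new roots trusted.
EXPECTED = {
    "DST Root CA X3": "blacklisted",
    "IdenTrust Commercial Root CA 1": "anchor",
    "ISRG Root X1": "anchor",
}

# Fixture: `trust list` output after blacklisting X3 but before adding ISRG Root X1
# (reproduced from the page; the p11-kit warning line is part of the real output).
BEFORE_ISRG = """\
p11-kit: overriding trust for anchor in blacklist: X3.crt
pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10;type=cert
    type: certificate
    label: DST Root CA X3
    trust: blacklisted
    category: authority
pkcs11:id=%ed%44%19%c0%d3%f0%06%8b%ee%a4%7b%be%42%e7%26%54%c8%8e%36%76;type=cert
    type: certificate
    label: IdenTrust Commercial Root CA 1
    trust: anchor
    category: authority
"""
# Fixture: the same store after ISRG-Root-X1.pem was added to anchors/.
AFTER_ISRG = BEFORE_ISRG + """\
pkcs11:id=%79%b4%59%e6%7b%b6%e5%e4%01%73%80%08%88%c8%1a%58%f6%e9%9b%6e;type=cert
    type: certificate
    label: ISRG Root X1
    trust: anchor
    category: authority
"""


def parse_trust_list(text: str) -> dict:
    """Map certificate label -> trust value ("anchor", "blacklisted", ...).

    Each entry starts with a `pkcs11:` URI line followed by indented
    `key: value` lines; anything else (for example p11-kit warnings) is skipped.
    """
    entries, current = {}, {}
    for line in text.splitlines() + ["pkcs11:"]:  # sentinel flushes the last entry
        if line.startswith("pkcs11:"):
            if "label" in current:
                entries[current["label"]] = current.get("trust")
            current = {}
        elif line.startswith("    ") and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return entries


def check_store(text: str, expected: dict = EXPECTED) -> dict:
    """Return {label: (expected, actual)} for every mismatch; an empty dict means OK.

    A label missing from the output (not installed at all) shows up with actual None,
    which is exactly the ISRG Root X1 situation before the anchor file was added.
    """
    actual = parse_trust_list(text)
    return {label: (want, actual.get(label))
            for label, want in expected.items() if actual.get(label) != want}


def live_trust_list() -> str:
    """Output of the real `trust list`; raises RuntimeError when p11-kit is absent."""
    if shutil.which("trust") is None:
        raise RuntimeError("p11-kit `trust` command not found")
    return subprocess.run(["trust", "list"], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    mismatches = check_store(live_trust_list())
    for label, (want, got) in mismatches.items():
        print("MISMATCH %s: expected %s, got %s" % (label, want, got))
    print("trust store OK" if not mismatches else "trust store needs attention")
```

Against the first fixture `check_store` returns `{"ISRG Root X1": ("anchor", None)}`, matching the manual finding above that ISRG Root X1 was missing; against the second it returns an empty dict. Run `python3 check_store.py` (any file name) on the server after `update-ca-trust` to get the same answer without reading through the grep output.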
Verify that a site using a Let's Encrypt certificate can now be accessed
```
# wget 'https://gems.ruby-china.com/'
#
```