SSL 問題“對等方的證書頒發者已被標記為不受使用者信任。”
我們有一個面向公眾的開發伺服器,它需要 SSL 才能實現特定功能。
然而,以任何形式使用 SSL 的一切都會返回
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.這不是“好吧,只在 yum 上使用 ssl-verify=false 或在 curl 請求上使用 –insecure ”的問題。
我意識到我可以在這兩個上都這樣做來接聽電話。但最終 - 我必須能夠使用 SSL,因為我們使用這些伺服器的開發需要它。
看來 CA 已經過時了。我嘗試了以下 https://access.redhat.com/solutions/1549003
我試過自己導入 cacert.pem 文件(我承認,我在這裡缺乏知識,所以可能我做錯了)
我已經檢查了伺服器上的日期/時間,以確保這不是問題。
我無法讓“網路管理員”(使用鬆散的術語,因為他將是第一個承認他對 Linux 完全不了解的人——純微軟)甚至為在這台機器上重新安裝 Centos 而煩惱,所以我需要找到一個解決這個問題。
任何幫助,將不勝感激。以下是我們在嘗試執行 yum、curl 和執行 certbot –apache 等操作時得到的一些範例
百勝
[root@localhost work]# yum reinstall mc Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel- 7&arch=x86_64 error was 14: curl#60 - "Peer's certificate issuer has been marked as not trusted by the user." * base: repos.dfw.quadranet.com * epel: mirror.compevo.com * extras: repos-tx.psychz.net * updates: mirror.us.oneandone.net * webtatic: repo.webtatic.com https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user." Trying other mirror. It was impossible to connect to the CentOS servers. This could mean a connectivity issue in your environment, such as the requirement to configure a proxy, or a transparent proxy that tampers with TLS security, or an incorrect system clock. You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors If above article doesn't help to resolve this issue please use https://bugs.centos.org/. https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user." Trying other mirror. https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user." Trying other mirror. https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user." Trying other mirror.捲曲
[root@localhost work]# curl https://www.google.com curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: http://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.CERTBOT(用於 LETSENCRYPT SSL 證書請求)
[root@localhost work]# sudo certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): email@host.com Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org An unexpected error occurred: SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579) Please see the logfiles in /var/log/letsencrypt for more details.
想回答並關閉這個以供將來參考。
原來我們確實有一個代理伺服器搞砸了。我們在工作中遇到了非常有趣的情況(3 家公司,2 家由我公司的一位所有者擁有,與我自己的公司分開)。
事實證明,B 公司的系統管理員多年前在循環 x 中放置了一個代理伺服器,卻完全忘記了它。輸入我公司的系統管理員,他將接管所有公司的整個系統管理員角色。沒有人告訴他關於代理的事情。它在無人知曉的情況下執行了多年。
我這裡是在 CentOS7 中,執行
pyspider顯示錯誤:
Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user並使用以下步驟修復它:
更改無效的 libcurl .so 文件:
/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl到有效的 libcurl .so 文件:
/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0並重新安裝 pycurl:
pip3 uninstall pycurl export PYCURL_SSL_LIBRARY=nss export LDFLAGS=-L/usr/local/opt/openssl/lib;export CPPFLAGS=-I/usr/local/opt/openssl/include;pip install pycurl --compile --no-cache-dir詳細描述參考另一個SO文章