Centos

SSL problem: "Peer's certificate issuer has been marked as not trusted by the user."

  • September 12, 2021

We have a public-facing development server that needs SSL for certain functionality.

However, everything that uses SSL in any form returns

curl: (60) Peer's certificate issuer has been marked as not trusted by the user.

This isn't a "well, just use ssl-verify=false on yum or --insecure on the curl requests" question.

I realise I could do that on both to get the calls through. But ultimately I have to be able to use SSL, because the development we use these servers for requires it.

It looks like the CA is out of date. I tried the following: https://access.redhat.com/solutions/1549003

I tried importing the cacert.pem file myself (I admit I'm lacking knowledge here, so I may have done it wrong).

I have checked the date/time on the server to make sure that isn't the problem.

I can't get the "network administrator" (using the term loosely, since he would be the first to admit he knows nothing at all about Linux, pure Microsoft) to even bother reinstalling CentOS on this machine, so I need to find a fix for this.

Any help would be appreciated. Below are some examples of what we get when trying to run yum, curl and certbot --apache.

Yum

[root@localhost work]# yum reinstall mc
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Could not get metalink https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64 error was
14: curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
* base: repos.dfw.quadranet.com
* epel: mirror.compevo.com
* extras: repos-tx.psychz.net
* updates: mirror.us.oneandone.net
* webtatic: repo.webtatic.com
https://us-east.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
It was impossible to connect to the CentOS servers.
This could mean a connectivity issue in your environment, such as the requirement to configure a proxy,
or a transparent proxy that tampers with TLS security, or an incorrect system clock.
You can try to solve this issue by using the instructions on https://wiki.centos.org/yum-errors
If above article doesn't help to resolve this issue please use https://bugs.centos.org/.

https://uk.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
https://sp.repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.
https://repo.webtatic.com/yum/el7/x86_64/repodata/repomd.xml: [Errno 14] curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
Trying other mirror.

curl

[root@localhost work]# curl https://www.google.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

CERTBOT (FOR THE LETSENCRYPT SSL CERTIFICATE REQUEST)

[root@localhost work]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): email@host.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
An unexpected error occurred:
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579)
Please see the logfiles in /var/log/letsencrypt for more details.

Wanted to answer and close this for future reference.

It turns out we did have a proxy messing things up. We have a very interesting situation at work (3 companies, 2 of them owned by one of my company's owners, separate from my own company).

As it turns out, Company B's sysadmin put a proxy into the loop years ago and completely forgot about it. Enter my company's sysadmin, who was taking over the whole sysadmin role for all of the companies. Nobody told him about the proxy. It had been running for years without anyone knowing.
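A diagnostic for the situation described in this thread, added here as an example and not code from the original post: it lists every explicit proxy setting on the host, attempts a normal verified handshake against the system CA bundle and, if that fails, shows the issuer of the certificate the peer actually presents, which behind a forgotten intercepting proxy is the proxy's private CA rather than the public one. Assumed: /etc/yum.conf and the openssl CLI exist (both do on stock CentOS 7), and the mirrors.fedoraproject.org host from the yum output above is the default target.

```python
"""Diagnose "Peer's certificate issuer ... not trusted": list explicit proxy settings and,
if a verified handshake fails, show who signed the cert the peer really presents."""
import os, re, socket, ssl, subprocess

PROXY_VARS = ("http_proxy", "https_proxy", "all_proxy")

def parse_yum_proxy(conf_text):
    """Return the proxy= value from yum.conf text, or None (commented lines ignored)."""
    m = re.search(r"^\s*proxy\s*=\s*(\S+)", conf_text, re.MULTILINE)
    return m.group(1) if m else None

def proxy_settings(env=None, yum_conf="/etc/yum.conf"):
    """Collect every explicit proxy setting that puts a middlebox in the TLS path."""
    env = os.environ if env is None else env
    found = {k: v for k, v in env.items() if k.lower() in PROXY_VARS}
    try:
        with open(yum_conf) as f:  # assumed path; stock CentOS 7 location
            proxy = parse_yum_proxy(f.read())
        if proxy:
            found["yum.conf"] = proxy
    except OSError:
        pass  # no yum.conf on this host: nothing to report from it
    return found

def verifies_with_bundle(host, port=443, cafile=None):
    """True if a normal verified handshake succeeds against the system (or given) CA bundle."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLError:
        return False

def presented_issuer(host, port=443):
    """Issuer DN of the leaf cert the peer sends (fetched unverified, for inspection only)."""
    pem = ssl.get_server_certificate((host, port))
    # openssl x509 reads the PEM from stdin; the 3.6-era kwargs keep this runnable on CentOS 7
    out = subprocess.run(["openssl", "x509", "-noout", "-issuer"], input=pem,
                         stdout=subprocess.PIPE, universal_newlines=True, check=True)
    return out.stdout.strip()

def diagnose(host="mirrors.fedoraproject.org", port=443, cafile=None):
    """Proxy settings plus, on verify failure, the presented issuer (a private CA = interception)."""
    report = {"proxies": proxy_settings(), "verifies": verifies_with_bundle(host, port, cafile)}
    if not report["verifies"]:
        report["issuer"] = presented_issuer(host, port)
    return report

if __name__ == "__main__":
    print(diagnose())
```

If `verifies` is False and the issuer is not the public CA you expect for that host, something on the path is re-signing TLS; compare it against the corporate CA the proxy uses before deciding whether to trust it.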

I'm on CentOS 7 here, and running pyspider showed the error:

Exception HTTP 599 Peer's certificate issuer has been marked as not trusted by the user

and fixed it with the following steps:

Change the invalid libcurl .so file:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0_openssl

to the valid libcurl .so file:

/usr/lib64/libcurl.so.4 -> libcurl.so.4.3.0

and reinstall pycurl:

pip3 uninstall pycurl
export PYCURL_SSL_LIBRARY=nss
export LDFLAGS=-L/usr/local/opt/openssl/lib;export CPPFLAGS=-I/usr/local/opt/openssl/include;pip install pycurl --compile --no-cache-dir

For a detailed description, see another SO post.

Quoted from: https://serverfault.com/questions/942238