Certificate-Authority

CA file disappears after upgrading Ubuntu packages

  • September 9, 2015

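I have an Ubuntu 12.04 server that had not been upgraded for 2 years. It ran fine until we decided to upgrade it.

After the upgrade (apt-get upgrade), the CA file /usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt disappeared, and programs cannot access Entrust Certification Authority - L1C.

Any idea why this happens?

Here is the log: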

    ubuntu@ip-10-67-192-40:~$ curl -i https://api.demo.com/ #works
    ubuntu@ip-10-67-192-40:~$ file /etc/ssl/certs/5f267794.0
    /etc/ssl/certs/5f267794.0: symbolic link to Entrust.net_Secure_Server_CA.pem'
    ubuntu@ip-10-67-192-40:~$ file /etc/ssl/certs/Entrust.net_Secure_Server_CA.pem
    /etc/ssl/certs/Entrust.net_Secure_Server_CA.pem: symbolic link to /usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt'
    ubuntu@ip-10-67-192-40:~$ file /usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt
    /usr/share/ca-certificates/mozilla/Entrust.net_Secure_Server_CA.crt: PEM certificate
    ubuntu@ip-10-67-192-40:~$ sudo update-ca-certificates
    Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
    root@ip-10-67-192-40:~# apt-get update; apt-get upgrade
    ubuntu@ip-10-67-192-40:~$ curl -i https://api.demo.com/ #dosen't work

It looks like this is the relevant changelog entry:

ca-certificates (20140927) unstable; urgency=medium

 * Update Mozilla certificate authority bundle to version 2.1.
 [...]
   The following certificate authorities were removed (-):
   - "Entrust.net Secure Server CA"
 [...]

-- Michael Shuler <michael@pbandjelly.org>  Sat, 27 Sep 2014 15:14:00 -0500

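After a quick bit of DDGing, I found this Mozilla bug requesting the removal, which references another bug indicating that the CA certificate in question had been deprecated and had all of its trust bits removed, and was therefore removed from NSS.

Given that the certificate was removed from NSS in 2011 (Firefox 6), and was probably deprecated some time before that, I'd say it is past time to get a new certificate for the site you are trying to access.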

Quoted from: https://serverfault.com/questions/710277
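As an added example, not part of the original question or answer: these shell functions parse ca-certificates changelog text in the format quoted above and report which package version removed a given CA. The function names, the `Example ...` entries in the sample changelog, and the changelog path in the final comment are assumptions.

```shell
#!/bin/sh
# removed_cas: read a Debian changelog on stdin and print "version<TAB>CA name"
# for every CA listed under a "were removed (-):" heading.
removed_cas() {
    awk '
        /^ca-certificates \(/ {        # entry header, e.g. ca-certificates (20140927) ...
            ver = $2; gsub(/[()]/, "", ver); in_removed = 0; next
        }
        /certificate authorities were removed \(-\):/ { in_removed = 1; next }
        in_removed && /^[ \t]*- "/ {   # one removed CA per line: - "Name"
            name = $0
            sub(/^[ \t]*- "/, "", name); sub(/"[ \t]*$/, "", name)
            printf "%s\t%s\n", ver, name
            next
        }
        in_removed && !/^[ \t]*$/ { in_removed = 0 }   # other non-blank text ends the list
    '
}

# ca_removed_in NAME: read a changelog on stdin; print the version whose entry
# removed NAME and return 0, or return 1 if no entry lists it.
ca_removed_in() {
    removed_cas | awk -F '\t' -v want="$1" '
        $2 == want { print $1; found = 1; exit }
        END { exit !found }'
}

# Constructed sample, modelled on the changelog excerpt quoted above.
# The "Example ..." CA names are made up for illustration.
sample_changelog() {
    cat <<'EOF'
ca-certificates (20140927) unstable; urgency=medium

  * Update Mozilla certificate authority bundle to version 2.1.
    The following certificate authorities were added (+):
    + "Example Added Root CA"
    The following certificate authorities were removed (-):
    - "Entrust.net Secure Server CA"
    - "Example Removed Root CA"

 -- Michael Shuler <michael@pbandjelly.org>  Sat, 27 Sep 2014 15:14:00 -0500
EOF
}

# On a real system (usual Debian/Ubuntu changelog location, assumed here):
#   zcat /usr/share/doc/ca-certificates/changelog.gz | ca_removed_in "Entrust.net Secure Server CA"
```

Running the check before `apt-get upgrade` against the changelog of the pending package version shows whether a root that a service still chains to is about to leave the trust store.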