Установка корневых центров сертификации

Иногда на серверах FreeBSD/Linux возникает ошибка из-за отсутствия корневых сертификатов

[root@srv /tmp]# fetch https://example.com/file.tar.gz
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
52886:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:998:
fetch: https://example.com/file.tar.gz: Authentication error

Решается установкой порта ca_root_nss

[root@srv /tmp]# cd /usr/ports/security/ca_root_nss && make install clean && ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
===>  License MPL accepted by the user
===>  Found saved configuration for ca_root_nss-3.16.1
===>   ca_root_nss-3.19 depends on file: /usr/local/sbin/pkg - found
=> nss-3.19.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/nss-3.19.tar.gz
nss-3.19.tar.gz                               100% of 6788 kB  304 kBps 00m22s
===> Fetching all distfiles required by ca_root_nss-3.19 for building
===>  Extracting for ca_root_nss-3.19
=> SHA256 Checksum OK for nss-3.19.tar.gz.
===>  Patching for ca_root_nss-3.19
===>   ca_root_nss-3.19 depends on file: /usr/local/bin/perl5.20.2 - found
===>  Configuring for ca_root_nss-3.19
===>  Building for ca_root_nss-3.19
##  Untrusted certificates omitted from this bundle: 23
##  Number of certificates: 180
===>  Staging for ca_root_nss-3.19
===>   Generating temporary packing list
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
install  -m 0644 /usr/ports/security/ca_root_nss/work/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl/cert.pem.sample
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl/cert.pem.sample
====> Compressing man pages (compress-man)
===>  Installing for ca_root_nss-3.19
===>  Checking if ca_root_nss already installed
===>   Registering installation for ca_root_nss-3.19
Installing ca_root_nss-3.19...
********************************* WARNING *********************************

FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.

*********************************** NOTE **********************************

This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem


===>  Cleaning for ca_root_nss-3.19
[[email protected] /usr/ports/security/ca_root_nss]#

После этого, пробуем:

[root@srv /tmp]# fetch https://example.com/file.tar.gz
file.tar.gz                    100% of 5057 kB  377 kBps 00m13s
[root@srv19admin /tmp]#

Добавить комментарий

Ваш адрес email не будет опубликован. Обязательные поля помечены *

Закончите арифметическое действие * Лимит времени истёк. Пожалуйста, перезагрузите CAPTCHA.