00m.Ru
28 May 2015

Installing root CA certificates

FreeBSD/Linux servers sometimes report an error because no root certificates are installed.
For example:

[root@srv /tmp]# fetch https://example.com/file.tar.gz
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
52886:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:998:
fetch: https://example.com/file.tar.gz: Authentication error

This is fixed by installing the ca_root_nss port and symlinking its bundle to /etc/ssl/cert.pem:

[root@srv /tmp]# cd /usr/ports/security/ca_root_nss && make install clean && ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
===>  License MPL accepted by the user
===>  Found saved configuration for ca_root_nss-3.16.1
===>   ca_root_nss-3.19 depends on file: /usr/local/sbin/pkg - found
=> nss-3.19.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/nss-3.19.tar.gz
nss-3.19.tar.gz                               100% of 6788 kB  304 kBps 00m22s
===> Fetching all distfiles required by ca_root_nss-3.19 for building
===>  Extracting for ca_root_nss-3.19
=> SHA256 Checksum OK for nss-3.19.tar.gz.
===>  Patching for ca_root_nss-3.19
===>   ca_root_nss-3.19 depends on file: /usr/local/bin/perl5.20.2 - found
===>  Configuring for ca_root_nss-3.19
===>  Building for ca_root_nss-3.19
##  Untrusted certificates omitted from this bundle: 23
##  Number of certificates: 180
===>  Staging for ca_root_nss-3.19
===>   Generating temporary packing list
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
install  -m 0644 /usr/ports/security/ca_root_nss/work/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl/cert.pem.sample
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl/cert.pem.sample
====> Compressing man pages (compress-man)
===>  Installing for ca_root_nss-3.19
===>  Checking if ca_root_nss already installed
===>   Registering installation for ca_root_nss-3.19
Installing ca_root_nss-3.19...
********************************* WARNING *********************************

FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.

Assessment and verification of trust is the complete responsibility of the
system administrator.

*********************************** NOTE **********************************

This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.

This enables SSL Certificate Verification by client software without manual
intervention.

If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.

  * /etc/ssl/cert.pem
  * /usr/local/etc/ssl/cert.pem
  * /usr/local/openssl/cert.pem

***************************************************************************

===>  Cleaning for ca_root_nss-3.19
[root@srv /usr/ports/security/ca_root_nss]#

After that, try again:

[root@srv /tmp]# fetch https://example.com/file.tar.gz
file.tar.gz                    100% of 5057 kB  377 kBps 00m13s
[root@srv19admin /tmp]#
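
To see which of the trust-store paths listed in the install note actually resolve to a usable bundle, a check like the following can be run before and after installing the port. It is an added example, not part of the original post; the function names are made up for illustration, and it only counts PEM certificate markers without validating the certificates themselves.

```sh
#!/bin/sh
# Added example (not from the original post). The three paths are the
# symlinks named in the ca_root_nss install note.
DEFAULT_PATHS="/etc/ssl/cert.pem /usr/local/etc/ssl/cert.pem /usr/local/openssl/cert.pem"

# Print "<state> <certs> <path>[ -> <link target>]" for one path.
# Returns 0 only if the path yields at least one PEM certificate.
check_bundle() {
    path=$1
    target=""
    if [ -L "$path" ]; then
        target=" -> $(readlink "$path")"
        if [ ! -e "$path" ]; then
            echo "dangling 0 $path$target"
            return 1
        fi
    fi
    if [ ! -e "$path" ]; then
        echo "missing 0 $path"
        return 1
    fi
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" 2>/dev/null || true)
    if [ "${certs:-0}" -eq 0 ]; then
        # An empty (or unreadable) file: the install note's way to opt out.
        echo "empty 0 $path$target"
        return 1
    fi
    echo "ok $certs $path$target"
}

# Check every path given; succeed if at least one is usable.
audit_paths() {
    usable=0
    for p in "$@"; do
        if check_bundle "$p"; then
            usable=$((usable + 1))
        fi
    done
    [ "$usable" -gt 0 ]
}

# Word splitting of DEFAULT_PATHS is intentional here.
audit_paths $DEFAULT_PATHS ||
    echo "no usable CA bundle found: TLS certificate verification will fail"
```

A `dangling` result after removing or upgrading the port means the symlink still exists but the bundle it points to is gone, which produces the same verification failure as having no bundle at all.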