Иногда на серверах FreeBSD/Linux возникает ошибка из-за отсутствия корневых сертификатов
Например:
[root@srv /tmp]# fetch https://example.com/file.tar.gz
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
52886:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:998:
fetch: https://example.com/file.tar.gz: Authentication error
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
52886:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:998:
fetch: https://example.com/file.tar.gz: Authentication error
Решается установкой порта ca_root_nss
[root@srv /tmp]# cd /usr/ports/security/ca_root_nss && make install clean && ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
===> License MPL accepted by the user
===> Found saved configuration for ca_root_nss-3.16.1
===> ca_root_nss-3.19 depends on file: /usr/local/sbin/pkg — found
=> nss-3.19.tar.gz doesn‘t seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/nss-3.19.tar.gz
nss-3.19.tar.gz 100% of 6788 kB 304 kBps 00m22s
===> Fetching all distfiles required by ca_root_nss-3.19 for building
===> Extracting for ca_root_nss-3.19
=> SHA256 Checksum OK for nss-3.19.tar.gz.
===> Patching for ca_root_nss-3.19
===> ca_root_nss-3.19 depends on file: /usr/local/bin/perl5.20.2 — found
===> Configuring for ca_root_nss-3.19
===> Building for ca_root_nss-3.19
## Untrusted certificates omitted from this bundle: 23
## Number of certificates: 180
===> Staging for ca_root_nss-3.19
===> Generating temporary packing list
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
install -m 0644 /usr/ports/security/ca_root_nss/work/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl/cert.pem.sample
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl/cert.pem.sample
====> Compressing man pages (compress-man)
===> Installing for ca_root_nss-3.19
===> Checking if ca_root_nss already installed
===> Registering installation for ca_root_nss-3.19
Installing ca_root_nss-3.19…
********************************* WARNING *********************************
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
*********************************** NOTE **********************************
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
***************************************************************************
===> Cleaning for ca_root_nss-3.19
[root@srv19admin /usr/ports/security/ca_root_nss]#
===> License MPL accepted by the user
===> Found saved configuration for ca_root_nss-3.16.1
===> ca_root_nss-3.19 depends on file: /usr/local/sbin/pkg — found
=> nss-3.19.tar.gz doesn‘t seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_19_RTM/src/nss-3.19.tar.gz
nss-3.19.tar.gz 100% of 6788 kB 304 kBps 00m22s
===> Fetching all distfiles required by ca_root_nss-3.19 for building
===> Extracting for ca_root_nss-3.19
=> SHA256 Checksum OK for nss-3.19.tar.gz.
===> Patching for ca_root_nss-3.19
===> ca_root_nss-3.19 depends on file: /usr/local/bin/perl5.20.2 — found
===> Configuring for ca_root_nss-3.19
===> Building for ca_root_nss-3.19
## Untrusted certificates omitted from this bundle: 23
## Number of certificates: 180
===> Staging for ca_root_nss-3.19
===> Generating temporary packing list
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
install -m 0644 /usr/ports/security/ca_root_nss/work/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/share/certs
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/etc/ssl/cert.pem.sample
/bin/mkdir -p /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl
/bin/ln -sf /usr/local/share/certs/ca-root-nss.crt /usr/ports/security/ca_root_nss/work/stage/usr/local/openssl/cert.pem.sample
====> Compressing man pages (compress-man)
===> Installing for ca_root_nss-3.19
===> Checking if ca_root_nss already installed
===> Registering installation for ca_root_nss-3.19
Installing ca_root_nss-3.19…
********************************* WARNING *********************************
FreeBSD does not, and can not warrant that the certification authorities
whose certificates are included in this package have in any way been
audited for trustworthiness or RFC 3647 compliance.
Assessment and verification of trust is the complete responsibility of the
system administrator.
*********************************** NOTE **********************************
This package installs symlinks to support root certificates discovery by
default for software that uses OpenSSL.
This enables SSL Certificate Verification by client software without manual
intervention.
If you prefer to do this manually, replace the following symlinks with
either an empty file or your site-local certificate bundle.
* /etc/ssl/cert.pem
* /usr/local/etc/ssl/cert.pem
* /usr/local/openssl/cert.pem
***************************************************************************
===> Cleaning for ca_root_nss-3.19
[root@srv19admin /usr/ports/security/ca_root_nss]#
После этого, пробуем:
[root@srv /tmp]# fetch https://example.com/file.tar.gz
file.tar.gz 100% of 5057 kB 377 kBps 00m13s
[root@srv19admin /tmp]#
file.tar.gz 100% of 5057 kB 377 kBps 00m13s
[root@srv19admin /tmp]#
Добавить комментарий