我将相同的工作 SSL 客户端密钥/证书和/etc/apt/apt.conf.d/01_https_client_cert规则从(工作)14.04 VM 移植到全新的 16.04 安装。
我能够使用 SSL 客户端证书通过 apt repo 访问,curl但apt-get update出现以下错误:
6% [Working]* Hostname example.com was found in DNS cache
* Trying 11.22.33.44...
* Connected to example.com (11.22.33.44) port 443 (#29)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* error reading X.509 key or certificate file: Error while reading file.
* Closing connection 29
Ign:5 https://example.com/apt release/main all Packages
/etc/apt/apt.conf.d/01_ssl_client_auth在两个系统上都是一样的:
Debug::Acquire::https "true";
Acquire::https::example.com::SslCert "/opt/example/keyring/ssl_client.crt";
Acquire::https::example.com::SslKey "/opt/example/keyring/ssl_client.key";
两台机器上的权限相同:
ubuntu@ubuntu:~$ namei -mo /opt/example/keyring/ssl_client.crt
f: /opt/example/keyring/ssl_client.crt
drwxr-xr-x root root /
drwxr-sr-x ubuntu ubuntu opt
drwxrwsr-x ubuntu ubuntu example
drwxrws--- ubuntu ubuntu keyring
-rw-rw---- ubuntu ubuntu ssl_client.crt
琐事:
删除
01_ssl_client_auth规则将返回预期的403禁止响应(因为 repo 需要客户端证书)curl像这样工作就好了:curl --cert /opt/example/keyring/ssl_client.crt --key /opt/example/keyring/ssl_client.key https://example.com/apt/ Connected to example.com (11.22.33.44) port 443 (#0) found 173 certificates in /etc/ssl/certs/ca-certificates.crt found 697 certificates in /etc/ssl/certs ALPN, offering http/1.1 SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256 server certificate verification OK server certificate status verification SKIPPED common name: *.example.com (matched) server certificate expiration date OK server certificate activation date OK certificate public key: RSA (snip) ALPN, server did not agree to a protocol GET /apt/ HTTP/1.1 Host: example.com User-Agent: curl/7.47.0 Accept: */* HTTP/1.1 200 OK Server: nginx/1.4.6 (Ubuntu) Date: Wed, 18 May 2016 01:18:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive当然
apt-get,curl两者都可以在原始系统上运行,apt.conf.d并且具有相同的认证...
还有什么我应该看的吗?apt-get 中的 crt/key 是否更改为 pem?
答案1
Apt 会尽力放弃权限并以用户身份运行_apt。我不记得这种切换是什么时候发生的,但那是最近的事情(即很可能是在 14.04 之后)。因此,在以与您相同的方式修复了类似的问题(即确保a+rx在我想要_apt使用的证书的所有目录中都可用)后,我认为可以肯定地说您已经正确识别了问题。
答案2
你应该能够找到更多详细信息https://wiki.ubuntu.com/XenialXerus/ReleaseNotes#Apt_1.2
推荐的设置是将证书和密钥复制到不同的目录,并将用户权限更改为
_apt:无组
并配置
apt_transport_https
设置为使用新路径。
Acquire::https::cdn-mirror.insnw.net::CaInfo "/new/path/ca.crt";
Acquire::https::cdn-mirror.insnw.net::SslCert "/new/path.crt";
Acquire::https::cdn-mirror.insnw.net::SslKey "/new/path.key"";