Ubuntu 20.04 installed from scratch - x509: certificate signed by unknown authority error on every application


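I recently installed Ubuntu 20.04. Given how long it has been since its release, I assumed it would be stable. After installing, I went into the Snap Store (named Ubuntu Software) and saw a few new programs appear, but after a while only the Editor's Picks option was displayed and nothing else.

I tried to install PyCharm from the command line using snap, sudo snap install pycharm-community --classic , but it gave this error: x509: certificate signed by unknown authority.

After that, I decided to purge the snap store and reinstall it. After running these two commands: sudo apt-get update , sudo apt install snapd , I entered the command sudo snap install snap-store and got the same certificate error again.

I don't know what is going on. I installed from scratch.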

Edit 1
Output of snap list

No snaps are installed yet. Try 'snap install hello-world'.

Output of sudo snap install snap-store

error: cannot install "snap-store": Post
       https://api.snapcraft.io/v2/snaps/refresh: x509: certificate signed by
       unknown authority

Answer 1

This is probably caused by missing trusted CA certificates.

Confirm the cause

Test #1

openssl s_client -connect api.snapcraft.io:443

Example response confirming that the CA certificate is missing. See the line containing verify error

$ openssl s_client -connect api.snapcraft.io:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify error:num=20:unable to get local issuer certificate

Test #2

ls -l /etc/ssl/certs | grep -i digicert

The DigiCert CA certificates should be listed as follows

b1159c4c.0 -> DigiCert_Assured_ID_Root_CA.pem
dd8e9d41.0 -> DigiCert_Global_Root_G3.pem
244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
3513523f.0 -> DigiCert_Global_Root_CA.pem
607986c7.0 -> DigiCert_Global_Root_G2.pem
7f3d5d1d.0 -> DigiCert_Assured_ID_Root_G3.pem
75d1b2ed.0 -> DigiCert_Trusted_Root_G4.pem
9d04f354.0 -> DigiCert_Assured_ID_Root_G2.pem

If not, they need to be added.

Solution

sudo dpkg-reconfigure ca-certificates
sudo systemctl restart snapd
sudo snap refresh

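The first command lets you add new CA certificates interactively. The source of the certificates to add can usually be found in the directory /usr/share/ca-certificates/mozilla/

If a certificate is missing, it can be obtained from https://www.digicert.com/kb/digicert-root-certificates.htm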

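Answer 2

I ran into this problem on a corporate network where a Zscaler firewall is installed, which does SSL inspection by injecting its own ROOT CA. In my case, I extracted this custom root CA in pem format (you can use openssl or a browser):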

zangetsu@CZ-6FXPQV3:~/zscaler-intermediate-chain$ cat /usr/local/share/ca-certificates/zscaler_root_ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

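Now I had to put the file into the /usr/local/share/ca-certificates/ folder and run sudo update-ca-certificates

Now the other problem is snap, which uses a mount/copy of the local store that does not have this certificate, so I had to run:

sudo mount --bind -o nodev,ro /etc/ssl/certs /snap/core22/current/etc/ssl/certs/

As a stopgap, until snap finds a way to manage root CAs for all applications, you can create a systemd mount file that runs at boot: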

$ cat <<-EOF | sudo tee /etc/systemd/system/snap-core-current-etc-ssl-certs.mount
[Unit]
Description=Mount unit to fix etc ssl certs in core package
After=snapd.service

[Mount]
What=/etc/ssl/certs
Where=/snap/core/current/etc/ssl/certs
Type=none
Options=bind,nodev,ro

[Install]
WantedBy=multi-user.target
EOF
$ systemctl enable snap-core-current-etc-ssl-certs.mount
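
Added example, not part of either answer: a shell script that reads a saved openssl s_client transcript and tells apart the two causes described above, a missing public CA (Answer 1) and an unexpected issuer such as a TLS inspection proxy (Answer 2). The function names, result labels and the Example Corp transcript are constructed for illustration; it assumes the endpoint's real chain is issued by DigiCert, as in Answer 1's output.

```shell
#!/bin/sh
# Added example (not from the answers above): triage a saved transcript of
#   openssl s_client -connect api.snapcraft.io:443 </dev/null >transcript.txt 2>&1
# Assumption: the endpoint's real chain is issued by DigiCert, as in Answer 1's output.

# openssl prints "depth=N <subject>" right before "verify error:..."; return that subject.
failing_subject() {
    awk '/^depth=/ { subj = $0 }
         /^verify error:/ { sub(/^depth=[0-9]+ /, "", subj); print subj; exit }' "$1"
}

# Test #2 from Answer 1: does the trust directory hold any entry naming this CA?
store_has_ca() { ls "$1" 2>/dev/null | grep -qi -- "$2"; }

# $1 = transcript file, $2 = trust directory, $3 = CA name expected for this endpoint
triage() {
    subj=$(failing_subject "$1")
    if [ -z "$subj" ]; then
        echo "verified"              # no verify error in the transcript
    elif ! printf '%s\n' "$subj" | grep -qi -- "$3"; then
        echo "unexpected-issuer"     # someone else signs for this host (Answer 2)
    elif store_has_ca "$2" "$3"; then
        echo "store-incomplete"      # CA files exist, yet the issuer was not found
    else
        echo "expected-ca-missing"   # Answer 1: dpkg-reconfigure ca-certificates
    fi
}

# --- constructed sample data, so the script runs offline ---
work=$(mktemp -d)
mkdir "$work/empty" "$work/certs"
: > "$work/certs/DigiCert_Global_Root_CA.pem"
cat > "$work/missing.txt" <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify error:num=20:unable to get local issuer certificate
EOF
cat > "$work/proxy.txt" <<'EOF'
CONNECTED(00000003)
depth=2 O = Example Corp, CN = Example Corp Inspection Root CA
verify error:num=19:self-signed certificate in certificate chain
EOF

for t in missing proxy; do
    printf '%s: %s\n' "$t" "$(triage "$work/$t.txt" "$work/empty" DigiCert)"
done
```

An unexpected-issuer result means the subject printed by failing_subject should be compared with the root CA your network team publishes before it is added to /usr/local/share/ca-certificates/.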
