从 0 - x509 安装 ubuntu 20.04：每个应用程序上都出现由未知颁发机构签名的证书错误

Question 1

这可能是由于缺少受信任的 CA 证书。

确认原因

测试 #1

openssl s_client -connect api.snapcraft.io:443

确认缺少 CA 证书的响应示例。请参阅带有以下内容的行verify error：

$ openssl s_client -connect api.snapcraft.io:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify error:num=20:unable to get local issuer certificate

测试 #2

ls -l /etc/ssl/certs | grep -i digicert

DigiCert CA 证书应显示如下

b1159c4c.0 -> DigiCert_Assured_ID_Root_CA.pem
dd8e9d41.0 -> DigiCert_Global_Root_G3.pem
244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
3513523f.0 -> DigiCert_Global_Root_CA.pem
607986c7.0 -> DigiCert_Global_Root_G2.pem
7f3d5d1d.0 -> DigiCert_Assured_ID_Root_G3.pem
75d1b2ed.0 -> DigiCert_Trusted_Root_G4.pem
9d04f354.0 -> DigiCert_Assured_ID_Root_G2.pem

如果没有，则需要添加。

解决方案

sudo dpkg-reconfigure ca-certificates
sudo systemctl restart snapd
sudo snap refresh

第一个命令允许您以交互方式添加新的 CA 证书。添加证书的来源通常可以在目录中找到 /usr/share/ca-certificates/mozilla/

如果缺少证书，可以从 https://www.digicert.com/kb/digicert-root-certificates.htm

Answer

这可能是由于缺少受信任的 CA 证书。

确认原因

测试 #1

openssl s_client -connect api.snapcraft.io:443

确认缺少 CA 证书的响应示例。请参阅带有以下内容的行verify error：

$ openssl s_client -connect api.snapcraft.io:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify error:num=20:unable to get local issuer certificate

测试 #2

ls -l /etc/ssl/certs | grep -i digicert

DigiCert CA 证书应显示如下

b1159c4c.0 -> DigiCert_Assured_ID_Root_CA.pem
dd8e9d41.0 -> DigiCert_Global_Root_G3.pem
244b5494.0 -> DigiCert_High_Assurance_EV_Root_CA.pem
3513523f.0 -> DigiCert_Global_Root_CA.pem
607986c7.0 -> DigiCert_Global_Root_G2.pem
7f3d5d1d.0 -> DigiCert_Assured_ID_Root_G3.pem
75d1b2ed.0 -> DigiCert_Trusted_Root_G4.pem
9d04f354.0 -> DigiCert_Assured_ID_Root_G2.pem

如果没有，则需要添加。

解决方案

sudo dpkg-reconfigure ca-certificates
sudo systemctl restart snapd
sudo snap refresh

第一个命令允许您以交互方式添加新的 CA 证书。添加证书的来源通常可以在目录中找到 /usr/share/ca-certificates/mozilla/

如果缺少证书，可以从 https://www.digicert.com/kb/digicert-root-certificates.htm

Question 2

我在公司网络中遇到了这个问题，其中安装了 zscaler 防火墙，它通过注入自己的 ROOT CA 进行 SSL 检查，在我的例子中，我以 pem 格式提取了这个自定义根 CA（您可以使用 openssl 或浏览器）：

zangetsu@CZ-6FXPQV3:~/zscaler-intermediate-chain$ cat /usr/local/share/ca-certificates/zscaler_root_ca.crt
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIJANu+mC2Jt3uTMA0GCSqGSIb3DQEBCwUAMIGhMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
FTATBgNVBAoTDFpzY2FsZXIgSW5jLjEVMBMGA1UECxMMWnNjYWxlciBJbmMuMRgw
FgYDVQQDEw9ac2NhbGVyIFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRA
enNjYWxlci5jb20wHhcNMTQxMjE5MDAyNzU1WhcNNDIwNTA2MDAyNzU1WjCBoTEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBK
b3NlMRUwEwYDVQQKEwxac2NhbGVyIEluYy4xFTATBgNVBAsTDFpzY2FsZXIgSW5j
LjEYMBYGA1UEAxMPWnNjYWxlciBSb290IENBMSIwIAYJKoZIhvcNAQkBFhNzdXBw
b3J0QHpzY2FsZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
qT7STSxZRTgEFFf6doHajSc1vk5jmzmM6BWuOo044EsaTc9eVEV/HjH/1DWzZtcr
fTj+ni205apMTlKBW3UYR+lyLHQ9FoZiDXYXK8poKSV5+Tm0Vls/5Kb8mkhVVqv7
LgYEmvEY7HPY+i1nEGZCa46ZXCOohJ0mBEtB9JVlpDIO+nN0hUMAYYdZ1KZWCMNf
5J/aTZiShsorN2A38iSOhdd+mcRM4iNL3gsLu99XhKnRqKoHeH83lVdfu1XBeoQz
z5V6gA3kbRvhDwoIlTBeMa5l4yRdJAfdpkbFzqiwSgNdhbxTHnYYorDzKfr2rEFM
dsMU0DHdeAZf711+1CunuQIDAQABo4IBCjCCAQYwHQYDVR0OBBYEFLm33UrNww4M
hp1d3+wcBGnFTpjfMIHWBgNVHSMEgc4wgcuAFLm33UrNww4Mhp1d3+wcBGnFTpjf
oYGnpIGkMIGhMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFpzY2FsZXIgSW5jLjEVMBMGA1UECxMM
WnNjYWxlciBJbmMuMRgwFgYDVQQDEw9ac2NhbGVyIFJvb3QgQ0ExIjAgBgkqhkiG
9w0BCQEWE3N1cHBvcnRAenNjYWxlci5jb22CCQDbvpgtibd7kzAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAw0NdJh8w3NsJu4KHuVZUrmZgIohnTm0j+
RTmYQ9IKA/pvxAcA6K1i/LO+Bt+tCX+C0yxqB8qzuo+4vAzoY5JEBhyhBhf1uK+P
/WVWFZN/+hTgpSbZgzUEnWQG2gOVd24msex+0Sr7hyr9vn6OueH+jj+vCMiAm5+u
kd7lLvJsBu3AO3jGWVLyPkS3i6Gf+rwAp1OsRrv3WnbkYcFf9xjuaf4z0hRCrLN2
xFNjavxrHmsH8jPHVvgc1VD0Opja0l/BRVauTrUaoW6tE+wFG5rEcPGS80jjHK4S
pB5iDj2mUZH1T8lzYtuZy0ZPirxmtsk3135+CKNa2OCAhhFjE0xd
-----END CERTIFICATE-----

现在我必须将文件放入/usr/local/share/ca-certificates/文件夹并运行sudo update-ca-certificates

现在另一个问题是 snap，它使用了没有此证书的本地存储的挂载/复制，所以我必须运行：

sudo mount --bind --bind -o nodev,ro /etc/ssl/certs /snap/core22/current/etc/ssl/certs/

作为权宜之计，直到 snap 找到一种方法来管理所有应用程序的根 CA，您可以创建一个在启动时运行的 systemd 挂载文件：

$ cat <<-EOF | sudo tee /etc/systemd/system/snap-core-current-etc-ssl-certs.mount
[Unit]
Description=Mount unit to fix etc ssl certs in core package
After=snapd.service

[Mount]
What=/etc/ssl/certs
Where=/snap/core/current/etc/ssl/certs
Type=none
Options=bind,nodev,ro

[Install]
WantedBy=multi-user.target
EOF
$ systemctl enable snap-core-current-etc-ssl-certs.mount

Answer

我在公司网络中遇到了这个问题，其中安装了 zscaler 防火墙，它通过注入自己的 ROOT CA 进行 SSL 检查，在我的例子中，我以 pem 格式提取了这个自定义根 CA（您可以使用 openssl 或浏览器）：

zangetsu@CZ-6FXPQV3:~/zscaler-intermediate-chain$ cat /usr/local/share/ca-certificates/zscaler_root_ca.crt
-----BEGIN CERTIFICATE-----
MIIE0zCCA7ugAwIBAgIJANu+mC2Jt3uTMA0GCSqGSIb3DQEBCwUAMIGhMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8GA1UEBxMIU2FuIEpvc2Ux
FTATBgNVBAoTDFpzY2FsZXIgSW5jLjEVMBMGA1UECxMMWnNjYWxlciBJbmMuMRgw
FgYDVQQDEw9ac2NhbGVyIFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRA
enNjYWxlci5jb20wHhcNMTQxMjE5MDAyNzU1WhcNNDIwNTA2MDAyNzU1WjCBoTEL
MAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExETAPBgNVBAcTCFNhbiBK
b3NlMRUwEwYDVQQKEwxac2NhbGVyIEluYy4xFTATBgNVBAsTDFpzY2FsZXIgSW5j
LjEYMBYGA1UEAxMPWnNjYWxlciBSb290IENBMSIwIAYJKoZIhvcNAQkBFhNzdXBw
b3J0QHpzY2FsZXIuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
qT7STSxZRTgEFFf6doHajSc1vk5jmzmM6BWuOo044EsaTc9eVEV/HjH/1DWzZtcr
fTj+ni205apMTlKBW3UYR+lyLHQ9FoZiDXYXK8poKSV5+Tm0Vls/5Kb8mkhVVqv7
LgYEmvEY7HPY+i1nEGZCa46ZXCOohJ0mBEtB9JVlpDIO+nN0hUMAYYdZ1KZWCMNf
5J/aTZiShsorN2A38iSOhdd+mcRM4iNL3gsLu99XhKnRqKoHeH83lVdfu1XBeoQz
z5V6gA3kbRvhDwoIlTBeMa5l4yRdJAfdpkbFzqiwSgNdhbxTHnYYorDzKfr2rEFM
dsMU0DHdeAZf711+1CunuQIDAQABo4IBCjCCAQYwHQYDVR0OBBYEFLm33UrNww4M
hp1d3+wcBGnFTpjfMIHWBgNVHSMEgc4wgcuAFLm33UrNww4Mhp1d3+wcBGnFTpjf
oYGnpIGkMIGhMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFpzY2FsZXIgSW5jLjEVMBMGA1UECxMM
WnNjYWxlciBJbmMuMRgwFgYDVQQDEw9ac2NhbGVyIFJvb3QgQ0ExIjAgBgkqhkiG
9w0BCQEWE3N1cHBvcnRAenNjYWxlci5jb22CCQDbvpgtibd7kzAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAw0NdJh8w3NsJu4KHuVZUrmZgIohnTm0j+
RTmYQ9IKA/pvxAcA6K1i/LO+Bt+tCX+C0yxqB8qzuo+4vAzoY5JEBhyhBhf1uK+P
/WVWFZN/+hTgpSbZgzUEnWQG2gOVd24msex+0Sr7hyr9vn6OueH+jj+vCMiAm5+u
kd7lLvJsBu3AO3jGWVLyPkS3i6Gf+rwAp1OsRrv3WnbkYcFf9xjuaf4z0hRCrLN2
xFNjavxrHmsH8jPHVvgc1VD0Opja0l/BRVauTrUaoW6tE+wFG5rEcPGS80jjHK4S
pB5iDj2mUZH1T8lzYtuZy0ZPirxmtsk3135+CKNa2OCAhhFjE0xd
-----END CERTIFICATE-----

现在我必须将文件放入/usr/local/share/ca-certificates/文件夹并运行sudo update-ca-certificates

现在另一个问题是 snap，它使用了没有此证书的本地存储的挂载/复制，所以我必须运行：

sudo mount --bind --bind -o nodev,ro /etc/ssl/certs /snap/core22/current/etc/ssl/certs/

作为权宜之计，直到 snap 找到一种方法来管理所有应用程序的根 CA，您可以创建一个在启动时运行的 systemd 挂载文件：

$ cat <<-EOF | sudo tee /etc/systemd/system/snap-core-current-etc-ssl-certs.mount
[Unit]
Description=Mount unit to fix etc ssl certs in core package
After=snapd.service

[Mount]
What=/etc/ssl/certs
Where=/snap/core/current/etc/ssl/certs
Type=none
Options=bind,nodev,ro

[Install]
WantedBy=multi-user.target
EOF
$ systemctl enable snap-core-current-etc-ssl-certs.mount

从 0 - x509 安装 ubuntu 20.04：每个应用程序上都出现由未知颁发机构签名的证书错误

答案1

确认原因

测试 #1

测试 #2

解决方案

答案2

相关内容