Server certificate verification failed on virtual Ubuntu 18.04

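I have two Ubuntu 18.04 machines: one based on the bento/ubuntu-18.04 Vagrant box, and a laptop.

Since yesterday, when I try to clone a repository, the virtual machine shows a certificate error.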

```
vagrant@mybox:~$ git clone https://somehostedgitrepo/myrepo.git/
Cloning into 'myrepo'...
fatal: unable to access 'https://somehostedgitrepo/myrepo.git/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
```

On my laptop it still works.

When I check with

```
openssl s_client -connect somehostedgitrepo:443
```

it shows that the certificate has expired:

```
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=10:certificate has expired
notAfter=Jun  4 11:04:38 2035 GMT
CONNECTED(00000005)
---
Certificate chain
 0 s:CN =somehostedgitrepo
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgISAzIS8MDFK/RLB5bSwMulrF77MA0GCSqGSIb3DQEBCwUA
...
JJzXxLHT6RkWXPDM9wyTnQl14gC6Mtp+S3IbBbGoidnnOw==
-----END CERTIFICATE-----
subject=CN = somehostedgitrepo

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4586 bytes and written 402 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
....
```

On my laptop:

```
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = somehostedgitrepo
verify return:1
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = somehostedgitrepo
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFLjCCBBagAwIBAgISAzIS8MDFK/RLB5bSwMulrF77MA0GCSqGSIb3DQEBCwUA
...
```

Note that on my virtual machine, the top of the output shows

```
notAfter=Jun  4 11:04:38 2035 GMT
```

I noticed a difference in the file `/etc/ca-certificates.conf`:

```
diff ca-certificates.conf /etc/ca-certificates.conf
46c46
< mozilla/DST_Root_CA_X3.crt
---
> !mozilla/DST_Root_CA_X3.crt
```

When I update that line on my virtual machine to match `!mozilla/DST_Root_CA_X3.crt`, then run `apt-get update && apt-get install ca-certificates` and reboot, it works again.

What is going on here? Why did it suddenly start failing yesterday on my VM? Why is Ubuntu on the VM different and more strict?
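
The difference the `diff` above shows can be checked per certificate. This is an added example, not part of the original post: it reads `ca-certificates.conf`, where a leading `!` deselects an entry and `#` starts a comment, and reports which entries differ in trust state between two machines. The function names, the file names `vm.conf` and `laptop.conf`, and the sample contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare CA trust state between two ca-certificates.conf files.

# Print "enabled", "disabled" or "absent" for certificate $2 in conf file $1.
ca_state() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            name = $0; state = "enabled"
            if (sub(/^!/, "", name)) state = "disabled"   # "!" deselects the CA
            if (name == want) found = state     # last matching line wins
        }
        END { print (found == "" ? "absent" : found) }
    ' "$1"
}

# Print "<name> <state in $1> <state in $2>" for every entry whose state differs.
ca_trust_diff() {
    awk '!/^[ \t]*(#|$)/ { sub(/^!/, ""); print }' "$1" "$2" | sort -u |
    while IFS= read -r name; do
        a=$(ca_state "$1" "$name")
        b=$(ca_state "$2" "$name")
        [ "$a" = "$b" ] || printf '%s %s %s\n' "$name" "$a" "$b"
    done
}

# Constructed sample data: short excerpts standing in for the two conf files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/vm.conf" <<'EOF'
# constructed excerpt: machine where git clone fails
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF
cat > "$tmp/laptop.conf" <<'EOF'
# constructed excerpt: machine where git clone works
!mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
EOF

ca_trust_diff "$tmp/vm.conf" "$tmp/laptop.conf"
```

A change in `ca-certificates.conf` only reaches `/etc/ssl/certs/ca-certificates.crt`, the CAfile named in the git error, once `update-ca-certificates` has regenerated the bundle.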
