On a CentOS server I am trying to understand why I cannot connect to another host that exposes a certificate issued by Let's Encrypt R3.
# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
If I try the wget command, it eventually times out.
# wget --no-proxy --no-dns-cache --no-check-certificate https://oidc.7shield.eu:32644
--2021-10-15 10:45:05-- https://oidc.7shield.eu:32644/
Resolving oidc.7shield.eu (oidc.7shield.eu)... 51.68.92.220
Connecting to oidc.7shield.eu (oidc.7shield.eu)|51.68.92.220|:32644...
......................................................................
I also tried adding the site's PEM certificate directly to
/etc/pki/ca-trust/source/anchors/
and ran
update-ca-trust
following this article, but nothing changed.
The problem also affects an application running on the Docker internal bridge in openjdk:8-jre-alpine.
How can I make connections to the above site work system-wide? How do I debug this? wget -d does not seem to show anything relevant.
Update
Using openssl on the server I get:
# openssl s_client -connect oidc.7shield.eu:32644
socket: Bad file descriptor
connect:errno=9
Whereas when I run the command locally I find something more interesting about the problem:
$ openssl s_client -connect oidc.7shield.eu:32644
CONNECTED(00000003)
depth=0 CN = oidc.7shield.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = oidc.7shield.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = oidc.7shield.eu
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = oidc.7shield.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
Acceptable client certificate CA names
CN = oidc.7shield.eu
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:DSA+SHA256:ECDSA+SHA224:RSA+SHA224:DSA+SHA224
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1856 bytes and written 412 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: B0A7CBC3721AE5A83B11D5DAABC0530CC9AF202B79B27DF100EB6341EF2EAEDA
Session-ID-ctx:
Master-Key: 783E822EE7D4504083595A4C4315F411EB0D9761F08D8C7323EFE191FFF0A6B9FEF4F5162E5D33800FD8AA29D2740576
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1634289721
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
read:errno=0
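The two openssl runs above fail at different stages, and it helps to keep them apart: `connect:errno=9` (EBADF) means connect() never got a usable socket, so no TLS was attempted and the trust store is irrelevant to that failure, just as it is to the wget timeout; the local run, by contrast, connects fine and fails only at verification, and `Verify return code: 21` together with a one-entry `Certificate chain` means the server sent the leaf without its issuer (R3). Adding the leaf to `/etc/pki/ca-trust/source/anchors/` does not help with that, because the missing link is the intermediate, and the usual fix is on the server side (serve the full chain, e.g. Let's Encrypt's fullchain.pem). The following is an added example, not code from the original post: it classifies pasted `s_client` output by those rules and also carries a live `probe()` that separates TCP reachability from TLS trust with Python's standard `socket` and `ssl` modules. The parsing rules are assumptions about the usual shape of `s_client` output, and the sample texts are constructed abridgements of the output shown above.

```python
"""Separate network failures from trust-chain failures in TLS debugging.

Added example, not part of the original post.  The regexes below are
assumptions about typical `openssl s_client` output, not an OpenSSL API.
"""
import os
import re
import socket
import ssl

# Constructed sample: abridged from the local s_client run shown above.
SAMPLE_INCOMPLETE_CHAIN = """\
CONNECTED(00000003)
depth=0 CN = oidc.7shield.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = oidc.7shield.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = oidc.7shield.eu
   i:C = US, O = Let's Encrypt, CN = R3
---
subject=CN = oidc.7shield.eu
issuer=C = US, O = Let's Encrypt, CN = R3
---
    Verify return code: 21 (unable to verify the first certificate)
---
"""

# Constructed sample: the server-side run that never reached TLS.
SAMPLE_SOCKET_ERROR = """\
socket: Bad file descriptor
connect:errno=9
"""

CHAIN_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")          # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")                 # "   i:C = US, ..."
VERIFY_CODE = re.compile(r"^\s*Verify return code:\s*(\d+)", re.M)
CONNECT_ERR = re.compile(r"^connect:errno=(\d+)", re.M)


def parse_chain(output):
    """Return [(subject, issuer), ...] for the certificates the server sent."""
    chain = []
    lines = output.splitlines()
    for n, line in enumerate(lines[:-1]):
        m = CHAIN_ENTRY.match(line)
        mi = ISSUER_LINE.match(lines[n + 1]) if m else None
        if m and mi:
            chain.append((m.group(2).strip(), mi.group(1).strip()))
    return chain


def classify(output):
    """Map s_client output to the stage that failed and a short verdict."""
    m = CONNECT_ERR.search(output)
    if m:  # connect() failed: no handshake happened, certificates are irrelevant
        err = int(m.group(1))
        return {"stage": "tcp", "errno": err,
                "verdict": f"connect() failed with errno {err} ({os.strerror(err)}); "
                           "no TLS attempted, trust store irrelevant"}
    if "CONNECTED(" not in output:  # hung or timed out before a socket came up
        return {"stage": "tcp", "verdict": "no connection established (timeout)"}
    chain = parse_chain(output)
    vm = VERIFY_CODE.search(output)
    code = int(vm.group(1)) if vm else None
    result = {"stage": "tls", "chain_depth": len(chain), "verify_code": code}
    if code == 0:
        result["verdict"] = "ok"
    elif code == 21 and chain:  # leaf's issuer was not served: server-side fix
        subject, issuer = chain[0]
        result["verdict"] = (f"incomplete-chain: server sent only '{subject}' "
                             f"without its issuer '{issuer}'")
    elif code == 20 and chain:  # chain served, but its top is not anchored locally
        result["verdict"] = f"untrusted-root: no local anchor for '{chain[-1][1]}'"
    else:
        result["verdict"] = f"verification failed with code {code}"
    return result


def probe(host, port, timeout=5.0, cafile=None):
    """Live check (not used offline): TCP connect first, then TLS, so a
    firewall timeout is never mistaken for a certificate problem."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return {"stage": "tcp", "verdict": "timeout: route/firewall, not certificates"}
    except OSError as exc:
        return {"stage": "tcp", "verdict": f"connect failed: {exc.errno} {exc.strerror}"}
    ctx = ssl.create_default_context(cafile=cafile)  # system trust store by default
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"stage": "tls", "verdict": "ok", "protocol": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"stage": "tls",
                "verdict": f"verify failed: {exc.verify_message} (code {exc.verify_code})"}
    except ssl.SSLError as exc:
        return {"stage": "tls", "verdict": f"handshake failed: {exc}"}
    finally:
        sock.close()


if __name__ == "__main__":
    print(classify(SAMPLE_SOCKET_ERROR))
    print(classify(SAMPLE_INCOMPLETE_CHAIN))
```

Feed `classify()` the pasted output of `openssl s_client -connect host:port -showcerts`; a `tcp` verdict means the next step is routing, firewall or (for errno 9) the local process and its libraries, while `incomplete-chain` points at the server configuration. `probe()` can be run against the real host with `cafile` set to a file containing the intermediate, which confirms whether adding it client-side would work around the problem.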