Adding a custom CA certificate works fine on Ubuntu 20.04 but fails on Debian

I went through the process of adding a new CA certificate on Ubuntu (20.04), but the same steps do not work on Debian (10), in both environments. I downloaded the custom CA certificate (via Firefox's about:certificate page, for the site with the untrusted certificate) as PEM, then used openssl to convert it to CRT format, then called update-ca-certificates.

Here are the steps in a Dockerfile:

FROM ubuntu:20.04
RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
COPY src/main/docker/nexus-custom-ca-chain.pem /root/
RUN openssl x509 -in /root/nexus-custom-ca-chain.pem -inform PEM -out /usr/local/share/ca-certificates/custom-root-ca.crt
RUN update-ca-certificates
RUN curl https://nexus-using-custom-cert.custom.org

Building this Dockerfile with

docker build . --no-cache

outputs:

Step 1/6 : FROM ubuntu:20.04
 ---> 9140108b62dc
Step 2/6 : RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
 ---> Running in 2fd506a9b619
[install stuff]
Processing triggers for ca-certificates (20190110ubuntu1.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 2fd506a9b619
 ---> 57c01aa6180d
Step 3/6 : COPY src/main/docker/nexus-custom-ca-chain.pem /root/
 ---> e0aa6a44ced1
Step 4/6 : RUN openssl x509 -in /root/nexus-custom-ca-chain.pem -inform PEM -out /usr/local/share/ca-certificates/custom-root-ca.crt
 ---> Running in 70746b6e16fe
Removing intermediate container 70746b6e16fe
 ---> de9c98488bde
Step 5/6 : RUN update-ca-certificates
 ---> Running in 1137779ed67f
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 1137779ed67f
 ---> c834167a52a3
Step 6/6 : RUN curl https://nexus-using-custom-cert.custom.org
 ---> Running in a8dc2aa55993
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<html>

<body> stuff
</body>
</html>
100   470  100   470    0     0   1492      0 --:--:-- --:--:-- --:--:--  1487
Removing intermediate container a8dc2aa55993
 ---> 809e4e5b6ac1
Successfully built 809e4e5b6ac1

But if I use debian:10 instead (no other change to the Dockerfile):

FROM debian:10

and rebuild the Docker image with

docker build . --no-cache

it outputs:

Step 1/6 : FROM debian:10
 ---> f6dcff9b59af
Step 2/6 : RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
 ---> Running in 15d0c69448ed
[install stuff]
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for ca-certificates (20200601~deb10u1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 15d0c69448ed
 ---> 4bcfe8b5074b
Step 3/6 : COPY src/main/docker/nexus-custom-ca-chain.pem /root/
 ---> fa53734a536a
Step 4/6 : RUN openssl x509 -in /root/nexus-custom-ca-chain.pem -inform PEM -out /usr/local/share/ca-certificates/custom-root-ca.crt
 ---> Running in b86813e50a77
Removing intermediate container b86813e50a77
 ---> 0b0e6aa67d7d
Step 5/6 : RUN update-ca-certificates
 ---> Running in c18625c31424
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container c18625c31424
 ---> 559636874009
Step 6/6 : RUN curl https://nexus-using-custom-cert.custom.org
 ---> Running in fcd2e16441fd
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
The command '/bin/sh -c curl https://nexus-using-custom-cert.custom.org' returned a non-zero code: 60

So, how should I add a custom CA certificate on Debian 10? The Debian update-ca-certificates documentation is very similar to the Ubuntu doc; what is wrong?

Thanks in advance!

Answer 1

Thanks to my colleague @BrettDG, I was able to get it working under Debian too.

TL;DR: make sure you include every certificate of the trust chain, each in its own file. Ubuntu was satisfied with only the intermediate certificate; Debian needs the full chain.

The site I connect to has the following trust chain:

MyOrgRootCA
|-> MyOrgIntermediateCA
    |-> Website

While I thought my PEM file nexus-custom-ca-chain.pem had the full chain, running:

openssl x509 -in /usr/local/share/ca-certificates/nexus-custom-ca-chain.pem -noout -text

showed that I only had the site certificate and the intermediate certificate of that chain, so the root certificate was missing.

Also, I am not sure that having several certificates in one file is a good idea; try splitting them into their own files.

Here is the Dockerfile that works on both Debian and Ubuntu:

# FROM ubuntu:20.04
FROM debian:10
RUN apt update && DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
# update-ca-certificates only picks up PEM files whose name ends in .crt under /usr/local/share/ca-certificates
COPY root.pem /usr/local/share/ca-certificates/root.crt
COPY intermediate.pem /usr/local/share/ca-certificates/intermediate.crt
RUN chmod 644 /usr/local/share/ca-certificates/root.crt /usr/local/share/ca-certificates/intermediate.crt
RUN update-ca-certificates
RUN curl https://nexus-using-custom-cert.custom.org

Lesson learned: verify the trust chain and provide every certificate on the chain.

On each certificate in the chain, run openssl x509 -noout -text and look in the output for:

MyOrgRootCA
Issuer:  C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA
Subject: C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA
MyOrgIntermediateCA
Issuer:  C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA
Subject: C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Intermediate ROOT CA

From there, if we curl -v the website and see:

issuer: C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Intermediate ROOT CA

we know that by providing the intermediate and root certificates we are golden.

Useful command lines

View your certificate in detail:
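The check described above, as an added example that is not part of the original answer: a POSIX sh script that splits a PEM bundle into one .crt file per certificate (openssl x509 -in only reads the first certificate of a file, which is how a bundle ends up installed incompletely) and then walks each certificate's subject and issuer to tell whether a self-signed root is present. Assumed: sh, awk and openssl are available; file and directory names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   sh check-chain.sh nexus-custom-ca-chain.pem /usr/local/share/ca-certificates
# then run update-ca-certificates on the resulting per-certificate .crt files.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/cert-1.crt, cert-2.crt, ... (one certificate each, .crt
# extension so update-ca-certificates picks them up) and prints the count.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".crt" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$bundle"
}

# check_chain OUTDIR
# Prints subject and issuer of every split certificate; returns 0 only if at
# least one certificate is self-signed (subject == issuer), i.e. the root CA
# is present. Otherwise the chain is incomplete and Debian will reject it.
check_chain() {
    dir=$1; root_found=1
    for crt in "$dir"/cert-*.crt; do
        subj=$(openssl x509 -in "$crt" -noout -subject | cut -d= -f2-)
        iss=$(openssl x509 -in "$crt" -noout -issuer | cut -d= -f2-)
        echo "$crt"
        echo "  subject: $subj"
        echo "  issuer:  $iss"
        [ "$subj" = "$iss" ] && root_found=0
    done
    if [ "$root_found" -eq 0 ]; then
        echo "OK: a self-signed root is present in $dir"
    else
        echo "MISSING ROOT: no self-signed certificate found; also install the CA that issued the top-most certificate"
    fi
    return "$root_found"
}

# Only run the pipeline when a bundle and a target directory are given.
if [ $# -ge 2 ]; then
    count=$(split_pem_bundle "$1" "$2")
    echo "split $count certificate(s) into $2"
    check_chain "$2"
fi
```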

openssl x509 -in mycert.crt -noout -text

Convert from binary (DER) format to x509 PEM (as required by update-ca-certificates); write to a new file rather than overwriting the input:

openssl x509 -in mycert.crt -inform der -outform PEM -out mycert.pem

Convert from text (PEM) format to binary (as required by Java keytool):

openssl x509 -in mycert.pem -outform der -out mycert.der
