强制安装 ISRG X1 证书

When fetching the repository key from the postgres website, I started getting errors:

wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
#6 0.310 --2021-10-04 20:56:35--  https://www.postgresql.org/media/keys/ACCC4CF8.asc
#6 0.315 Resolving www.postgresql.org (www.postgresql.org)... 87.238.57.232, 72.32.157.230, 217.196.149.50, ...
#6 0.318 Connecting to www.postgresql.org (www.postgresql.org)|87.238.57.232|:443... connected.
#6 0.902 ERROR: The certificate of 'www.postgresql.org' is not trusted.
#6 0.902 ERROR: The certificate of 'www.postgresql.org' has expired.

I tried to work around this with --no-check-certificate, but then ran into a different problem when installing the postgres repository:

apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    postgresql-client-common postgresql-client-13 \
    && rm -rf /var/lib/apt/lists/*

#9 2.579   404  Not Found [IP: 147.75.85.69 80]
#9 2.606 Fetched 7888 kB in 2s (3486 kB/s)
#9 2.606 Reading package lists...
#9 2.974 W: The repository 'http://apt.postgresql.org/pub/repos/apt -pgdg Release' does not have a Release file.
#9 2.974 E: Failed to fetch http://apt.postgresql.org/pub/repos/apt/dists/-pgdg/main/binary-arm64/Packages  404  Not Found [IP: 147.75.85.69 80]
#9 2.974 E: Some index files failed to download. They have been ignored, or old ones used instead.

Is there another way to solve this? It suddenly started happening today.

Answer 1

PostgreSQL.org uses a LetsEncrypt-signed certificate (I just checked), which is validated against the root certificate.

That root certificate has expired. It has been renewed, but your system probably does not have the new CA certificate, so it cannot validate the new X1 certificate and therefore rejects it.

The same thing happens with the http repository, which as far as I know is automatically upgraded to HTTPS. I don't see apt reporting this upgrade, so my guess is that it tries, fails silently, and you get a "no such file" error where the real error is closer to "could not connect to retrieve the file". You can verify this by instructing apt to ignore invalid certificates.

But what you need to do is update your CA certificates. You will probably notice a "ca-certificates" package among the updates. Once that is in place, everything else will start working again.

Force-installing the ISRG X1 certificate

  • Get the certificate (e.g. curl -k https://letsencrypt.org/certs/isrgrootx1.pem > isrgrootx1.pem)
  • Extract the CRT: openssl crl2pkcs7 -nocrl -certfile isrgrootx1.pem | openssl pkcs7 -print_certs -out isrgrootx1.crt
  • Copy it to /usr/local/share/ca-certificates/
  • Run sudo update-ca-certificates

If it reports a duplicate certificate, find it in /etc/ssl/certs and inspect it. If it has "subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1", then you already have the ISRG X1 certificate installed, and the problem lies elsewhere.

Answer 2

Credit to LSerni for pointing me in the right direction. I needed one more step to solve the problem in my case: explicitly disable mozilla/DST_Root_CA_X3.crt in /etc/ca-certificates.conf (using sed, see below).

Also, an interesting note: I could not reproduce the bug in Docker with debian:stretch, but I could reproduce it with python:3.7.8-stretch.

The commands to reproduce the bug are basically these 3:

apt-get update && apt-get install -y lsb-release wget
sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -

Running the commands above produces the output gpg: no valid OpenPGP data found., which is the underlying problem.

Image ID used to reproduce the bug:

me@home$ docker images
REPOSITORY                        TAG             IMAGE ID       CREATED         SIZE
python                            3.7.8-stretch   b64658cdf594   14 months ago   902MB

Output reproducing the bug:

me@home$ docker run -it python:3.7.8-stretch /bin/bash
root@771da843c08d:/# apt-get update && apt-get install -y lsb-release wget
Ign:1 http://deb.debian.org/debian stretch InRelease
Get:2 http://security.debian.org/debian-security stretch/updates InRelease [53.0 kB]
Get:3 http://deb.debian.org/debian stretch-updates InRelease [93.6 kB]
Get:4 http://deb.debian.org/debian stretch Release [118 kB]           
Get:5 http://deb.debian.org/debian stretch Release.gpg [3177 B]                  
Get:6 http://security.debian.org/debian-security stretch/updates/main amd64 Packages [720 kB]
Get:7 http://deb.debian.org/debian stretch/main amd64 Packages [7080 kB]         
Fetched 8067 kB in 1s (4448 kB/s)                     
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
wget is already the newest version (1.18-5+deb9u3).
Suggested packages:
  lsb
The following NEW packages will be installed:
  distro-info-data lsb-release
0 upgraded, 2 newly installed, 0 to remove and 106 not upgraded.
Need to get 32.9 kB of archives.
After this operation, 78.8 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian stretch/main amd64 distro-info-data all 0.36 [5810 B]
Get:2 http://deb.debian.org/debian stretch/main amd64 lsb-release all 9.20161125 [27.1 kB]
Fetched 32.9 kB in 0s (274 kB/s)       
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package distro-info-data.
(Reading database ... 30586 files and directories currently installed.)
Preparing to unpack .../distro-info-data_0.36_all.deb ...
Unpacking distro-info-data (0.36) ...
Selecting previously unselected package lsb-release.
Preparing to unpack .../lsb-release_9.20161125_all.deb ...
Unpacking lsb-release (9.20161125) ...
Setting up distro-info-data (0.36) ...
Setting up lsb-release (9.20161125) ...
root@771da843c08d:/# sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
root@771da843c08d:/# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
gpg: no valid OpenPGP data found.

Output showing the problem resolved (including the resolution steps):

root@479753dc1044:/# sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
root@479753dc1044:/# # Remove the DST X3 root certificate, per
root@479753dc1044:/# # https://medium.com/geekculture/will-you-be-impacted-by-letsencrypt-dst-root-ca-x3-expiration-d54a018df257
root@479753dc1044:/# sed -i 's/mozilla\/DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/g' /etc/ca-certificates.conf
root@479753dc1044:/# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 1 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@479753dc1044:/# wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
OK
root@479753dc1044:/# apt-get update
Ign:1 http://deb.debian.org/debian stretch InRelease
Hit:2 http://security.debian.org/debian-security stretch/updates InRelease
Hit:3 http://deb.debian.org/debian stretch-updates InRelease
Hit:4 http://deb.debian.org/debian stretch Release 
Get:6 http://apt.postgresql.org/pub/repos/apt stretch-pgdg InRelease [81.6 kB]
Get:7 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 Packages [270 kB]
Fetched 352 kB in 1s (220 kB/s)  
Reading package lists... Done

After applying the fix above, you can continue (e.g. install the older Postgres client).

root@479753dc1044:/# apt-get -y install postgresql-client-12
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libpq-dev libpq5 pgdg-keyring postgresql-client-common
Suggested packages:
  postgresql-doc-14 postgresql-12 postgresql-doc-12
The following NEW packages will be installed:
  pgdg-keyring postgresql-client-12 postgresql-client-common
The following packages will be upgraded:
  libpq-dev libpq5
2 upgraded, 3 newly installed, 0 to remove and 104 not upgraded.
Need to get 1823 kB of archives.
After this operation, 6032 kB of additional disk space will be used.
Get:1 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 libpq-dev amd64 14.0-1.pgdg90+1 [135 kB]
Get:2 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 libpq5 amd64 14.0-1.pgdg90+1 [169 kB]
Get:3 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 pgdg-keyring all 2018.2 [10.7 kB]
Get:4 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 postgresql-client-common all 231.pgdg90+1 [91.3 kB]
Get:5 http://apt.postgresql.org/pub/repos/apt stretch-pgdg/main amd64 postgresql-client-12 amd64 12.8-1.pgdg90+1 [1417 kB]
Fetched 1823 kB in 1s (1422 kB/s)              
debconf: delaying package configuration, since apt-utils is not installed
(Reading database ... 30604 files and directories currently installed.)
Preparing to unpack .../libpq-dev_14.0-1.pgdg90+1_amd64.deb ...
Unpacking libpq-dev (14.0-1.pgdg90+1) over (9.6.17-0+deb9u1) ...
Preparing to unpack .../libpq5_14.0-1.pgdg90+1_amd64.deb ...
Unpacking libpq5:amd64 (14.0-1.pgdg90+1) over (9.6.17-0+deb9u1) ...
Selecting previously unselected package pgdg-keyring.
Preparing to unpack .../pgdg-keyring_2018.2_all.deb ...
Unpacking pgdg-keyring (2018.2) ...
Selecting previously unselected package postgresql-client-common.
Preparing to unpack .../postgresql-client-common_231.pgdg90+1_all.deb ...
Unpacking postgresql-client-common (231.pgdg90+1) ...
Selecting previously unselected package postgresql-client-12.
Preparing to unpack .../postgresql-client-12_12.8-1.pgdg90+1_amd64.deb ...
Unpacking postgresql-client-12 (12.8-1.pgdg90+1) ...
Setting up libpq5:amd64 (14.0-1.pgdg90+1) ...
Processing triggers for libc-bin (2.24-11+deb9u4) ...
Setting up pgdg-keyring (2018.2) ...
Removing apt.postgresql.org key from trusted.gpg: OK
Setting up libpq-dev (14.0-1.pgdg90+1) ...
Setting up postgresql-client-common (231.pgdg90+1) ...
Setting up postgresql-client-12 (12.8-1.pgdg90+1) ...
update-alternatives: using /usr/share/postgresql/12/man/man1/psql.1.gz to provide /usr/share/man/man1/psql.1.gz (psql.1.gz) in auto mode
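An added example, not code from any of the answers above: it applies the subject check from answer 1 and the DST Root CA X3 deselection from answer 2 as small shell functions that can be tried first on a constructed copy of /etc/ca-certificates.conf. It assumes the Debian trust-store layout (one "!"-prefixed line per deselected cert, and /etc/ssl/certs/ISRG_Root_X1.pem as the installed root's filename).

```shell
#!/bin/sh
# Added example (not from the answers above). Works on the files that
# update-ca-certificates reads: /etc/ca-certificates.conf lists the bundled
# CA certs, and a leading "!" deselects one. Every function takes the paths
# as arguments so it can be exercised on a constructed copy first.

# ca_entry_state CONF ENTRY -> prints enabled | disabled | missing
ca_entry_state() {
    if grep -qx -- "$2" "$1"; then echo enabled
    elif grep -qx -- "!$2" "$1"; then echo disabled
    else echo missing
    fi
}

# disable_ca_entry CONF ENTRY: deselect ENTRY exactly once. A bare sed
# substitution as in answer 2 is not idempotent (a second run would yield
# "!!mozilla/..."); matching the whole line with awk avoids that.
disable_ca_entry() {
    [ "$(ca_entry_state "$1" "$2")" = enabled ] || return 0
    awk -v e="$2" '$0 == e { print "!" e; next } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# is_isrg_root_x1 SUBJECT_LINE: the check from answer 1, applied to the
# output of `openssl x509 -noout -subject -in <cert>`.
is_isrg_root_x1() {
    case "$1" in
        *"O = Internet Security Research Group"*"CN = ISRG Root X1"*) return 0 ;;
    esac
    return 1
}

# Constructed sample of the relevant lines of /etc/ca-certificates.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
# This file lists certificates that you wish to use or to ignore.
mozilla/DST_Root_CA_X3.crt
mozilla/ISRG_Root_X1.crt
mozilla/GlobalSign_Root_CA.crt
EOF
}

# Typical use on a real system, after reading the file yourself
# (the ISRG_Root_X1.pem path is an assumption about the Debian layout):
#   disable_ca_entry /etc/ca-certificates.conf mozilla/DST_Root_CA_X3.crt
#   update-ca-certificates
#   is_isrg_root_x1 "$(openssl x509 -noout -subject -in /etc/ssl/certs/ISRG_Root_X1.pem)"
```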

Answer 3

Root cause

As LSerni recently answered, the root certificate expired and caused some mischief.

Here is the official answer from Let's Encrypt:

The primary determining factor for whether a platform can validate Let's Encrypt certificates is whether that platform trusts ISRG's "ISRG Root X1" certificate. Prior to September 2021, some platforms could validate our certificates even though they didn't include ISRG Root X1, because they trusted IdenTrust's "DST Root CA X3" certificate. From October 2021 onward, only platforms that trust ISRG Root X1 will validate Let's Encrypt certificates (with the exception of Android).

More at https://letsencrypt.org/docs/certificate-compatibility/

All debian versions >= jessie should include the certificate needed to recognize Letsencrypt (after updating).

stretch should now already include the ISRG Root X1 certificate listed there.

To update, try:

apt update
apt install -y libssl1.0.2 ca-certificates

More on this here: https://serverfault.com/questions/1079199/client-on-debian-9-erroneously-reports-expired-certificate-for-letsencrypt-issue

Side note on the Postgresql installation

Note that the documentation at https://wiki.postgresql.org/wiki/Apt#Quickstart was updated on 2021-08-20 to state that "apt-key is deprecated".

You may want to replace:

wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -

with:

curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg

Also, you don't need to install lsb_release on stretch; you can use the /etc/os-release file instead, e.g.:

OS_CODENAME=$(awk -F= '$1=="VERSION_CODENAME" { print $2 ;}' /etc/os-release)
