How to update a server whose SSL components are too old to actually download packages over SSL

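There seems to be a catch-22 here. Updating the server to a new release is not possible. I only need to update Apache to a specific (older) version.

The server is CentOS 6.3. The base repository is out of date, and I have to update it to use the vault repository. However, that requires HTTPS, and any time I try to run yum after updating the repository I get:

https://vault.centos.org/centos/6/os/i386/repodata/repomd.xml: [Errno 14] problem making ssl connection

Obviously, I need to update yum, openssl, etc... But how do I do that when I can't download packages with yum? Is there a way to avoid building these packages by hand?

Here is CentOS-Base.repo: (note: changing these to http does not seem to work)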

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
baseurl=https://vault.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=https://vault.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=https://vault.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=https://vault.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=https://vault.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

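Answer 1

I managed to get yum working properly by installing all of the updated packages manually.

First, I downloaded the packages from the CentOS 6.10 repository - yes, I deliberately used 6.10 on my 6.3 server: (note, the repository is unreliable, and I had to retry these commands several times)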

wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-3.2.29-81.el6.centos.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-plugin-fastestmirror-1.1.30-41.el6.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-utils-1.1.30-41.el6.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-metadata-parser-1.1.2-16.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-devel-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-perl-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-static-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/curl-7.19.7-53.el6_9.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/libcurl-7.19.7-53.el6_9.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/libcurl-devel-7.19.7-53.el6_9.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/python-urlgrabber-3.9.1-11.el6.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-3.36.0-8.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-util-3.36.0-1.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-tools-3.36.0-8.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-sysinit-3.36.0-8.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-softokn-3.14.3-23.3.el6_8.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-softokn-freebl-3.14.3-23.3.el6_8.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nspr-4.19.0-1.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/p11-kit-0.18.5-2.el6_5.2.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/p11-kit-trust-0.18.5-2.el6_5.2.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/ca-certificates-2018.2.22-65.1.el6.noarch.rpm

Then I installed the packages:

rpm -Uvh openssl*.rpm
rpm -Uvh ns*.rpm
rpm -Uvh *curl*.rpm
rpm -Uvh python-urlgrabber-3.9.1-11.el6.noarch.rpm
rpm -Uvh yum*.rpm
rpm -Uvh p11*.rpm
rpm -Uvh ca-certificates-2018.2.22-65.1.el6.noarch.rpm

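If there are any warnings about packages already being installed, add --force to the rpm command.

Finally, I ran yum clean all and then yum install httpd, and everything worked again. The latest patch level of Apache was installed.

Some of the packages above may not be needed. It depends on what is already installed on the system. For example, if openssl-perl.i686 is not installed, don't install it, otherwise the Perl dependencies will have to be installed as well.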
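
The wget commands in Answer 1 use --no-check-certificate, and rpm -Uvh does not insist on a valid signature the way yum's gpgcheck=1 does, so the package signature is the only integrity check left. The following is an added example, not part of the original answer: it classifies `rpm -K` output so that unsigned packages, which `rpm -K` still reports as "OK", are rejected. It assumes the rpm 4.8 output format of CentOS 6; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the answer): check signatures on the downloaded
# RPMs before "rpm -Uvh". Assumes rpm 4.8 output format, as on CentOS 6.

# Classify one line printed by "rpm -K <file>".
# rpm 4.8 prints verified signature types in lower case (rsa, dsa, pgp, gpg),
# failed or unverifiable ones in upper case followed by "NOT OK".
classify_checksig() {
    result=${1#*: }                 # drop the leading "file.rpm: "
    case "$result" in
        *"NOT OK"*)                      echo bad ;;        # bad digest/signature, or key not imported
        *rsa*OK|*dsa*OK|*pgp*OK|*gpg*OK) echo signed-ok ;;
        *OK)                             echo unsigned ;;   # digests match, but nothing is signed
        *)                               echo bad ;;        # unrecognised output: fail closed
    esac
}

# Return 0 only if every file given carries a signature that verifies.
verify_rpms() {
    rc=0
    for f in "$@"; do
        line=$(rpm -K "$f" 2>&1) || true
        state=$(classify_checksig "$line")
        echo "$state  $f"
        [ "$state" = signed-ok ] || rc=1
    done
    return $rc
}

# On the server, in the download directory:
#   rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#   verify_rpms ./*.rpm && echo "all signatures verified"

# Constructed sample lines (not captured output) showing the three outcomes.
for sample in \
    'openssl-1.0.1e-57.el6.i686.rpm: rsa sha1 (md5) pgp md5 OK' \
    'rebuilt.rpm: sha1 md5 OK' \
    'nss-3.36.0-8.el6.i686.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)'
do
    echo "$(classify_checksig "$sample") <- $sample"
done
```

Run the rpm -Uvh commands only after verify_rpms returns 0 for every downloaded file.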

Answer 2

It did not work for me, but you can try the following steps:

Create a backup of the current CentOS-Base.repo file

cp -r /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.old

Fix the base repository by copying the following into /etc/yum.repos.d/CentOS-Base.repo

[C6.10-base]
name=CentOS-6.10 - Base
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-updates]
name=CentOS-6.10 - Updates
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-extras]
name=CentOS-6.10 - Extras
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=1
metadata_expire=never

[C6.10-contrib]
name=CentOS-6.10 - Contrib
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/contrib/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
metadata_expire=never

[C6.10-centosplus]
name=CentOS-6.10 - CentOSPlus
baseurl=http://linuxsoft.cern.ch/centos-vault/6.10/centosplus/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
metadata_expire=never

Clean the cache

yum clean all

Update ca-certificates

yum update ca-certificates

Restore CentOS-Base.repo with the correct repositories

# CentOS-Base.repo
#
[base]
name=CentOS-$releasever - Base
baseurl=https://vault.centos.org/6.10/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

# released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=https://vault.centos.org/6.10/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

# additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=https://vault.centos.org/6.10/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

Clean the cache

yum clean all

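Answer 3

I had the same problem, and after a lot of trial and error, Docker for the web server turned out to be the solution. I would advise against trying to update only Apache. Too many dependencies will eventually drive you to despair.

(I know this should go in the comments section, but I don't have enough reputation to comment on the question.)

Answer 4

End of life means they have given up trying to fix security vulnerabilities - leaving this machine exposed puts your service, and everyone else on the network, at risk. Even if that network is the internet.

Sometimes upgrading is not a viable option - if that really is the case, you should wrap the server in a private network fronted by a proxy running on a current platform. Incidentally, this also solves the server-side SSL problem, since only the proxy can connect, and the proxy itself can offer current protocols to clients.

Proxying client-side SSL connections is a bit more complicated - you would need to use SSL MITM (Squid can be configured to do this).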
