我的 FreeBSD 11 给出:
[root@freebsd11 ~]# pkg install perl
Updating FreeBSD repository catalogue...
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.freebsd.org/FreeBSD:11:amd64/latest/meta.txz: Authentication error
repository FreeBSD has no meta file, using default settings
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.freebsd.org/FreeBSD:11:amd64/latest/packagesite.pkg: Authentication error
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
Certificate verification failed for /O=Digital Signature Trust Co./CN=DST Root CA X3
34406394360:error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed:/usr/src/crypto/openssl/ssl/s3_clnt.c:1269:
pkg: https://pkg.freebsd.org/FreeBSD:11:amd64/latest/packagesite.txz: Authentication error
Unable to update repository FreeBSD
Error updating repositories!
我认为这是由证书过期引起的,但我不知道如何修复它。
答案1
答案2
是的,Let's Encrypt 历史上使用的 DST Root CA X3 证书已于一年半前过期;看https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/并如链接所示https://letsencrypt.org/2020/12/21/extending-android-compatibility.html。 (我们在几个 Stack 上有大约一百个问题——据我记得,unix、apple、security、SF、SU、SO,也许还有更多——大多数在一两周内,但有些在 2 或 3 个月后出现;你是吗?到外星度假?)
openssl version检查您拥有的 OpenSSL(程序: do )和 ca_root_nss (程序包)的版本。如果您的根 CA 早于 2017 年左右,您的信任文件中可能没有 ISRG 根(可能是软件包提供的 /usr/local/share/certs/ca-root-nss.crt),需要添加它-- 可能您需要下载到较新的系统,然后复制到您废弃的系统;它必须是 PEM 格式,但如果您获得 DER,只需使用openssl x509 -inform der -outform pem <this >that它进行转换,可以选择添加-text -fingerprint以获得有用的人类可读的序言。
如果您的 OpenSSL 版本低于 1.1.0,并且您的信任文件中具有现已废弃的 DST-X3 根(您几乎肯定会为 2020 年之前构建的系统执行此操作),则需要将其删除(使用任何方便的编辑器)以避免 OpenSSL LE 页面提到的错误。
与往常一样,在修改任何关键文件之前,请先保存该文件的备份。一旦您的系统开始工作,请查看是否有包含这些更改的官方 ca_root_nss 更新,如果有,请使用它而不是手动修补程序。