GnuTLS rejects Let's Encrypt certificates

On a machine with an up-to-date Ubuntu 20.04, certificates issued by Let's Encrypt are rejected by GnuTLS, and only by GnuTLS. They cannot be used with applications linked against GnuTLS (e.g. Git and Lynx). They work with applications linked against other TLS stacks (e.g. OpenSSL, Firefox and Chrome). Sites using certificates issued by other CAs work fine.

I rarely use Git with sites that have Let's Encrypt certificates on this machine, so this has most likely been going on since 2021-09-30, when the old LE root expired. I don't understand why an up-to-date Ubuntu would have such a problem.

Example:

$ git clone https://git.savannah.gnu.org/git/bash.git/
Cloning into 'bash'...
fatal: unable to access 'https://git.savannah.gnu.org/git/bash.git/': server certificate verification failed. CAfile: none CRLfile: none

Here are more details, from gnutls-cli --print-cert -p 443 {--sni-hostname=,}git.savannah.gnu.org

Processed 140 CA certificate(s).
Resolving 'git.savannah.gnu.org:443'...
Connecting to '209.51.188.168:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=git.savannah.gnu.org', issuer `CN=R3,O=Let's Encrypt,C=US', serial 0x04fb91dc102c76be8ac0ae2d77169d581a7d, RSA key 4096 bits, signed using RSA-SHA256, activated `2022-04-28 09:26:15 UTC', expires `2022-07-27 09:26:14 UTC', pin-sha256="QokL42m6ShyuyTUCH1OtbQRsDL92EWuwFY9wGQM4TGI="
        Public Key ID:
                sha1:a8b73346c9460221472b9dfa1a1b80b3b5273994
                sha256:42890be369ba4a1caec935021f53ad6d046c0cbf76116bb0158f701903384c62
        Public Key PIN:
                pin-sha256:QokL42m6ShyuyTUCH1OtbQRsDL92EWuwFY9wGQM4TGI=

- Certificate[1] info:
 - subject `CN=R3,O=Let's Encrypt,C=US', issuer `CN=ISRG Root X1,O=Internet Security Research Group,C=US', serial 0x00912b084acf0c18a753f6d62e25a75f5a, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-09-04 00:00:00 UTC', expires `2025-09-15 16:00:00 UTC', pin-sha256="jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0="

- Certificate[2] info:
 - subject `CN=ISRG Root X1,O=Internet Security Research Group,C=US', issuer `CN=DST Root CA X3,O=Digital Signature Trust Co.', serial 0x4001772137d4e942b8ee76aa3c640ab7, RSA key 4096 bits, signed using RSA-SHA256, activated `2021-01-20 19:14:03 UTC', expires `2024-09-30 18:14:03 UTC', pin-sha256="C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M="

- Status: The certificate is NOT trusted. The certificate chain uses expired certificate.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate.

The machine's clock is correct, and none of the certificates listed here has expired. However, the issuer CN=DST Root CA X3,O=Digital Signature Trust Co. has a certificate in the trust store (/etc/ssl/certs/ca-certificates.crt; I have confirmed that GnuTLS reads this file), and that certificate expired on 2021-09-30.

That should not be a problem, because this certificate is not needed to establish a chain of trust: the entity CN=ISRG Root X1,O=Internet Security Research Group,C=US has a self-signed certificate in /etc/ssl/certs/ca-certificates.crt. Other TLS implementations handle it fine, so why can't GnuTLS work this out on my machine?

How do I get GnuTLS to accept Let's Encrypt certificates on my Ubuntu 20.04?
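As an added example that is not part of this question: a simplified Python model of the two path-building behaviours the question contrasts, using the chain and dates from the gnutls-cli output above. `verify_as_sent` follows the chain all the way to the cross-signing DST Root CA X3 and fails on its expiry; `verify_shortest_path` stops as soon as an issuer (ISRG Root X1) is already an unexpired anchor in the store. The 2035 expiry of the self-signed ISRG Root X1, the check date and the function names are assumptions, and the model is not GnuTLS's or OpenSSL's actual code.

```python
from datetime import date
# Constructed model of the chain printed by gnutls-cli in the question:
# (subject, issuer, not_after). Names are shortened to the CN.
SERVER_CHAIN = [
    ("git.savannah.gnu.org", "R3", date(2022, 7, 27)),
    ("R3", "ISRG Root X1", date(2025, 9, 15)),
    ("ISRG Root X1", "DST Root CA X3", date(2024, 9, 30)),  # cross-signed copy
]
# Constructed model of /etc/ssl/certs/ca-certificates.crt. The DST expiry is the
# one from the question; the 2035 expiry of the self-signed ISRG Root X1 is assumed.
TRUST_STORE = [
    ("ISRG Root X1", "ISRG Root X1", date(2035, 6, 4)),
    ("DST Root CA X3", "DST Root CA X3", date(2021, 9, 30)),
]
CHECK_DATE = date(2022, 5, 1)  # assumed date of the check, inside the leaf's validity

def anchor_for(name, store):
    """Return the self-signed store entry whose subject is `name`, or None."""
    for entry in store:
        if entry[0] == name and entry[1] == name:
            return entry
    return None

def verify_as_sent(chain, store, today):
    """Use the chain exactly as the server presented it, then require the
    issuer of its last certificate to be an unexpired anchor in the store."""
    for subject, issuer, not_after in chain:
        if not_after < today:
            return False, f"{subject} expired"
    anchor = anchor_for(chain[-1][1], store)
    if anchor is None:
        return False, f"no anchor for {chain[-1][1]}"
    if anchor[2] < today:
        return False, "chain uses expired certificate"  # the error in the question
    return True, anchor[0]

def verify_shortest_path(chain, store, today):
    """Stop at the first certificate whose issuer is already an unexpired anchor,
    ignoring any further (cross-signed) certificates the server sent."""
    for subject, issuer, not_after in chain:
        if not_after < today:
            return False, f"{subject} expired"
        anchor = anchor_for(issuer, store)
        if anchor is not None and anchor[2] >= today:
            return True, anchor[0]
    return False, "no unexpired anchor reachable"

if __name__ == "__main__":
    print(verify_as_sent(SERVER_CHAIN, TRUST_STORE, CHECK_DATE))
    print(verify_shortest_path(SERVER_CHAIN, TRUST_STORE, CHECK_DATE))
```

Running it shows the first strategy failing with the same complaint GnuTLS prints, while the second accepts the chain at the self-signed ISRG Root X1; removing that root from the store makes the second strategy fail too.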
