
Solidot's WoTrus certificate is not trusted

    guyskk0x0 · 132 days ago · 696 views

    Since 2020-10-16, Solidot seems to have switched to an HTTPS certificate issued by WoTrus (沃通); curl, requests and Cloudflare all refuse to trust this certificate.

    $ curl -v https://www.solidot.org/
    * About to connect() to www.solidot.org port 443 (#0)
    *   Trying 106.75.14.181...
    * Connected to www.solidot.org (106.75.14.181) port 443 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * Server certificate:
    * 	subject: CN=*.solidot.org,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
    * 	start date: 10 月 16 00:00:00 2019 GMT
    * 	expire date: 10 月 15 23:59:59 2021 GMT
    * 	common name: *.solidot.org
    * 	issuer: CN=WoTrus DV Server CA,OU=Controlled by Sectigo exclusively for WoTrus CA Limited,O=WoTrus CA Limited,L=Shenzhen,ST=Guangdong,C=CN
    * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
    * Peer's Certificate issuer is not recognized.
    * Closing connection 0
    curl: (60) Peer's Certificate issuer is not recognized.
    
    requests.exceptions.SSLError: HTTPSConnectionPool(host='www.solidot.org', port=443): Max retries exceeded with url: /index.rss (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')))
    
    6 replies    2020-10-19 23:22:53 +08:00

    1   Xusually   132 days ago
    curl -v https://www.solidot.org/
    * Trying 106.75.14.181...
    * TCP_NODELAY set
    * Connected to www.solidot.org (106.75.14.181) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/cert.pem
    CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    * subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=*.solidot.org
    * start date: Oct 16 00:00:00 2019 GMT
    * expire date: Oct 15 23:59:59 2021 GMT
    * subjectAltName: host "www.solidot.org" matched cert's "*.solidot.org"
    * issuer: C=CN; ST=Guangdong; L=Shenzhen; O=WoTrus CA Limited; OU=Controlled by Sectigo exclusively for WoTrus CA Limited; CN=WoTrus DV Server CA
    * SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host: www.solidot.org
    > User-Agent: curl/7.64.1
    > Accept: */*
    >
    < HTTP/1.1 403 Forbidden
    < Server: nginx
    < Date: Mon, 19 Oct 2020 14:50:53 GMT
    < Content-Type: text/html
    < Content-Length: 146
    < Connection: keep-alive
    <
    <html>
    <head><title>403 Forbidden</title></head>
    <body>
    <center><h1>403 Forbidden</h1></center>
    <hr><center>nginx</center>
    </body>
    </html>
    * Connection #0 to host www.solidot.org left intact
    * Closing connection 0


    No problems here on my side.

    OP, when WoTrus had that incident last time, did you follow the crowd and delete your own local trust for WoTrus?
    2   guyskk0x0   132 days ago
    @Xusually It also works fine on my Mac and in Chrome, but with requests, and on the server, it reports SSL errors.
    3   Xusually   132 days ago
    Following up on the previous reply: or maybe your environment hasn't updated or installed the newer Root CA certificates?
    If that's the case, try specifying the path to the ca certs.
    4   Xusually   132 days ago   ❤️ 1
    @guyskk0x0 It looks like Solidot didn't package WoTrus's whole certificate chain into one bundle. You could try looking on Comodo or WoTrus; usually the upper-level CA chain certificates are publicly available.
    5   guyskk0x0   132 days ago
    6   Xusually   132 days ago   ❤️ 1
    @guyskk0x0 Right, that confirms it. Just go and find the missing certificate chain. Their front-end server isn't using a cert bundle that includes the complete CA chain, and they haven't configured a CA cert separately either, so it ends up depending heavily on how complete the client's certificate store is, and may break on servers.
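    One way to check what the last two replies describe, namely whether the server actually sends the intermediate CA or leaves the client to find it, is to parse `openssl s_client -showcerts` output and walk the issuer links. This is an added example, not code from the thread; the sample output is constructed from the subject and issuer names in the curl transcripts above, and `Example Root CA` is a placeholder name, not the real root.

```python
import re

# Constructed `openssl s_client -showcerts` output, modelled on the subject and
# issuer names quoted in this thread; the PEM bodies are placeholders.
CA_DN = ("C = CN, ST = Guangdong, L = Shenzhen, O = WoTrus CA Limited, "
         "OU = Controlled by Sectigo exclusively for WoTrus CA Limited, CN = WoTrus DV Server CA")
PEM = "-----BEGIN CERTIFICATE-----\n<placeholder>\n-----END CERTIFICATE-----\n"
LEAF = " 0 s:CN = *.solidot.org\n   i:" + CA_DN + "\n" + PEM
INTERMEDIATE = " 1 s:" + CA_DN + "\n   i:CN = Example Root CA\n" + PEM
INCOMPLETE_CHAIN = "Certificate chain\n" + LEAF + "---\n"   # leaf only, as the thread saw
COMPLETE_CHAIN = "Certificate chain\n" + LEAF + INTERMEDIATE + "---\n"

_SUBJECT = re.compile(r"^\s*(\d+) s:(.*)$")
_ISSUER = re.compile(r"^\s*i:(.*)$")
_CN = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")  # 'CN = x' and '/CN=x' styles

def cn(dn):
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    certs, pending = [], None
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            pending = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and pending is not None:
            certs.append((pending, m.group(1).strip()))
            pending = None
    return certs

def find_missing_issuer(certs, local_store):
    """Walk issuer links from the leaf; return the CN of the first CA the server
    did not send and local_store (CNs of roots or cached intermediates the client
    already has) lacks, or None if the chain closes. CN-only matching: a diagnostic."""
    by_subject = {cn(s): (s, i) for s, i in certs}
    subject, issuer = certs[0]
    seen = set()
    while issuer != subject and cn(issuer) not in seen:   # stop at self-signed or loop
        name = cn(issuer)
        if name in local_store:
            return None                      # the client can close the chain itself
        if name not in by_subject:
            return name                      # neither sent by the server nor known locally
        seen.add(name)
        subject, issuer = by_subject[name]
    return None
```

    Running it on the leaf-only chain with a store that has only roots reports `WoTrus DV Server CA` as the gap, while a client that already caches that intermediate (as a browser often does) reports nothing, which is exactly the Mac-versus-server split in this thread.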