以下狀況最近常發現在 FreeBSD 用戶端要讀取使用 Let's Encrypt. 憑證的網站
$ wget https://example.xx.xx/
Resolving example.xx.xx (example.xx.xx)... xx.xx.xx.xx
Connecting to example.xx.xx (example.xx.xx)|xx.xx.xx.xx|:443... connected.
ERROR: cannot verify example.xx.xx's certificate, issued by 'CN=R3,O=Let\'s Encrypt,C=US':
Issued certificate has expired.
To connect to example.xx.xx insecurely, use `--no-check-certificate'.
$ curl https://example.xx.xx/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
原因是 client 的 ca root 憑證過期
以freebsd 為例,可以查看 /usr/local/etc/ssl/cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
Signature Algorithm: sha1WithRSAEncryption
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Sep 30 21:12:19 2000 GMT
Not After : Sep 30 14:01:15 2021 GMT
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
略過錯誤的解決方式:
$ wget --no-check-certificate https://example.xx.xx/
$ curl -k https://example.xx.xx/
如果是使用 apache 的 proxypass
請在設定檔加入
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
重啟 apache
留言列表
{{ article.title }}
