I wanted to download a package from GitHub, but fetch unexpectedly failed with an error.
root@example:~ # fetch https://github.com/encorehu/django-buddy/archive/master.zip
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: https://github.com/encorehu/django-buddy/archive/master.zip: Authentication error
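Some sources say GitHub itself changed something about its SSL connections. There was too much English, I couldn't follow it, and I couldn't be bothered to read it.
Update 2016-1-27: the correct answer: https://github.com/saltstack/salt-bootstrap/issues/290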
deeprave commented on 8 Oct 2014
Actually a better (and permanent) solution to this is to:
$ pkg install ca_root_nss
then, ln or cp the combined root certificates to /etc/ssl/cert.pem e.g.
$ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem
which installs the nss root certificates in a place where fetch(1) can find them. Bypassing security is rarely a good solution.
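The ways other people solved it are:
1. Install a newer version of OpenSSL
or 2. Install DigiCert's certificate
As for the specifics, I'll add the details once I've solved this myself.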
----
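Addendum
3. Some sources say you need to download the certificate from the DigiCert certificate site, https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt, but as it turned out this one also has to be downloaded over https, so it simply could not be downloaded.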
root@example:~ # fetch https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt: Authentication error
openssl s_client -connect github.com:443
root@example:~ # openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
.......(deleted)....
.....(deleted, it feels a bit safer)...
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
---
No client certificate CA names sent
---
SSL handshake has read 4139 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FB3AF14B585A4FE1D98556286E5C82FEF788B2BE6FAF83081B742417E05FD90E
    Session-ID-ctx:
    Master-Key: 14CD0609C660C0896CF5F159517A02A95E5AE43BC47561EEBB49891112271AD50E4DD113D3CFF622985289FD1ED3E7B5
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1396167645
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed
5. Temporary workaround, learned and used on the spot: curl url >a.zip solved the download problem. I'll add more about the openssl problem later.
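An added example, not from the original post or the quoted GitHub comment: a small shell check for the CA bundle that the ca_root_nss fix in the 2016-1-27 update links into place. It assumes the bundle is a PEM file at /etc/ssl/cert.pem as in that comment; the function name check_ca_bundle and its status words are made up for illustration, and it also flags a symlink whose target has since disappeared (for instance if the package providing the target were removed).

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of fetch(1) or ca_root_nss).
# Classifies the CA bundle file that the quoted fix puts at /etc/ssl/cert.pem.
# Usage: check_ca_bundle            # checks /etc/ssl/cert.pem
#        check_ca_bundle /some/path # checks another bundle

check_ca_bundle() {
    bundle="${1:-/etc/ssl/cert.pem}"

    # A symlink whose target is gone still shows up in a directory listing,
    # but it cannot be opened, so verification has no roots to work with.
    if [ -L "$bundle" ] && [ ! -e "$bundle" ]; then
        echo "dangling"
        return 2
    fi
    if [ ! -e "$bundle" ]; then
        echo "missing"
        return 1
    fi
    if [ ! -r "$bundle" ]; then
        echo "unreadable"
        return 3
    fi

    # Count PEM certificate blocks; an empty or truncated file has none.
    # grep -c exits non-zero on a zero count, hence the "|| true".
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    if [ "${count:-0}" -eq 0 ]; then
        echo "no-certs"
        return 4
    fi

    echo "ok $count"
    return 0
}
```

Any result other than "ok N" means the trust store itself needs repairing before retrying fetch; it is not a reason to turn certificate verification off.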
References:
http://smyck.net/2014/01/22/freebsd-authentication-error/
https://forums.freebsd.org/viewtopic.php?&t=14051
http://stackoverflow.com/questions/22027418/openssl-python-requests-error-certificate-verify-failed