freebsd上用https下载github的包失败了

想从github上下载一个包, 结果fetch居然报错了

root@example:~ # fetch https://github.com/encorehu/django-buddy/archive/master.zip
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: https://github.com/encorehu/django-buddy/archive/master.zip: Authentication error


一些资料说是github自己更新了ssl连接的某些东西, 英文太多看不懂, 也懒得看.


2016-1-27更新:::::正确答案:https://github.com/saltstack/salt-bootstrap/issues/290

deeprave commented on 8 Oct 2014
Actually a better (and permanent) solution to this is to:

$ pkg install ca_root_nss

then, ln or cp the combined root certificates to /etc/ssl/cert.pem
e.g.
$ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

which installs the nss root certificates in a place where fetch(1) can find them.

Bypassing security is rarely a good solution.


别人解决的方式是

1. 安装新版的openssl

或者2. 安装DigiCert的安全证书


具体的, 我这个自己解决之后,再 详细补充.

----

补充

3 有资料说要下载 digitcert 数字证书网站的 证书, https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt, 结果哪里知道这个也是要通过https来下载的, 结果根本就下不下来.

root@example:~ # fetch https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt: Authentication error

4. 测试命令, openssl s_client -connect github.com:443

openssl s_client -connect github.com:443

结果滚出一堆:

root@example:~ # openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHOjCCBiKgAwIBAgIQBH++LkveAITSyvjj7P5wWDANBgkqhkiG9w0BAQUFADBp
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSgwJgYDVQQDEx9EaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBDQS0xMB4XDTEzMDYxMDAwMDAwMFoXDTE1MDkwMjEyMDAwMFowgfAxHTAb
.......删了....
MRUwEwYDVQQKEwxHaXRIdWIsIEluYy4xEzARBgNVBAMTCmdpdGh1Yi5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDt04nDXXByCfMzTxpydNm2WpVQ
u2hhn/f7Hxnh2gQxrxV8Gn/5c68d5UMrVgkARWlK6MRb38J3UlEZW9Er2TllNqAy
GRxBc/sysj2fmOyCWws3ZDkstxCDcs3w6iRL+tmULsOFFTmpOvaI2vQniaaVT4Si
.....删了, 觉得安全些...
+UMBmgdx9KPDDzZy4MJZC2hbfUoXj9A54mJN8cuEOPyw3c3yKOcq/h48KzVguQXi
SdJbwfqNIbQ9oJM+YzDjzS62+TCtNSNWzWbwABZCmuQxK0oEOSbTmbhxUF7rND3/
+mx9u8cY//7uAxLWYS5gIZlCbxcf0lkiKSHJB319
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
---
No client certificate CA names sent
---
SSL handshake has read 4139 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FB3AF14B585A4FE1D98556286E5C82FEF788B2BE6FAF83081B742417E05FD90E
    Session-ID-ctx:
    Master-Key: 14CD0609C660C0896CF5F159517A02A95E5AE43BC47561EEBB49891112271AD50E4DD113D3CFF622985289FD1ED3E7B5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1396167645
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

啥意思, 这一堆, 最后可能是显示了点东西, 408, 请求超时, 浏览器并没有在默认时间里发送完整的请求.


5.临时解决, 现学现用, 用curl url >a.zip解决了下载问题. openssl的问题以后再补充.


参考资料:

http://smyck.net/2014/01/22/freebsd-authentication-error/

https://forums.freebsd.org/viewtopic.php?&t=14051

http://stackoverflow.com/questions/22027418/openssl-python-requests-error-certificate-verify-failed


你可能感兴趣的:(github,https,fetch,OpenSSL,失败)