Wget: resolve error when downloading an HTTPS file

2015-12-29 18:20:03 +08:00
 ekeyme
```
wget(1.11.4) --ca-certificate=$myhttpca https://nodejs.org/dist/v5.3.0/node-v5.3.0-linux-x64.tar.gz
```

The $myhttpca file is the current latest version of https://github.com/bagder/ca-bundle/blob/master/ca-bundle.crt.
The following error appears:

```
Resolving nodejs.org... 104.20.22.46, 104.20.23.46, 2400:cb00:2048:1::6814:162e, ...
Connecting to nodejs.org|104.20.22.46|:443... connected.
ERROR: certificate common name `*.nodejs.org' doesn't match requested host name `nodejs.org'.
To connect to nodejs.org insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
```

But when I switch to another, newer server and run wget there (version 1.12, no ca file needed), there is no error.

I've been stuck on this for a whole afternoon; I don't really understand how SSL verification works. It feels like a wget version issue: on the old server (above), running wget --ca.... https://github.com/... directly for files does not fail. It only breaks once the HTTPS server's IP changes. Hoping for an explanation, this is really frustrating, thanks everyone!

6829 views
Node: Linux
9 replies
plqws
2015-12-29 18:22:51 +08:00
The TLS in Debian 7 and 8 both seem to have bugs; which distro is the OP on?
zealot0630
2015-12-29 18:33:28 +08:00
I looked at the nodejs server's certificate; the problem should be that your server does not support X509v3 Subject Alternative Name.

The server certificate has
X509v3 Subject Alternative Name:
DNS:*.nodejs.org, DNS:nodejs.org

Your wget does not recognize it, which causes the problem.
zealot0630
2015-12-29 18:36:08 +08:00
PS: use the command

```
openssl s_client -connect nodejs.org:443 -showcerts | openssl x509 -noout -text
```

to view the server certificate.
znlab
2015-12-29 22:32:23 +08:00
It may be caused by SNI: https://en.wikipedia.org/wiki/Server_Name_Indication

Many older HTTP tools/libraries do not support SNI.
ekeyme
2015-12-30 09:18:42 +08:00
@plqws

The distro is CentOS release 5.7 (Final)
Linux version 2.6.18-274.7.1.el5 (mockbuild@builder10.centos.org) (Red Hat 4.1.2-51)) #1 SMP Thu Oct 20 16:21:01 EDT 2011
ekeyme
2015-12-30 10:51:11 +08:00
@zealot0630 Thx. I ran the command you gave, but I don't know how to read the result. I did see the X509v3 Subject Alternative Name: keyword in the output, so presumably the server does support SAN.

```
depth=3 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
verify return:1
depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
verify return:1
depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.nodejs.org
verify return:1
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4d:46:ea:c0:d8:04:b6:90:07:55:7d:18:e0:27:ea:4d
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Validity
Not Before: Nov 8 00:00:00 2015 GMT
Not After : Aug 22 23:59:59 2017 GMT
Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.nodejs.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Modulus (4096 bit):
00:c4:88:d6:f5:ce:38:af:f6:3a:7b:73:ed:43:81:
4a:d2:01:8e:91:2b:f1:af:3d:f7:8f:83:42:a6:89:
ed:4e:15:77:80:c1:9e:29:0b:ee:a2:38:80:ad:29:
d1:66:c2:eb:74:bc:0f:40:ae:15:61:66:2b:b1:3a:
2f:05:2b:c2:19:eb:ab:2d:83:25:c9:1b:26:88:a2:
be:4d:8e:eb:95:6f:bc:f1:57:ff:01:10:ab:6c:ca:
f5:5f:07:92:f8:28:34:ef:9a:41:7b:ff:f9:d1:46:
b1:e0:86:77:3d:63:2e:f1:db:03:de:19:a6:57:9e:
4d:fe:40:b5:a5:da:53:24:98:72:03:73:4b:89:96:
23:53:fd:33:f4:91:b2:11:ca:55:a7:a8:79:76:38:
9e:d4:23:b7:2a:11:7a:74:d2:18:1b:29:ca:ce:ec:
99:35:97:c3:83:24:2b:b5:1f:5d:4d:38:61:32:01:
5c:a4:f1:e1:32:35:51:91:3f:42:c9:87:00:de:b7:
94:1b:13:d0:de:44:46:f4:0b:cc:d9:3e:46:89:7f:
4a:bc:05:6d:f2:aa:72:ac:ee:ee:e0:aa:7d:41:09:
e0:15:89:b2:69:d4:03:f2:d0:c7:8c:60:19:6a:25:
1b:b0:6a:65:20:5e:17:99:70:14:30:a9:2e:ed:41:
2f:7a:be:b9:e8:46:69:59:56:cc:b5:24:41:dd:3c:
d8:70:dc:2b:7f:63:1c:be:71:19:03:e0:58:13:bb:
ff:68:7c:0e:6a:d5:77:81:01:36:92:3d:1e:8d:cc:
b7:1a:8d:72:d2:b6:3a:11:4b:4f:b7:fd:e1:59:40:
ab:1e:7d:4b:89:3e:61:b1:35:f2:e3:59:31:e1:ec:
87:ba:d1:48:cf:0e:69:ed:38:d8:ba:fc:ec:32:44:
d3:fc:da:8d:a9:7e:49:45:7a:77:b0:c2:19:ae:61:
5a:70:05:95:e7:69:21:af:20:ce:a3:8e:2a:18:57:
10:7e:ff:41:37:63:38:83:33:75:10:d7:c9:2b:a2:
c2:91:18:cb:8b:91:0a:1d:cb:c1:86:31:fb:9a:20:
b6:fc:2a:74:9e:e5:37:8d:fd:27:21:7a:bc:59:91:
d2:6d:80:70:7e:6d:ce:3d:3b:c1:c5:98:73:ef:cb:
59:6e:b2:09:e1:ca:09:1b:29:2d:9f:2f:2d:37:10:
5d:b8:de:30:86:9f:81:76:64:ae:04:d6:e8:bc:85:
d9:1a:e9:e7:26:b6:5a:25:04:0e:a9:56:68:d4:42:
57:60:93:92:77:8e:00:3c:28:35:ee:c9:c6:d6:4c:
3c:13:ff:3c:2c:46:20:7a:4e:42:e4:95:c1:43:e8:
d8:3f:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:90:AF:6A:3A:94:5A:0B:D8:90:EA:12:56:73:DF:43:B4:3A:28:DA:E7

X509v3 Subject Key Identifier:
70:31:95:88:4E:E0:A4:68:5B:C2:18:1A:DC:D8:EB:A9:4B:85:2D:E0
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.7
CPS: https://secure.comodo.com/CPS
Policy: 2.23.140.1.2.1

X509v3 CRL Distribution Points:
URI:http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl

Authority Information Access:
CA Issuers - URI:http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
OCSP - URI:http://ocsp.comodoca.com

X509v3 Subject Alternative Name:
DNS:*.nodejs.org, DNS:nodejs.org
Signature Algorithm: sha256WithRSAEncryption
59:ba:c0:76:35:ab:3e:3a:54:3b:28:94:98:f1:e9:48:26:85:
93:39:b3:74:4a:e4:e9:02:dd:42:cd:c7:5e:97:72:f5:64:0f:
1d:57:43:f5:f2:61:d6:fc:b0:49:ea:9e:a1:a8:8b:d7:41:de:
67:79:4c:9e:8f:42:ec:5d:15:d7:e7:32:40:4c:ae:68:88:1e:
fd:37:70:65:07:86:fd:cb:ec:86:5a:55:58:f6:4a:ce:1a:64:
ea:ed:1f:f1:68:f4:73:ee:83:5f:b1:7f:9f:40:a4:59:c1:48:
db:6a:55:e4:6a:96:36:90:ea:ad:e8:f9:cd:37:d9:8e:26:fb:
c9:e6:43:c7:fc:55:12:0b:87:e1:cd:7f:19:9e:7e:a2:0b:28:
7c:99:ab:a8:fc:0a:ba:cb:a8:79:90:b7:17:ca:8d:77:2e:10:
25:0e:86:46:c8:95:99:43:22:da:cb:2d:a6:3e:90:40:a6:a8:
d3:40:67:2c:4b:5b:9b:f1:bb:df:c0:cd:d0:4f:90:f0:2e:83:
12:e6:65:d0:f8:87:1e:17:d9:6d:e8:b6:62:48:c7:6c:e7:e9:
b3:ee:14:21:97:96:02:14:c3:58:bd:46:c5:9a:51:bc:e9:39:
d7:21:e6:74:70:fd:c7:b3:fb:c2:f7:e6:52:ae:ef:76:2c:ab:
eb:32:ea:21

```
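The two posts above pin the failure on the hostname check: the Subject CN is `*.nodejs.org`, and a wildcard label never matches the bare domain `nodejs.org`; only the SAN entry `DNS:nodejs.org` does. The script below is an added example (not code from this thread, from wget, or from OpenSSL). It parses a constructed excerpt shaped like the `openssl x509 -noout -text` dump posted above, pulling out the Subject CN and the SAN dNSName entries, then runs two matchers: a CN-only check like the one an old client performs, and an RFC 6125 style check in which a present SAN list is authoritative and the CN is only a fallback. The sample certificate text, the function names and the wildcard rules implemented here are the example's own assumptions.

```python
"""Hostname matching against an X.509 certificate: CN-only vs SAN-aware.

Added example for this thread; not wget's or OpenSSL's code.  It shows why
a client that only compares the Subject CN rejects `nodejs.org` against a
`CN=*.nodejs.org` certificate, while a SAN-aware client accepts it via the
`DNS:nodejs.org` entry.
"""
import re

# Constructed excerpt modelled on the `openssl x509 -noout -text` dump in the
# thread; only the fields the hostname check needs are kept.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.nodejs.org
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.nodejs.org, DNS:nodejs.org
"""


def parse_cert_text(text):
    """Return (subject_cn, [san_dns_names]) from openssl -text style output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?\bCN=([^,\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    san = []
    m = re.search(r"X509v3 Subject Alternative Name:\s*\n\s*(.+)", text)
    if m:
        san = [e.split(":", 1)[1].strip()
               for e in m.group(1).split(",")
               if e.strip().startswith("DNS:")]
    return cn, san


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison of one dNSName against a hostname.

    Case-insensitive; '*' is allowed only as the entire leftmost label, must
    be followed by at least two labels, and matches exactly one non-empty
    label.  Hence '*.nodejs.org' matches 'www.nodejs.org' but not
    'nodejs.org' and not 'a.b.nodejs.org'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def legacy_cn_check(cn, san, hostname):
    """CN-only check, as an old client that ignores the SAN extension behaves."""
    return cn is not None and dns_name_matches(cn, hostname)


def san_aware_check(cn, san, hostname):
    """If any dNSName SAN is present it is authoritative and the CN is ignored;
    the CN is consulted only for certificates without a SAN list."""
    if san:
        return any(dns_name_matches(name, hostname) for name in san)
    return legacy_cn_check(cn, san, hostname)


def explain(cert_text, hostname):
    """Parse the certificate text and report both verdicts for a hostname."""
    cn, san = parse_cert_text(cert_text)
    return {
        "cn": cn,
        "san": san,
        "legacy_cn_only": legacy_cn_check(cn, san, hostname),
        "san_aware": san_aware_check(cn, san, hostname),
    }


if __name__ == "__main__":
    for host in ("nodejs.org", "www.nodejs.org", "a.b.nodejs.org"):
        print(host, explain(SAMPLE_CERT_TEXT, host))
```

Running it reproduces the thread: for `nodejs.org` the CN-only verdict is False (the wget error above) while the SAN-aware verdict is True, and for `www.nodejs.org` both agree. The defensive takeaway is that the fix is a client that honours the SAN extension, not `--no-check-certificate`, which disables the check entirely.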
ekeyme
2015-12-30 13:40:20 +08:00
@znlab, very good hint, thanks.
The wget on my old server (OpenSSL 0.9.8e; SNI is only supported from 0.9.8f) does not support SNI, and I really did think at first that my wget failing now was because of SNI.
Later I also ran wget https://sni.velox.ch/ on the new server; the result was that neither supports SNI. From the wiki you linked one can also see that wget before 1.14 does not support SNI, so the wget on both servers does not support SNI; but according to the openssl version info, OpenSSL 1.0.1e-fips 11 Feb 2013 on the new server does support SNI.

So the question now is whether it is the interplay between wget supporting SNI or not and openssl supporting SNI or not that caused the problem in my original post? It also feels like it is not an SNI problem; could there be other directions? Any pointers would be great. Many thanks!
zealot0630
2015-12-30 18:52:25 +08:00
@ekeyme The nodejs server has not configured SNI at all, so your client does not need to support SNI either.

It is your old version of wget not supporting X509v3 Subject Alternative Name that causes the error.
zealot0630
2015-12-30 18:52:49 +08:00
It could also be openssl that does not support X509v3 Subject Alternative Name.

https://www.v2ex.com/t/246996