Solidot 的 WoTrus 证书不被信任

2020-10-19 22:49:19 +08:00
 guyskk0x0

从 2020-10-16 开始,Solidot 似乎更换了 WoTrus (沃通) 签发的 HTTPS 证书,curl, requests 和 cloudflare 都不信任这个证书。

$ curl -v https://www.solidot.org/
* About to connect() to www.solidot.org port 443 (#0)
*   Trying 106.75.14.181...
* Connected to www.solidot.org (106.75.14.181) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=*.solidot.org,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated
* 	start date: 10 月 16 00:00:00 2019 GMT
* 	expire date: 10 月 15 23:59:59 2021 GMT
* 	common name: *.solidot.org
* 	issuer: CN=WoTrus DV Server CA,OU=Controlled by Sectigo exclusively for WoTrus CA Limited,O=WoTrus CA Limited,L=Shenzhen,ST=Guangdong,C=CN
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.solidot.org', port=443): Max retries exceeded with url: /index.rss (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')))
2260 次点击
所在节点    全球工单系统
6 条回复
Xusually
2020-10-19 22:52:19 +08:00
curl -v https://www.solidot.org/
* Trying 106.75.14.181...
* TCP_NODELAY set
* Connected to www.solidot.org (106.75.14.181) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=*.solidot.org
* start date: Oct 16 00:00:00 2019 GMT
* expire date: Oct 15 23:59:59 2021 GMT
* subjectAltName: host "www.solidot.org" matched cert's "*.solidot.org"
* issuer: C=CN; ST=Guangdong; L=Shenzhen; O=WoTrus CA Limited; OU=Controlled by Sectigo exclusively for WoTrus CA Limited; CN=WoTrus DV Server CA
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.solidot.org
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Server: nginx
< Date: Mon, 19 Oct 2020 14:50:53 GMT
< Content-Type: text/html
< Content-Length: 146
< Connection: keep-alive
<
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host www.solidot.org left intact
* Closing connection 0


我这里没什么问题

楼主你是不是在沃通上次出事儿的时候,跟风自己删掉了自己本地对沃通的信任?
guyskk0x0
2020-10-19 22:56:59 +08:00
@Xusually 我 Mac 和 Chrome 上也正常,但用 requests,以及服务器上都报 SSL 错误。
Xusually
2020-10-19 22:57:16 +08:00
接上一条,或者你的环境没有更新或者安装比较新的 Root CA 证书?
如果是这样的话,试试看指定一下 ca certs 的路径
Xusually
2020-10-19 23:04:32 +08:00
@guyskk0x0 看上去 Solidot 没有把 WoTrus 的整个证书链打包进一个 bundle 里面,你可以尝试去 Comodo 或者 Wotrus 去找一下,一般情况下,上层 CA 的证书链都是有公开提供的。
guyskk0x0
2020-10-19 23:08:59 +08:00
Xusually
2020-10-19 23:22:53 +08:00
@guyskk0x0 嗯,那就对了。你去找一下缺失的证书链就行。他们前端服务器没有使用包含完整 CA 链的 cert bundle,同时也没有单独配置 CA cert,就会这样很依赖于客户端的证书完备程度,在服务器上可能出问题。

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/716517

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX