How to fix "SSL certificate problem: self signed certificate in certificate chain" error?


Question

I have a Linux-based Docker container, where if I do:

curl https://google.com

...then I get an error:

curl: (60) SSL certificate problem: self signed certificate in certificate chain More details here: https://curl.haxx.se/docs/sslcerts.html

The same happens for any URL - it's not Google that's at fault.

The link referenced above suggests various solutions, none of which seem appropriate apart from perhaps the last one, which suggests updating the certificate store. But there are no instructions on how to do that (or at least, none that make sense to me).

Is that the right thing to do, and if so how?

UPDATE: as requested, here's the result of:

openssl s_client -showcerts -connect www.google.com:443

CONNECTED(00000003)
depth=3 DC = com, DC = forestroot, CN = SHA256RootCA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
   i:/CN=ssl-decrypt
-----BEGIN CERTIFICATE-----
MIIDXzCCAkegAwIBAgIIXIk3p8xOX/kwDQYJKoZIhvcNAQELBQAwFjEUMBIGA1UE
AxMLc3NsLWRlY3J5cHQwHhcNMTgxMjE5MDgxNzAwWhcNMTkwMzEzMDgxNzAwWjBo
...
tq0VAGIoj4+YhO6bktTq3alCRoLstJuuxjVdb1wRkH4YRi0I6ZAB1Cw+M8Lg+2eQ
KuEo
-----END CERTIFICATE-----
 1 s:/CN=ssl-decrypt
   i:/DC=com/DC=bgs/CN=SHA256IssueCA
-----BEGIN CERTIFICATE-----
MIIGzDCCBLSgAwIBAgITEQAADvB9T7mSaacwDQABAAAO8DANBgkqhkiG9w0BAQsF
ADBCMRMwEQYKCZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDYmdzMRYw
...
1z9f/nkj2XTRyGeACoy0qRd5uXJHp1iGM27l3RFDR9OjrfPV56pOBUYWAlc9Nn+1
Vr3qUZrcCkROrmYisVF4jg==
-----END CERTIFICATE-----
 2 s:/DC=com/DC=MyCompanyServer/CN=SHA256IssueCA
   i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
-----BEGIN CERTIFICATE-----
MIIH4zCCBcugAwIBAgITOQAAAAOa4wv9nnK0uQAAAAAAAzANBgkqhkiG9w0BAQsF
ADBIMRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0
...
IomErcbcymIWBmN75PVMsk9EMyqDP394jG8+IOK+lVUVX4pxzhdd7eYbqTAwDE1X
bNWcZZkt/w==
-----END CERTIFICATE-----
 3 s:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
   i:/DC=com/DC=MyCompanyServer/CN=SHA256RootCA
-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIQULxmYXGJ1aFIlIyCHA4NIzANBgkqhkiG9w0BAQsFADBI
MRMwEQYKCZImiZPyLGQBGRYDY29tMRowGAYKCZImiZPyLGQBGRYKZm9yZXN0cm9v
...
jQBLY0/KIjHywv66GhtVWpexgQcXrLxQP2VHW7eXpsylvwkNU5XNQYzHTB7u+w5C
VunfRLt/7mVWyURcwkOre38tVSByKR4=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=www.google.com
issuer=/CN=ssl-decrypt
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6556 bytes and written 302 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 723D9976F985887CA5F256EE3C2E7B44B9C98A6B440AAF4E19564AE101F78D00
    Session-ID-ctx:
    Master-Key: C3D8759A753C1D269FF9C00854E59B8C10ABC1E94AFE9F0166486A649FE295ACE1AF5E5BEDB0129E557E781BC860D2FA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1548690163
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: yes
---
read:errno=0

What I gather from this is that there's a certificate in this chain belonging to the company I'm working for (which I've renamed MyCompanyServer), and I imagine that's the issue.

Am I right in thinking that I need to install some sort of key for that certificate? This is all Greek to me, so apologies for the newbie questions.

Answer

Probably you don't have the correct CA certificates available in the container, so TLS connections can't be verified.

Try to install the ca-certificates package (the package may have a different name, depending on the distribution used).

UPDATE:

Your company inspects TLS connections in the corporate network, so original certificates are replaced by your company's certificates. You need to add your company's CA certificate to the root CA certificates.

Linux (Ubuntu, Debian):

  • copy the company CA certificate to the dir /usr/local/share/ca-certificates/
  • run sudo update-ca-certificates

If your host OS already has CA certs configured correctly (company CA certs included), then you can just mount them as a volume into the container:

docker run \
  -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt \
  ...

Typical CA cert locations:

  • /etc/ssl/certs/ca-certificates.crt Debian/Ubuntu/Gentoo etc.
  • /etc/pki/tls/certs/ca-bundle.crt Fedora/RHEL 6
  • /etc/ssl/ca-bundle.pem OpenSUSE
  • /etc/pki/tls/cacert.pem OpenELEC
  • /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem CentOS/RHEL 7
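The procedure above as a script, added here as an example (it is not part of the original answer): it takes saved `openssl s_client -showcerts` output like the one in the question, checks that the last certificate in the chain really is a self-signed root (subject equals issuer, as on the `s:`/`i:` lines), writes that certificate out, installs it with `update-ca-certificates` (Debian/Ubuntu) or `update-ca-trust` (RHEL/CentOS, an assumed layout the answer does not cover), and re-tests with curl. The embedded `sample_chain` is constructed for the example; its PEM bodies are placeholders, not real certificates. Paths, the `corp-root` file name and the test URL are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): pull the corporate root out
# of saved `openssl s_client -showcerts` output, check that it is
# self-signed, and install it into the container's trust store.
# Assumptions: Debian/Ubuntu layout (/usr/local/share/ca-certificates +
# update-ca-certificates), RHEL/CentOS layout (/etc/pki/ca-trust/source/anchors
# + update-ca-trust), and a chain whose last entry is the root, as in the
# depth=3 output above. The sample chain below is constructed; the PEM bodies
# are placeholders, not real certificates.
set -eu

# Constructed stand-in for `openssl s_client -showcerts -connect host:443`.
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 CN = Example Corp Root CA
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Corp Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERLEAF
-----END CERTIFICATE-----
 1 s:/CN=Example Corp Root CA
   i:/CN=Example Corp Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERROOT
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=www.example.com
issuer=/CN=Example Corp Root CA
EOF
}

# Number of PEM certificate blocks on stdin.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Print the N-th PEM block from stdin (1-based), or the final one for "last".
nth_cert() {
    awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; buf = ""; inblock = 1 }
        inblock                       { buf = buf $0 "\n" }
        /-----END CERTIFICATE-----/   { inblock = 0; blocks[n] = buf }
        END {
            if (want == "last") want = n
            if (want in blocks) printf "%s", blocks[want]
        }'
}

# "yes" if the last chain entry has subject == issuer (a root), else "no".
# Uses the " N s:/..." and "   i:/..." lines s_client prints above each cert.
last_is_self_signed() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
        END { r = (subj != "" && subj == iss) ? "yes" : "no"; print r }'
}

# Install a PEM root into the trust store (run as root inside the container).
# update-ca-certificates only picks up files ending in .crt.
install_root_debian() {
    cp "$1" /usr/local/share/ca-certificates/corp-root.crt
    update-ca-certificates
}
install_root_rhel() {
    cp "$1" /etc/pki/ca-trust/source/anchors/corp-root.pem
    update-ca-trust
}

# Usage: sh thisscript.sh saved_s_client_output.txt
# Extracts the root, refuses to install anything that is not self-signed,
# then re-checks with curl against the system bundle (no -k/--insecure).
if [ "$#" -ge 1 ]; then
    [ "$(last_is_self_signed < "$1")" = "yes" ] || { echo "last cert is not a root" >&2; exit 1; }
    nth_cert last < "$1" > corp-root.pem
    if [ -d /usr/local/share/ca-certificates ]; then install_root_debian corp-root.pem
    elif [ -d /etc/pki/ca-trust/source/anchors ]; then install_root_rhel corp-root.pem
    fi
    curl -sSf -o /dev/null https://www.google.com && echo "verified OK"
fi
```

Baking the same thing into an image is two Dockerfile lines, `COPY corp-root.crt /usr/local/share/ca-certificates/` followed by `RUN update-ca-certificates`. Two caveats: `curl -k` (or `--insecure`) makes the error go away without fixing anything, so don't use it as the "fix"; and installing the root trusts the inspection proxy (`CN=ssl-decrypt` in the question) to read every TLS session from the container, which is a deliberate decision to make, not a side effect to discover later.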
