#yyds干货盘点# Fixing CA certificate failures in wget/curl

1. Symptom

wget https://download.ceph.com/rpm-mimic/el7/noarch/ceph-release-1-0.el7.noarch.rpm

The error log is as follows:

--2022-02-17 11:44:48-- https://download.ceph.com/rpm-mimic/el7/noarch/ceph-release-1-0.el7.noarch.rpm
Resolving download.ceph.com (download.ceph.com)... 158.69.68.124, 2607:5300:201:2000::3:58a1
Connecting to download.ceph.com (download.ceph.com)|158.69.68.124|:443... connected.
ERROR: cannot verify download.ceph.com's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
  Issued certificate has expired.
To connect to download.ceph.com insecurely, use `--no-check-certificate'.

2. Cause analysis

The certificate has expired, which causes the download to fail.
Add the environment variable to /etc/profile:
export CURL_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
source /etc/profile
Copy the ca-certificates.crt file from another machine:
scp root@192.168.103.48:/etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

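3. Solution

First, copy the certificate bundle ca-certificates.crt from another environment.

After copying it, it turned out not to work.

Check whether the wget versions are the same: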

[root@ceph03 ~]# wget -V
GNU Wget 1.14 built on linux-gnu.

+digest +https +ipv6 +iri +large-file +nls +ntlm +opie +ssl/openssl

Wgetrc:
/etc/wgetrc (system)
Locale: /usr/share/locale
Compile: gcc -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/etc/wgetrc"
-DLOCALEDIR="/usr/share/locale" -I. -I../lib -I../lib -O2 -g -pipe
-Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong
--param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic
Link: gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector-strong --param=ssp-buffer-size=4
-grecord-gcc-switches -m64 -mtune=generic -lssl -lcrypto
/usr/lib64/libssl.so /usr/lib64/libcrypto.so /usr/lib64/libz.so
-ldl -lz -lz -lidn -luuid -lpcre ftp-opie.o openssl.o http-ntlm.o
../lib/libgnu.a

Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.

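3.1 Bypassing certificate verification

Add the parameter:

--no-check-certificate (bypass certificate verification; the server's identity is then not validated)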



--ca-certificate=FILE (specify the location of the certificate file)

Default certificate location: /etc/pki/tls/cert.pem

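3.2 If the certificate cannot be bypassed, update the certificates

yum install -y ca-certificates    # install the certificates

Several files turned out to have changed: the certificates are not controlled by a single file, but by multiple files.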
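
An added example, not part of the original post: before bypassing verification or overwriting a trust store, this shell function lists the certificates in a PEM CA bundle (for instance the default /etc/pki/tls/cert.pem, or a copied ca-certificates.crt) that have expired or will expire within a given window. The function name list_expiring and its exit codes are assumptions of this example; it requires openssl, awk and mktemp.

```shell
#!/bin/sh
# Added example, not from the original post. Needs openssl, awk, mktemp.
# list_expiring BUNDLE [SECONDS]
#   Prints "notAfter=...  subject=..." for each certificate in a PEM bundle
#   that has expired or will expire within SECONDS (default 0: expired now).
#   Exit status: 0 = none found, 1 = at least one found, 2 = unusable bundle.
list_expiring() (
    bundle=$1
    window=${2:-0}
    [ -r "$bundle" ] || { echo "cannot read: $bundle" >&2; exit 2; }
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    # Split the bundle into one file per certificate, in bundle order.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/%05d.pem", dir, ++n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { if (out != "") close(out); out = "" }
    ' "$bundle"
    total=0
    found=0
    for pem in "$tmp"/*.pem; do
        [ -e "$pem" ] || continue
        total=$((total + 1))
        if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
            echo "unparsable certificate #$total in $bundle"
            found=1
        # -checkend N exits non-zero when the cert expires within N seconds.
        elif ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            found=1
            end=$(openssl x509 -in "$pem" -noout -enddate)
            subj=$(openssl x509 -in "$pem" -noout -subject)
            printf '%s  %s\n' "$end" "$subj"
        fi
    done
    [ "$total" -gt 0 ] || { echo "no certificates in: $bundle" >&2; exit 2; }
    exit "$found"
)

# Run against a bundle when given one, e.g.: sh check.sh /etc/pki/tls/cert.pem
if [ "$#" -gt 0 ]; then list_expiring "$@"; fi
```

Running it on the bundle before and after `yum install -y ca-certificates` shows whether the update actually removed the expired entries from the file wget reads.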