工单节点使用指南 请用平和的语言准确描述你所遇到的问题 厂商的技术支持和你一样也是有喜怒哀乐的普通人类,尊重是相互的 如果是关于 V2EX 本身的问题反馈,请使用 反馈 节点
这是一个创建于 1819 天前的主题,其中的信息可能已经有所发展或是发生改变。
从 2020-10-16 开始,Solidot 似乎更换了 WoTrus (沃通) 签发的 HTTPS 证书,curl, requests 和 cloudflare 都不信任这个证书。
$ curl -v https://www.solidot.org/ * About to connect() to www.solidot.org port 443 (#0) * Trying 106.75.14.181... * Connected to www.solidot.org (106.75.14.181) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * Server certificate: * subject: CN=*.solidot.org,OU=PositiveSSL Multi-Domain,OU=Domain Control Validated * start date: 10 月 16 00:00:00 2019 GMT * expire date: 10 月 15 23:59:59 2021 GMT * common name: *.solidot.org * issuer: CN=WoTrus DV Server CA,OU=Controlled by Sectigo exclusively for WoTrus CA Limited,O=WoTrus CA Limited,L=Shenzhen,ST=Guangdong,C=CN * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER) * Peer's Certificate issuer is not recognized. * Closing connection 0 curl: (60) Peer's Certificate issuer is not recognized. requests.exceptions.SSLError: HTTPSConnectionPool(host='www.solidot.org', port=443): Max retries exceeded with url: /index.rss (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)'))) 6 条回复 2020-10-19 23:22:53 +08:00
 | 1 Xusually 2020-10-19 22:52:19 +08:00 curl -v https://www.solidot.org/ * Trying 106.75.14.181... * TCP_NODELAY set * Connected to www.solidot.org (106.75.14.181) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: OU=Domain Control Validated; OU=PositiveSSL Multi-Domain; CN=*.solidot.org * start date: Oct 16 00:00:00 2019 GMT * expire date: Oct 15 23:59:59 2021 GMT * subjectAltName: host "www.solidot.org" matched cert's "*.solidot.org" * issuer: C=CN; ST=Guangdong; L=Shenzhen; O=WoTrus CA Limited; OU=Controlled by Sectigo exclusively for WoTrus CA Limited; CN=WoTrus DV Server CA * SSL certificate verify ok. > GET / HTTP/1.1 > Host: www.solidot.org > User-Agent: curl/7.64.1 > Accept: */* > < HTTP/1.1 403 Forbidden < Server: nginx < Date: Mon, 19 Oct 2020 14:50:53 GMT < Content-Type: text/html < Content-Length: 146 < Connection: keep-alive < <html> <head><title>403 Forbidden</title></head> <body> <center><h1>403 Forbidden</h1></center> <hr><center>nginx</center> </body> </html> * Connection #0 to host www.solidot.org left intact * Closing connection 0 我这里没什么问题 楼主你是不是在沃通上次出事儿的时候,跟风自己删掉了自己本地对沃通的信任? |
 | 2 guyskk0x0 OP @Xusually 我 Mac 和 Chrome 上也正常,但用 requests,以及服务器上都报 SSL 错误。 |
| 3 Xusually 2020-10-19 22:57:16 +08:00 接上一条,或者你的环境没有更新或者安装比较新的 Root CA 证书? 如果是这样的话,试试看指定一下 ca certs 的路径 |
| 4 Xusually 2020-10-19 23:04:32 +08:00  1 @guyskk0x0 看上去 Solidot 没有把 WoTrus 的整个证书链打包进一个 bundle 里面,你可以尝试去 Comodo 或者 Wotrus 去找一下,一般情况下,上层 CA 的证书链都是有公开提供的。 |
| 5 guyskk0x0 OP |
Select Language