(Sorry about the formatting; I could not post this unless I put most of the text into code blocks.)
I am running Ubuntu 16.04. openssl claims the site certificate has expired.
```
openssl s_client -connect api.ipgeolocation.io:443 -showcerts
```
returns:
```
depth=4 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
...
 3 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
...
```
If I understand correctly:
- it's a problem with the root certificate DST Root CA X3
- DST Root CA X3 has been invalid for a few years now (it's a wonder why this only started failing a few days ago; I've been using api.ipgeolocation.io over SSL for over a year without any problems)
- I need to change the cert used by openssl for verifying step 3 (ISRG Root X1) from the one that uses DST Root CA X3 to a self-signed one.
I have:
1. downloaded a self-signed version of the cert for ISRG Root X1 (confirmed this using `openssl x509 -in /usr/local/share/ca-certificates/ISRGRootX1selfsigned.crt -text -noout`).
2. placed it in /usr/local/share/ca-certificates (it's the only file there).
3. edited /etc/ca-certificates.conf and commented out mozilla/ISRG_Root_X1.crt
4. used `sudo update-ca-certificates` and `sudo update-ca-certificates --fresh` to rebuild the cert "db".
5. checked the results using:
   - `openssl version -d` returns /usr/lib/ssl.
   - `ll /usr/lib/ssl` returns certs -> /etc/ssl/certs/.
   - `ll /etc/ssl/certs/ | grep -i isr` only returns info about ISRGRootX1selfsigned.pem and ISRGRootX1selfsigned.crt as expected, no other files/certs.
But as stated before, openssl still tries to verify ISRG Root X1 using DST Root CA X3...
So my question is: how can I further debug this?
:-)
Removing/commenting out "mozilla/DST_Root_CA_X3.crt" in /etc/ca-certificates.conf and rebuilding with "update-ca-certificates --fresh" solved the problem. (But I cannot explain why.)
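A small diagnostic for the situation in this thread, added here as an example and not code from the poster: it parses the text that `openssl s_client -showcerts` prints, pairs each `verify error` with the depth line before it and the `notAfter` line after it, and reports whether the top certificate the server sent is cross-signed (subject differs from issuer) and whether the verifier stopped at an expired anchor from the local store. The two transcripts embedded below are constructed to resemble the question's output (the chain is shortened to leaf, R3 and ISRG Root X1; no extra intermediate is assumed), one before and one after the expired root is dropped from the trust store. The remediation string repeats the fix that worked in this thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample transcripts (not captured from a live host). The first one
# mirrors the failure in the question: OpenSSL 1.0.2 follows the cross-signed
# ISRG Root X1 up to the expired DST Root CA X3 in the local trust store.
SAMPLE_BROKEN = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
---
Certificate chain
 0 s:/CN=api.ipgeolocation.io
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Same server, same presented chain, after DST Root CA X3 was removed from
# the trust store: verification now anchors on the self-signed ISRG Root X1.
SAMPLE_FIXED = """\
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.ipgeolocation.io
verify return:1
---
Certificate chain
 0 s:/CN=api.ipgeolocation.io
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")
DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
NOTAFTER_RE = re.compile(r"^notAfter=(.*?)\s*GMT\s*$")


def common_name(dn):
    """Extract the CN from either '/C=US/CN=x' (1.0.2) or 'C = US, CN = x' style DNs."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(output):
    """Return [(subject_cn, issuer_cn), ...] in the order the server presented them."""
    chain, pending = [], None
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            pending = common_name(m.group(2))
            continue
        m = ISSUER_RE.match(line)
        if m and pending is not None:
            chain.append((pending, common_name(m.group(1))))
            pending = None
    return chain


def parse_verify_errors(output):
    """Attach each 'verify error' to the preceding depth line and a following notAfter."""
    errors, current = [], None
    for line in output.splitlines():
        m = DEPTH_RE.match(line)
        if m:
            current = (int(m.group(1)), common_name(m.group(2)))
            continue
        m = ERROR_RE.match(line)
        if m and current:
            errors.append({"depth": current[0], "subject": current[1],
                           "num": int(m.group(1)), "reason": m.group(2).strip(),
                           "not_after": None})
            continue
        m = NOTAFTER_RE.match(line)
        if m and errors and errors[-1]["not_after"] is None:
            when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            errors[-1]["not_after"] = when.replace(tzinfo=timezone.utc)
    return errors


def diagnose(output, now=None):
    """Summarise why verification failed (or did not) for one s_client transcript."""
    now = now or datetime.now(timezone.utc)
    chain = parse_chain(output)
    errors = parse_verify_errors(output)
    top_subject, top_issuer = chain[-1]
    cross_signed = top_subject != top_issuer  # a self-signed root has subject == issuer
    # Error num 10 is X509_V_ERR_CERT_HAS_EXPIRED; we only care when it hits the
    # certificate that the presented chain's top cert points to (the local anchor).
    anchor_errors = [e for e in errors if e["num"] == 10 and e["subject"] == top_issuer]
    not_after = anchor_errors[0]["not_after"] if anchor_errors else None
    result = {
        "chain": chain,
        "cross_signed": cross_signed,
        "expired_anchor": top_issuer if anchor_errors else None,
        "not_after": not_after,
        "anchor_is_past": bool(not_after and not_after < now),
        "remediation": None,
    }
    if anchor_errors:
        result["remediation"] = (
            f"Remove '{top_issuer}' from the local trust store (e.g. comment it out in "
            f"/etc/ca-certificates.conf and run update-ca-certificates --fresh) so that "
            f"the self-signed '{top_subject}' is used as the anchor instead.")
    return result


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BROKEN), ("after", SAMPLE_FIXED)):
        print(label, diagnose(sample))
```

Run it against a real capture with `openssl s_client -connect host:443 -showcerts </dev/null 2>&1 | python3 this_script.py` style piping if you add a `sys.stdin.read()` path; as written it only exercises the two constructed transcripts. The useful distinction it makes is that a cross-signed top certificate on its own is not an error (the "after" transcript still carries it); the failure is specifically that OpenSSL 1.0.2 on Ubuntu 16.04 walks up to the expired DST Root CA X3 held in the local store, which is why removing that root, as the last comment reports, is what fixes it.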