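When installing Azure DevOps Server, I used the <generate new self-signed certificate> option in the website settings:
After the installation completed successfully, browsing the site on the server itself seemed fine:
But opening the DevOps site from another computer on the intranet shows the following warning:
"Your connection to this site is not valid"
I checked that the configuration is correct according to the Microsoft documentation: Configure HTTPS for Azure DevOps Server.
How can I fix this to get rid of the warning?
Thanks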

I have installed Bundle::LWP, and a few minutes later I got this
$ perl -MLWP -le "print(LWP->VERSION)"
6.68
Sounds good. However, running this script
#!/usr/bin/perl
# Example code from Chapter 1 of /Perl and LWP/ by Sean M. Burke
# http://www.oreilly.com/catalog/perllwp/
# [email protected]
require 5;
use strict;
use warnings;
use LWP;
my $browser = LWP::UserAgent->new();
my $response = $browser->get("http://www.oreilly.com/");
die "Couldn't access it: ", $response->status_line
unless $response->is_success;
print $response->header("Server"), "\n";
__END__
gives this error:
$ perl a3.pl
Couldn't access it: 501 Protocol scheme 'https' is not supported (LWP::Protocol::https not installed) at a3.pl line 25.
How do I fix this?

I am using pihole with Quad9 DoH as the upstream DNS server. The upstream DNS and pihole are configured through Docker, in a docker-compose.yml file.
The upstream DoH server uses the cloudflared service.
version: "3.5"
networks:
  network-pihole:
    name: "dns-pihole"
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 192.10.0.0/24 # Internal Docker network between pihole and wireguard, bridged
services:
  cloudflared:
    image: crazymax/cloudflared:latest
    container_name: cloudflared
    ports:
      - '5053:5053/udp'
      - '5053:5053/tcp'
    environment:
      - "TZ=Europe/Budapest"
      - "TUNNEL_DNS_UPSTREAM=https://9.9.9.9/dns-query,https://149.112.112.112/dns-query"
      # - "TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query"
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 192.10.0.2
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - "53:53/tcp"
      - "53:53/udp"
      - "80:80/tcp"
      - "443:443/tcp"
    environment:
      - "TZ=Europe/London"
      - "PIHOLE_DNS_=192.10.0.2#5053"
    dns:
      - 127.0.0.1
      - 9.9.9.9
    # Volumes store your data between container upgrades
    volumes:
      - "./etc-pihole/:/etc/pihole/"
      - "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
    cap_add:
      - NET_ADMIN
    restart: unless-stopped
    networks:
      network-pihole:
        ipv4_address: 192.10.0.3
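Within the cloudflared service, under environment:, I set the TUNNEL_DNS_UPSTREAM= setting to https://9.9.9.9/dns-query,https://149.112.112.112/dns-query, and under the pihole service I set dns: to 9.9.9.9.
Everything works fine, but when I browse to this and this Cloudflare checker, it says I am not using DNS over HTTPS / secure DNS:
However, if I use Cloudflare's DoH, setting TUNNEL_DNS_UPSTREAM= to TUNNEL_DNS_UPSTREAM=https://1.1.1.1/dns-query,https://1.0.0.1/dns-query and dns: under the pihole service to 1.1.1.1, and then run both Cloudflare tests again, it now shows: Using DNS over HTTPS (DoH) yes and a green tick for secure dns.
I am not sure why these tests do not work with Quad9 DoH. Is there another way to verify that I am using Quad9 DoH?
I am not even sure whether I can use Wireshark to look at the packets and see whether the DNS queries are encrypted? I am very new to Wireshark, so if that is a way to verify Quad9 DoH, I am not sure what I am looking for.

This is a strange problem that is (so far) specific to the plex.tv website. I see the same problem from various devices on my network. Ultimately, simply trying to visit https://plex.tv in my browser results in a security error related to the TLS certificate. After digging further, it appears that the server presents an incorrect TLS certificate for this site (with inconsistent results):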
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:ab:09:ea:f2:c6:3c:f2:d4:4f:60:63:b9:36:5b:40
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
Validity
Not Before: Oct 26 00:00:00 2021 GMT
Not After : Nov 24 23:59:59 2022 GMT
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:59:A4:66:06:52:A0:7B:95:92:3C:A3:94:07:27:96:74:5B:F9:3D:D0
X509v3 Subject Key Identifier:
13:8A:D5:41:DB:F8:09:44:45:58:09:2C:8A:60:AB:63:3A:5C:5E:41
X509v3 Subject Alternative Name:
DNS:*.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.sca1b.amazontrust.com/sca1b-1.crl
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Authority Information Access:
OCSP - URI:http://ocsp.sca1b.amazontrust.com
CA Issuers - URI:http://crt.sca1b.amazontrust.com/sca1b.crt
X509v3 Basic Constraints: critical
CA:FALSE
Running the same command again, I get slightly different results:
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:3c:cd:0c:d9:b4:37:2a:6a:b0:3d:c2:a6:5e:84:9b:27:70:2c
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = Illinois, L = Chicago, O = "Trustwave Holdings, Inc.", CN = "Trustwave Organization Validation SHA256 CA, Level 1", emailAddress = [email protected]
Validity
Not Before: Feb 22 12:08:05 2021 GMT
Not After : Mar 24 12:07:05 2022 GMT
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
54:23:E1:8A:6D:76:AA:55:60:A4:00:DC:2B:CC:C4:7E:DE:3A:91:8B
X509v3 Authority Key Identifier:
keyid:CA:CE:1D:18:03:77:1E:1C:F3:7C:58:B2:9A:70:A8:08:80:16:F4:AE
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
CPS: https://certs.securetrust.com/CA
X509v3 Subject Alternative Name:
DNS:*.bankersalmanac.com, DNS:bankersalmanac.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.securetrust.com/OVCA2_L1.crl
Authority Information Access:
OCSP - URI:http://ocsp.securetrust.com/
CA Issuers - URI:http://certs.securetrust.com/issuers/OVCA2_L1.crt
More concisely, this should hopefully better highlight the problem I am seeing:
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
$ openssl s_client -servername plex.tv -connect plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
Why are the bankersalmanac.com and convox.site TLS certificates being served when accessing the plex.tv domain? Also, if I use the www subdomain, I get the correct result:
$ openssl s_client -servername www.plex.tv -connect www.plex.tv:443 2>/dev/null </dev/null | openssl x509 -text| grep 'Subject:'
Subject: C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = plex.tv
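Something strange seems to be going on between my local ISP (Comcast) and the plex.tv servers (Cloudflare? AWS?). Does anyone know what is happening here? I would contact the Plex team directly, but I apparently cannot access their support forum to post this question.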
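The name check a TLS client applies to the certificates in the post above, as an added example that is not part of the original question: it extracts the subjectAltName DNS entries from `openssl x509 -text` output and tests them against the requested host. The function names and the simplified wildcard rule (a `*` only as the whole leftmost label) are assumptions of this sketch; the excerpts and the run order are copied from the output shown in the post.

```python
import re
from collections import Counter


def extract_san_dns(x509_text):
    """Return the DNS names listed under 'X509v3 Subject Alternative Name:'."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            return re.findall(r"DNS:([^,\s]+)", lines[i + 1])
    return []


def san_matches(hostname, pattern):
    """Simplified RFC 6125 match: '*' may only be the entire leftmost
    label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        if len(pat) < 3 or host[0] == "":
            return False
        return host[1:] == pat[1:]
    return host == pat


def cert_valid_for(hostname, san_dns_names):
    """True if any SAN entry covers the requested hostname."""
    return any(san_matches(hostname, name) for name in san_dns_names)


# Excerpts of the two certificate dumps in the post (SAN section only).
CONVOX_TEXT = """\
Subject: CN = *.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
X509v3 Subject Alternative Name:
DNS:*.prod-route-1bun4qeekg9pa-235394468.eu-west-1.convox.site
"""
BANKERS_TEXT = """\
Subject: CN = *.bankersalmanac.com, O = LNRS Data Services Ltd, L = Sutton, ST = Surrey, C = GB
X509v3 Subject Alternative Name:
DNS:*.bankersalmanac.com, DNS:bankersalmanac.com
"""
CERT_TEXTS = {"convox": CONVOX_TEXT, "bankersalmanac": BANKERS_TEXT}

# Which certificate each of the six repeated s_client runs returned, in order.
OBSERVED = ["bankersalmanac", "bankersalmanac", "convox",
            "bankersalmanac", "convox", "bankersalmanac"]


def summarize(hostname, observed, cert_texts):
    """Count how often each certificate was served and whether it covers hostname."""
    result = {}
    for label, seen in Counter(observed).items():
        sans = extract_san_dns(cert_texts[label])
        result[label] = {
            "seen": seen,
            "sans": sans,
            "valid_for_host": cert_valid_for(hostname, sans),
        }
    return result


if __name__ == "__main__":
    for label, info in summarize("plex.tv", OBSERVED, CERT_TEXTS).items():
        print(label, info)
```

Neither certificate lists a name that covers plex.tv, so a client rejects both on the name check alone, whichever of the two the connection happens to receive.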

Today, all of a sudden, all HTTPS requests that my Ubuntu 14 server sends to websites using SSL certificates issued by Let's Encrypt started failing. The error produced by cURL is:
curl: (60) SSL certificate problem: certificate has expired
When I check the website's certificate with this command:
echo -n | openssl s_client -showcerts -connect website.com:443 -servername website.com
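I see that all certificates in the chain are up to date.
So why am I getting the expired error? How do I fix it?

Note: this is not a duplicate of How to stop automatic redirection from "http://" to "https://" in Chrome
In Chrome 93 on Windows 7:
Is there any way to disable this extremely annoying behavior?
Note that there is no HSTS here - if I query "example.net" under chrome://net-internals/#hsts, it shows "Not found". This happens even in incognito mode without any extensions. It does not happen in Firefox.

As of yesterday, after updating my Debian 10+bpo system, whenever I try git clone, git fetch or any other network-dependent git operation, I get fatal: unable to access 'https://domain.example/repo.git': Failed sending HTTP2 data or fatal: unable to access 'https://domain.example/repo.git': Failed sending HTTP request, depending on whether the git server supports HTTP2. Interestingly, if I use the git:// or ssh scheme instead of https://, the command succeeds, probably because curl is not used. I tried disabling SSL verification with git config --global http.sslVerify false, but to no avail. I also tried reinstalling libcurl, libgnutls, libnettle and libhogweed, but that did not help either. Downgrading git from 1:2.29.2-1~bpo10+1 to 1:2.20.1-2+deb10u3 did not help either, and I am struggling to downgrade the libraries without breaking the system.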
Output of GIT_CURL_VERBOSE=1 GIT_TRACE2=1 git clone https://github.com/imageworks/pystring.git/ (for HTTP2):
14:48:42.804049 common-main.c:48 version 2.29.2
14:48:42.804073 common-main.c:49 start git clone https://github.com/imageworks/pystring.git/
14:48:42.804104 git.c:445 cmd_name clone (clone)
14:48:42.804316 repository.c:130 worktree /home/user/apps/blender-git/pystring
Cloning into 'pystring'...
14:48:42.807866 run-command.c:735 child_start[0] git remote-https origin https://github.com/imageworks/pystring.git/
14:48:42.809068 common-main.c:48 version 2.29.2
14:48:42.809107 common-main.c:49 start /usr/lib/git-core/git remote-https origin https://github.com/imageworks/pystring.git/
14:48:42.809171 git.c:723 cmd_name _run_dashed_ (clone/_run_dashed_)
14:48:42.809181 run-command.c:735 child_start[0] git-remote-https origin https://github.com/imageworks/pystring.git/
14:48:42.813549 common-main.c:48 version 2.29.2
14:48:42.813565 common-main.c:49 start /usr/lib/git-core/git-remote-https origin https://github.com/imageworks/pystring.git/
14:48:42.813642 repository.c:130 worktree /home/user/apps/blender-git
14:48:42.813660 remote-curl.c:1482 cmd_name remote-curl (clone/_run_dashed_/remote-curl)
14:48:42.813992 http.c:756 == Info: Couldn't find host github.com in the .netrc file; using defaults
14:48:42.817012 http.c:756 == Info: Trying 52.64.108.95:443...
14:48:42.848824 http.c:756 == Info: Connected to github.com (52.64.108.95) port 443 (#0)
14:48:42.872164 http.c:756 == Info: found 414 certificates in /etc/ssl/certs
14:48:42.872268 http.c:756 == Info: ALPN, offering h2
14:48:42.872274 http.c:756 == Info: ALPN, offering http/1.1
14:48:42.905343 http.c:756 == Info: SSL connection using TLS1.3 / ECDHE_RSA_AES_128_GCM_SHA256
14:48:42.905367 http.c:756 == Info: server certificate verification SKIPPED
14:48:42.905374 http.c:756 == Info: server certificate status verification SKIPPED
14:48:42.905614 http.c:756 == Info: common name: github.com (matched)
14:48:42.905624 http.c:756 == Info: server certificate expiration date OK
14:48:42.905649 http.c:756 == Info: server certificate activation date OK
14:48:42.905664 http.c:756 == Info: certificate public key: EC/ECDSA
14:48:42.905669 http.c:756 == Info: certificate version: #3
14:48:42.905715 http.c:756 == Info: subject: C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com
14:48:42.905743 http.c:756 == Info: start date: Thu, 25 Mar 2021 00:00:00 GMT
14:48:42.905749 http.c:756 == Info: expire date: Wed, 30 Mar 2022 23:59:59 GMT
14:48:42.905770 http.c:756 == Info: issuer: C=US,O=DigiCert\, Inc.,CN=DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1
14:48:42.905787 http.c:756 == Info: ALPN, server accepted to use h2
14:48:42.905827 http.c:756 == Info: Using HTTP2, server supports multi-use
14:48:42.905832 http.c:756 == Info: Connection state changed (HTTP/2 confirmed)
14:48:42.905838 http.c:756 == Info: Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
14:48:42.905848 http.c:756 == Info: Failed sending HTTP2 data
14:48:42.905857 http.c:756 == Info: Connection #0 to host github.com left intact
14:48:42.905923 usage.c:64 error unable to access 'https://github.com/imageworks/pystring.git/': Failed sending HTTP2 data
fatal: unable to access 'https://github.com/imageworks/pystring.git/': Failed sending HTTP2 data
14:48:42.905937 usage.c:68 exit elapsed:0.092565 code:128
14:48:42.905944 trace2/tr2_tgt_normal.c:123 atexit elapsed:0.092574 code:128
14:48:42.906771 run-command.c:990 child_exit[0] pid:83401 code:128 elapsed:0.097579
14:48:42.906805 git.c:745 exit elapsed:0.097976 code:128
14:48:42.906834 trace2/tr2_tgt_normal.c:123 atexit elapsed:0.098004 code:128
14:48:42.907086 transport-helper.c:581 exit elapsed:0.103296 code:128
14:48:42.907580 trace2/tr2_tgt_normal.c:123 atexit elapsed:0.103794 code:128
Output of GIT_CURL_VERBOSE=1 GIT_TRACE2=1 git clone https://git.blender.org/blender.git (for HTTP1):
14:52:36.744018 common-main.c:48 version 2.29.2
14:52:36.744038 common-main.c:49 start git clone https://git.blender.org/blender.git
14:52:36.744051 git.c:445 cmd_name clone (clone)
14:52:36.744198 repository.c:130 worktree /home/user/apps/blender
Cloning into 'blender'...
14:52:36.747829 run-command.c:735 child_start[0] git remote-https origin https://git.blender.org/blender.git
14:52:36.749130 common-main.c:48 version 2.29.2
14:52:36.749146 common-main.c:49 start /usr/lib/git-core/git remote-https origin https://git.blender.org/blender.git
14:52:36.749209 git.c:723 cmd_name _run_dashed_ (clone/_run_dashed_)
14:52:36.749221 run-command.c:735 child_start[0] git-remote-https origin https://git.blender.org/blender.git
14:52:36.753056 common-main.c:48 version 2.29.2
14:52:36.753068 common-main.c:49 start /usr/lib/git-core/git-remote-https origin https://git.blender.org/blender.git
14:52:36.753138 repository.c:130 worktree /home/user/apps
14:52:36.753164 remote-curl.c:1482 cmd_name remote-curl (clone/_run_dashed_/remote-curl)
14:52:36.753479 http.c:756 == Info: Couldn't find host git.blender.org in the .netrc file; using defaults
14:52:36.976470 http.c:756 == Info: Trying 82.94.226.105:443...
14:52:37.283163 http.c:756 == Info: Connected to git.blender.org (82.94.226.105) port 443 (#0)
14:52:37.316727 http.c:756 == Info: found 414 certificates in /etc/ssl/certs
14:52:37.316825 http.c:756 == Info: ALPN, offering h2
14:52:37.316835 http.c:756 == Info: ALPN, offering http/1.1
14:52:38.205929 http.c:756 == Info: SSL connection using TLS1.3 / ECDHE_RSA_AES_256_GCM_SHA384
14:52:38.205945 http.c:756 == Info: server certificate verification SKIPPED
14:52:38.205950 http.c:756 == Info: server certificate status verification SKIPPED
14:52:38.206028 http.c:756 == Info: common name: git.blender.org (matched)
14:52:38.206035 http.c:756 == Info: server certificate expiration date OK
14:52:38.206039 http.c:756 == Info: server certificate activation date OK
14:52:38.206048 http.c:756 == Info: certificate public key: RSA
14:52:38.206052 http.c:756 == Info: certificate version: #3
14:52:38.206061 http.c:756 == Info: subject: CN=git.blender.org
14:52:38.206068 http.c:756 == Info: start date: Sat, 10 Apr 2021 21:01:12 GMT
14:52:38.206073 http.c:756 == Info: expire date: Fri, 09 Jul 2021 21:01:12 GMT
14:52:38.206087 http.c:756 == Info: issuer: C=US,O=Let's Encrypt,CN=R3
14:52:38.206097 http.c:756 == Info: ALPN, server accepted to use http/1.1
14:52:38.206119 http.c:756 == Info: Failed sending HTTP request
14:52:38.206127 http.c:756 == Info: Connection #0 to host git.blender.org left intact
14:52:38.206200 usage.c:64 error unable to access 'https://git.blender.org/blender.git/': Failed sending HTTP request
fatal: unable to access 'https://git.blender.org/blender.git/': Failed sending HTTP request
14:52:38.206216 usage.c:68 exit elapsed:1.453319 code:128
14:52:38.206223 trace2/tr2_tgt_normal.c:123 atexit elapsed:1.453328 code:128
14:52:38.207093 run-command.c:990 child_exit[0] pid:85831 code:128 elapsed:1.457863
14:52:38.207131 git.c:745 exit elapsed:1.458262 code:128
14:52:38.207140 trace2/tr2_tgt_normal.c:123 atexit elapsed:1.458288 code:128
14:52:38.207310 transport-helper.c:581 exit elapsed:1.463514 code:128
14:52:38.207751 trace2/tr2_tgt_normal.c:123 atexit elapsed:1.463956 code:128
Output of GIT_TRACE2=1 git clone git://github.com/imageworks/pystring.git/:
13:30:27.152552 common-main.c:48 version 2.29.2
13:30:27.152566 common-main.c:49 start git clone git://github.com/imageworks/pystring.git/
13:30:27.152577 git.c:445 cmd_name clone (clone)
13:30:27.152720 repository.c:130 worktree /home/user/apps/pystring
Cloning into 'pystring'...
13:30:28.360314 run-command.c:735 child_start[0] git index-pack --stdin -v --fix-thin '--keep=fetch-pack 36506 on wsmb-3fd4' --check-self-contained-and-connected
remote: Enumerating objects: 130, done.
remote: Counting objects: 100% (7/7), done.
remote: Compressing objects: 100% (7/7), done.
13:30:28.361412 common-main.c:48 version 2.29.2
13:30:28.361444 common-main.c:49 start /usr/lib/git-core/git index-pack --stdin -v --fix-thin '--keep=fetch-pack 36506 on wsmb-3fd4' --check-self-contained-and-connected
13:30:28.361509 repository.c:130 worktree /home/user/apps
13:30:28.361581 git.c:445 cmd_name index-pack (clone/index-pack)
remote: Total 130 (delta 2), reused 3 (delta 0), pack-reused 123
Receiving objects: 100% (130/130), 65.18 KiB | 314.00 KiB/s, done.
Resolving deltas: 100% (64/64), done.
13:30:28.781387 git.c:700 exit elapsed:0.420193 code:0
13:30:28.781400 trace2/tr2_tgt_normal.c:123 atexit elapsed:0.420211 code:0
13:30:28.781752 run-command.c:990 child_exit[0] pid:36528 code:0 elapsed:0.421436
13:30:28.781939 run-command.c:735 child_start[1] git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
13:30:28.783078 common-main.c:48 version 2.29.2
13:30:28.783095 common-main.c:49 start /usr/lib/git-core/git rev-list --objects --stdin --not --all --quiet --alternate-refs '--progress=Checking connectivity'
13:30:28.783143 repository.c:130 worktree /home/user/apps
13:30:28.783205 git.c:445 cmd_name rev-list (clone/rev-list)
13:30:28.783479 git.c:700 exit elapsed:0.000614 code:0
13:30:28.783486 trace2/tr2_tgt_normal.c:123 atexit elapsed:0.000623 code:0
13:30:28.783702 run-command.c:990 child_exit[1] pid:36533 code:0 elapsed:0.001763
13:30:28.787864 git.c:700 exit elapsed:1.635530 code:0
13:30:28.787898 trace2/tr2_tgt_normal.c:123 atexit elapsed:1.635567 code:0
Output of ldd /usr/bin/git:
linux-vdso.so.1 (0x00007ffcc67ae000)
libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f320a759000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f320a53b000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f320a51a000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f320a510000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f320a34f000)
/lib64/ld-linux-x86-64.so.2 (0x00007f320ab93000)
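Clearing my gitconfig did not help either.
At this point I am at a loss, not sure whether I need to change something or just wait for the git/curl maintainers to fix this.

I get the error NET::ERR_CERT_AUTHORITY_INVALID in Chrome, even though I imported my company's root CA into Chrome's trust store (via Settings > Certificates > Authorities). I also imported the certificate in Firefox, and it works fine there. I even imported the certificate into the system's trust store, but I found that the browsers use their own. I am using Google Chrome v88.
On Windows, I do not have this problem in Chrome.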