主页 / unix / 问题 / 691247
Accepted
Appleoddity
Asked: 2022-02-19 09:50:29 +0800 CST

如何更新服务器上的 SSL 组件太旧而无法通过 SSL 实际下载包

  • 772

在这里似乎是第 22 个问题。将服务器更新到较新版本是不可能的。我只需要将 Apache 更新到特定的(旧版本)。

服务器是 CentOS 6.3。基本存储库已过时,我必须对其进行更新以使用保险库存储库。yum但是,它需要 HTTPS,并且每当我在更新存储库后尝试运行时,我都会得到:

https://vault.centos.org/centos/6/os/i386/repodata/repomd.xml:[Errno 14] 建立 ssl 连接的问题

显然,我需要更新 yum、openssl 等……但是,当我无法从 through 开始下载软件包时,我该怎么做yum?有没有办法避免手动构建这些包?

这是 CentOS-Base.repo:(注意:将这些更改为 http 似乎不起作用)

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#

[base]
name=CentOS-$releasever - Base
baseurl=https://vault.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#released updates
[updates]
name=CentOS-$releasever - Updates
baseurl=https://vault.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful
[extras]
name=CentOS-$releasever - Extras
baseurl=https://vault.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages
[centosplus]
name=CentOS-$releasever - Plus
baseurl=https://vault.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users
[contrib]
name=CentOS-$releasever - Contrib
baseurl=https://vault.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
yum ssl

3 个回答

  1. 我遇到了同样的问题,经过多次试验和错误后,Webserver 的 Docker 是解决方案。我建议不要尝试仅更新 Apache。有太多的依赖最终会让你绝望。

    (我知道这应该放在评论部分,但我很少有声誉来评论一个问题。)

    • 0
  2. Best Answer

    我设法yum通过手动安装所有更新的软件包来运行。

    首先,我从 CentOS 6.10 vault 下载了软件包——是的,我故意在我的 6.3 服务器上使用了 6.10:(注意,repo 是劣质的,我不得不多次重试这些命令)

    wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-3.2.29-81.el6.centos.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-plugin-fastestmirror-1.1.30-41.el6.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-utils-1.1.30-41.el6.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/yum-metadata-parser-1.1.2-16.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-devel-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-perl-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/openssl-static-1.0.1e-57.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/curl-7.19.7-53.el6_9.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/libcurl-7.19.7-53.el6_9.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/libcurl-devel-7.19.7-53.el6_9.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/python-urlgrabber-3.9.1-11.el6.noarch.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-3.36.0-8.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-util-3.36.0-1.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-tools-3.36.0-8.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-sysinit-3.36.0-8.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-softokn-3.14.3-23.3.el6_8.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nss-softokn-freebl-3.14.3-23.3.el6_8.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/nspr-4.19.0-1.el6.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/p11-kit-0.18.5-2.el6_5.2.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/p11-kit-trust-0.18.5-2.el6_5.2.i686.rpm
wget --no-check-certificate https://vault.centos.org/centos/6.10/os/i386/Packages/ca-certificates-2018.2.22-65.1.el6.noarch.rpm

    然后我安装了软件包:

    rpm -Uvh openssl*.rpm
rpm -Uvh ns*.rpm
rpm -Uvh *curl*.rpm
rpm -Uvh python-urlgrabber-3.9.1-11.el6.noarch.rpm
rpm -Uvh yum*.rpm
rpm -Uvh p11*.rpm
rpm -Uvh ca-certificates-2018.2.22-65.1.el6.noarch.rpm

    如果对已安装的软件包有任何警告,请添加--forcerpm命令中。

    最后,我跑了yum clean all,然后yum install httpd一切又正常了。已安装最新的 Apache 补丁级别。

    上面的某些软件包可能不需要。这取决于系统上已经安装的内容。例如,如果openssl-perl.i686未安装,请不要安装它,否则将需要安装 Perl 依赖项。

    • 0

  3. 生命周期结束意味着他们已经放弃尝试修复安全漏洞——让这台机器暴露在外会给您的服务和网络上的其他所有人带来风险。即使该网络是互联网。

    有时升级不是一个可行的选择——在这种情况下,您应该将此服务器包装在一个私有网络上,该网络由在当前平台上运行的代理提供。巧合的是,这也解决了服务器端 SSL 的问题,因为只有代理可以连接,而代理本身可以为客户端提供当前协议。

    代理客户端 SSL 连接有点复杂——您需要使用 SSL MITM(可以配置 Squid 来执行此操作)。

    • 0

相关问题