Debian

Adding a custom CA certificate works fine on Ubuntu 20.04 but fails on Debian

  • January 16, 2021

I went through the process of adding a new CA certificate on Ubuntu (20.04), but the same steps do not work on Debian (10). In both environments I downloaded the custom CA certificate (obtained through Firefox's about:certificate page for the untrusted site) as PEM, then converted it to CRT format with openssl, and then called update-ca-certificates.

Here are the steps in a Dockerfile:

FROM ubuntu:20.04
RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
COPY src/main/docker/nexus-custom-ca-chain.pem /root/
RUN openssl x509 -in /root/nexus-custom-ca-chain.pem -inform PEM -out /usr/local/share/ca-certificates/custom-root-ca.crt
RUN update-ca-certificates
RUN curl https://nexus-using-custom-cert.custom.org

Building this Dockerfile with

docker build . --no-cache

outputs:

Step 1/6 : FROM ubuntu:20.04
---> 9140108b62dc
Step 2/6 : RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
---> Running in 2fd506a9b619
[install stuff]
Processing triggers for ca-certificates (20190110ubuntu1.1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 2fd506a9b619
---> 57c01aa6180d
Step 3/6 : COPY src/main/docker/nexus-custom-ca-chain.pem /root/
---> e0aa6a44ced1
Step 4/6 : RUN openssl x509 -in /root/nexus-custom-ca-chain.pem -inform PEM -out /usr/local/share/ca-certificates/custom-root-ca.crt
---> Running in 70746b6e16fe
Removing intermediate container 70746b6e16fe
---> de9c98488bde
Step 5/6 : RUN update-ca-certificates
---> Running in 1137779ed67f
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 1137779ed67f
---> c834167a52a3
Step 6/6 : RUN curl https://nexus-using-custom-cert.custom.org
---> Running in a8dc2aa55993
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0<html>

<body> stuff
</body>
</html>
100   470  100   470    0     0   1492      0 --:--:-- --:--:-- --:--:--  1487
Removing intermediate container a8dc2aa55993
---> 809e4e5b6ac1
Successfully built 809e4e5b6ac1

However, if I switch to debian:10 instead (no other change to the Dockerfile):

FROM debian:10

and rebuild the Docker image:

Building this Dockerfile with

docker build . --no-cache

outputs:

Step 1/6 : FROM debian:10
---> f6dcff9b59af
Step 2/6 : RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
---> Running in 15d0c69448ed
[install stuff]
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for ca-certificates (20200601~deb10u1) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container 15d0c69448ed
---> 4bcfe8b5074b
Step 3/6 : COPY src/main/docker/nexus-custom-ca-chain.pem /root/
---> fa53734a536a
Step 4/6 : RUN openssl x509 -in /root/nexus-custom-ca-chain.pem -inform PEM -out /usr/local/share/ca-certificates/custom-root-ca.crt
---> Running in b86813e50a77
Removing intermediate container b86813e50a77
---> 0b0e6aa67d7d
Step 5/6 : RUN update-ca-certificates
---> Running in c18625c31424
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Removing intermediate container c18625c31424
---> 559636874009
Step 6/6 : RUN curl https://nexus-using-custom-cert.custom.org
---> Running in fcd2e16441fd
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
The command '/bin/sh -c curl https://nexus-using-custom-cert.custom.org' returned a non-zero code: 60

So what should I do to add a custom CA certificate on Debian 10? The Debian documentation for update-ca-certificates is very similar to Ubuntu's; what is going on?

Thanks in advance!

So, thanks to my colleague @BrettDG, I was able to get it working under Debian as well.

TL;DR: make sure you include every certificate of the chain of trust separately. Ubuntu can get by with just the intermediate; Debian will need the complete chain.

The site I am connecting to has the following chain of trust:

MyOrgRootCA
|-> MyOrgIntermediateCA
   |-> Website

While I thought my PEM file named nexus-custom-ca-chain.pem had the complete chain, a series of:

openssl x509 -in /usr/local/share/ca-certificates/nexus-custom-ca-chain.pem -noout -text

eventually showed that I only had the site certificate and the intermediate certificate in this chain, so the root certificate was missing.

Also, I am not sure that having multiple certificates in one file is a good idea; try splitting them into their own separate files.

Here is the Dockerfile that works on both Debian and Ubuntu:

# FROM ubuntu:20.04
FROM debian:10
RUN apt update &&  DEBIAN_FRONTEND=noninteractive apt install -y curl openssl ca-certificates
# One file per certificate of the chain: root and intermediate.
# update-ca-certificates only picks up files ending in .crt under
# /usr/local/share/ca-certificates, so the extension must be .crt.
COPY root.pem /usr/local/share/ca-certificates/root.crt
COPY intermediate.pem /usr/local/share/ca-certificates/intermediate.crt
RUN chmod 644 /usr/local/share/ca-certificates/root.crt /usr/local/share/ca-certificates/intermediate.crt
RUN update-ca-certificates
RUN curl https://nexus-using-custom-cert.custom.org

Lesson learned: verify the chain of trust and provide every single certificate of the chain.

On each certificate of the chain, run openssl x509 -noout -text and look for:

MyOrgRootCA
Issuer:  C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA
Subject: C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA
MyOrgIntermediateCA
Issuer:  C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA
Subject: C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Intermediate ROOT CA

From there, if when we curl -v our site we see:

issuer: C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Intermediate ROOT CA

we know that by providing the intermediate and the root certificates we are golden.

Useful command lines

View your certificate in detail:

openssl x509 -in mycert.crt -noout -text

Convert from binary (DER) format to x509 PEM (as update-ca-certificates requires):

openssl x509 -in mycert.crt -inform der -outform PEM -out mycert.crt

Convert from text (PEM) format to binary (as Java keytool wants):

openssl x509 -in mycert.pem -outform der -out mycert.der
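The lesson of the answer above, as an added example (not code from the original post, nor from Debian's ca-certificates package): a Python script that splits a downloaded PEM bundle into one .crt file per certificate, ready for /usr/local/share/ca-certificates, and then walks the chain to check that every certificate's issuer is present in the bundle, up to a self-signed root. The root and intermediate distinguished names are the ones printed above; the sample bundle, the leaf DN, and all function names are constructed for this example, and describe_cert() assumes openssl is on PATH.

```python
"""Split a PEM bundle into per-certificate .crt files and check that the chain
reaches a self-signed root.

Added example, not code from the original post. `openssl` on PATH is assumed
only by describe_cert(); splitting and chain checking are pure Python."""
from __future__ import annotations

import re
import subprocess
import tempfile
from pathlib import Path

# One PEM certificate block; the lazy `.*?` makes a bundle yield every block.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle: str) -> list[str]:
    """Return each certificate block of the bundle, in file order."""
    return [m.group(0) + "\n" for m in CERT_BLOCK.finditer(bundle)]


def write_local_certs(bundle: str, dest_dir: str | Path, prefix: str = "custom-ca") -> list[Path]:
    """Write one file per certificate into dest_dir (/usr/local/share/ca-certificates
    on Debian/Ubuntu). update-ca-certificates only picks up names ending in .crt."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    for n, pem in enumerate(split_pem_bundle(bundle), start=1):
        path = dest / f"{prefix}-{n}.crt"
        path.write_text(pem)
        path.chmod(0o644)  # world-readable, as the answer's chmod 644 does
        written.append(path)
    return written


def describe_cert(pem: str) -> tuple[str, str]:
    """(subject, issuer) of one PEM cert via `openssl x509 -noout -subject -issuer`.
    Needs openssl installed; not exercised by the offline demo below."""
    res = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem, capture_output=True, text=True, check=True)
    fields = dict(line.split("=", 1) for line in res.stdout.splitlines() if "=" in line)
    return fields["subject"].strip(), fields["issuer"].strip()


def check_chain(names: list[tuple[str, str]]) -> list[str]:
    """Given (subject, issuer) pairs in any order, walk from each leaf up through
    its issuers until a self-signed certificate is reached. Returns the problems
    found; an empty list means every path ends at a root present in the bundle."""
    by_subject = {subject: issuer for subject, issuer in names}
    issued = {issuer for subject, issuer in names if subject != issuer}
    leaves = [subject for subject, _ in names if subject not in issued]
    problems = []
    for leaf in leaves:
        subject, seen = leaf, set()
        while subject not in seen:  # `seen` guards against cross-signing loops
            seen.add(subject)
            issuer = by_subject[subject]
            if issuer == subject:
                break  # self-signed root reached: this path is complete
            if issuer not in by_subject:
                problems.append(f"{subject!r} is issued by {issuer!r}, which is not in the bundle")
                break
            subject = issuer
    return problems


def chain_problems_from_bundle(bundle: str) -> list[str]:
    """End to end: split the bundle, read names with openssl, check the chain."""
    return check_chain([describe_cert(pem) for pem in split_pem_bundle(bundle)])


# Constructed sample bundle: placeholder blocks, NOT real certificates; they only
# demonstrate splitting (describe_cert() would reject them).
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
AAAAsiteCertPlaceholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AAAAintermediatePlaceholder
-----END CERTIFICATE-----
"""

# DNs as printed in the answer; the leaf DN is constructed.
ROOT = "C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Org ROOT CA"
INTERMEDIATE = "C = CA, ST = Quebec, L = Montreal, O = Org, OU = tools, CN = Intermediate ROOT CA"
SITE = "CN = nexus-using-custom-cert.custom.org"


def demo() -> dict:
    """Offline run: split the sample bundle into .crt files in a temp directory and
    compare the incomplete chain from the question with the complete one."""
    with tempfile.TemporaryDirectory() as tmp:
        files = [p.name for p in write_local_certs(SAMPLE_BUNDLE, tmp)]
    incomplete = check_chain([(SITE, INTERMEDIATE), (INTERMEDIATE, ROOT)])
    complete = check_chain([(SITE, INTERMEDIATE), (INTERMEDIATE, ROOT), (ROOT, ROOT)])
    return {"files": files, "incomplete": incomplete, "complete": complete}


if __name__ == "__main__":
    print(demo())
```

For a real bundle, chain_problems_from_bundle(open("nexus-custom-ca-chain.pem").read()) reports exactly the gap the answer found (the intermediate's issuer, Org ROOT CA, absent from the file), and write_local_certs(bundle, "/usr/local/share/ca-certificates") followed by update-ca-certificates installs each certificate separately with the .crt extension that tool requires.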

Quoted from: https://unix.stackexchange.com/questions/612594