
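I am running Docker for Windows (Linux containers) on a Windows 10 Enterprise machine. I am using a Debian-based Docker image, and my Windows desktop is running ZScaler.

I was given two certificate files (one root and one intermediate), which I installed by placing them in the /usr/local/share/ca-certificates directory and running "update-ca-certificates", which appeared to install the certificates.

When I try to run composer diag, I get the following output: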

composer diag
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: OK
Checking https connectivity to packagist: [Composer\Downloader\TransportException] The "https://repo.packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking github.com rate limit: FAIL
[Composer\Downloader\TransportException] The "https://api.github.com/rate_limit" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: <Omitted
Dev Public Key Fingerprint: <Omitted
OK
Checking composer version:

  [Composer\Downloader\TransportException]
  The "https://getcomposer.org/versions" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
  error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
  Failed to enable crypto
  failed to open stream: operation failed


diagnose

Can someone help me figure out how to get this working?

1 Answer

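In my case, the root certificate was not installed correctly... The enterprise-provided certificates were named .crt for the intermediate certificate and .cer for the root certificate. update-ca-certificates did not pick up the certificate named .cer. Renaming the root certificate and re-running update-ca-certificates installed the root certificate and fixed the problem.

Running the following command helped resolve the problem: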

CONNECTED(00000003)
depth=2 DC = com, DC = my-enterprise, DC = ent, CN = ca-intermediate
verify error:num=2:unable to get issuer certificate
issuer= DC = pvt, DC = my-enterprise, CN = ca-rootauth
verify return:1
depth=1 C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com
issuer= DC = com, DC = my-enterprise, DC = ent, CN = ca-intermediate
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
issuer= C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = San Francisco, O = "GitHub, Inc.", CN = *.github.com
   i:C = US, ST = US, L = US, O = "my-enterprise ", OU = CTE, CN = my-enterprise.com

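This showed that the root certificate was not recognized as a valid CA, and led me to list the certificates that openssl recognizes. I found the answer here: https://unix.stackexchange.com/questions/97244/list-all-available-ssl-ca-certificates

Once I listed them and verified that ca-rootauth was not in the trusted CA list, it was just a matter of figuring out why the two (root and intermediate) behaved differently...

Answered 2020-04-29T18:06:35.647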
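
The check described in the answer above, as an added example that is not part of the original post: it finds CA files that update-ca-certificates will ignore because their names do not end in .crt, and writes a PEM .crt copy beside each one. The function names are hypothetical, and a file without a PEM header is assumed to be DER-encoded.

```shell
#!/bin/sh
# Added example (not from the original answer).
# update-ca-certificates only imports PEM-encoded files named *.crt.

# Print PEM if the file has a PEM certificate header, else DER (assumed).
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    else
        echo DER
    fi
}

# List certificate-like files under directory $1 that will be ignored
# because of their extension.
skipped_certs() {
    find "$1" -type f \( -iname '*.cer' -o -iname '*.pem' -o -iname '*.der' \) | sort
}

# Create a .crt next to each skipped file: PEM is copied, DER is converted
# with openssl. Prints the path of every file created.
stage_skipped_certs() {
    skipped_certs "$1" | while IFS= read -r src; do
        dst="${src%.*}.crt"
        if [ -e "$dst" ]; then
            echo "skip (exists): $dst" >&2
            continue
        fi
        if [ "$(cert_encoding "$src")" = PEM ]; then
            cp -- "$src" "$dst"
        else
            openssl x509 -inform DER -in "$src" -outform PEM -out "$dst" || continue
        fi
        echo "$dst"
    done
}

# Usage inside the container (directory taken from the question):
#   stage_skipped_certs /usr/local/share/ca-certificates && update-ca-certificates
```
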