5

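Solution

I used Bruno's post to find the solution, but felt it needed to be more specific, so here is what I did.

  1. Downloaded cacert.pem into my ~/.ssh directory (I don't know if this is where it should go, but I saw someone do something similar while trying to find a solution, so that's where I put it).
  2. Set the environment variable CURL_CA_BUNDLE for the install. This is effectively solution number 4 on the website the failure message suggests. I just misunderstood what they were saying (a simple example might have saved me hours of confusion). Anyway, you need to specify the full path to the .pem file, and then you can install like this, and then it's installed!

     $ CURL_CA_BUNDLE=~/.ssh/cacert.pem ruby -e "$(curl -fsSL https://raw.github.com/gist/323731)"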

Original Question

How do I

  1. install homebrew, or
  2. install curl with SSL so that I can install homebrew?

I am on Mac OSX Leopard.

I am trying to install homebrew, but I get the following error:

$ ruby -e "$(curl -fsSL https://raw.github.com/gist/323731)"
==> This script will install:
/usr/local/bin/brew
/usr/local/Library/Formula/...
/usr/local/Library/Homebrew/...
==> The following directories will be made group writable:
/usr/local/bin
/usr/local/lib
/usr/local/lib/pkgconfig
/usr/local/share/man/man1
/usr/local/share/man/man3

Press enter to continue
==> /usr/bin/sudo /bin/chmod g+w /usr/local/bin /usr/local/lib /usr/local/lib/pkgconfig /usr/local/share/man/man1 /usr/local/share/man/man3
==> Downloading and Installing Homebrew...
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). The default
 bundle is named curl-ca-bundle.crt; you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

gzip: stdin: unexpected end of file
/usr/bin/tar: Child returned status 1
/usr/bin/tar: Error exit delayed from previous errors
Failed during: /bin/bash -o pipefail -c '/usr/bin/curl -sSfL https://github.com/mxcl/homebrew/tarball/master | /usr/bin/tar xz -m --strip 1'

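I tried installing curl with macports and specifying +ssl, but that didn't work (sorry, I don't remember what the error was; it took about an hour to get to that point, so I don't want to do it again). I uninstalled curl from macports, then ran $ whereis curl and it found nothing.

So I went to the site suggested in the error message above. Most of the options didn't seem to apply, but option 5 made some sense:

Get a better/different/newer CA cert bundle! One option is to extract the one a recent Firefox browser uses by running "make ca-bundle" in the curl build tree root

So I got the curl source code and ran $ ./buildconf, $ ./configure, $ make, $ make ca-bundle, and finally $ sudo make install. I checked $ whereis curl, and it said "/usr/bin/curl".

But when I ran the homebrew install command again (in a new terminal window), I got the same error shown above.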

4

4 Answers

6

You don't need to recompile cURL, it already has SSL/TLS support, otherwise, it wouldn't display error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

What you need is a bundle of CA certificates such that the server certificate of the server you're trying to talk to is issued by one of those CAs.

The cURL page you link from links to http://curl.haxx.se/docs/caextract.html

You should be able to download the combined PEM bundle and use it. You could force it using curl -fsSL --cacert /path/to/bundle.pem https://... in the command above, or use export CURL_CA_BUNDLE=/path/to/bundle.pem before running the command.

Normally, you'd need a way to trust what's inside this bundle, but there's always an element of "leap of faith" when it comes to importing commercial CAs (in the same way as they would be bundled for you with most browsers).

answered 2011-07-03T22:14:07.307
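Added example (not part of the answer above, and not curl or Homebrew code): the check behind curl's error 60, reproduced offline, with openssl verify standing in for curl's use of the bundle named by --cacert or CURL_CA_BUNDLE. The CA names, server.test and all file names are constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: a certificate verifies only when the bundle holds its issuing CA.

# Create a throwaway self-signed CA named $2; writes $1.key and $1.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a leaf certificate for CN=$3 signed by CA files $1.key/$1.pem; writes $2.pem
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Print "ok" if certificate $2 chains to a CA in bundle $1, else "verify failed"
check_with_bundle() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo "verify failed"
  fi
}

# Runs in a subshell so the working directory change stays local
run_demo() (
  d=$(mktemp -d) && cd "$d" || exit 1
  make_ca ca_a "Demo Root A" && make_ca ca_b "Demo Root B" &&
    issue_leaf ca_a server "server.test" || exit 1
  # Old bundle: lacks the CA that issued the server certificate
  echo "bundle without the issuing CA: $(check_with_bundle ca_b.pem server.pem)"
  # Updated bundle: concatenated PEM files, the same layout as cacert.pem
  cat ca_a.pem ca_b.pem > bundle.pem
  echo "bundle with the issuing CA:    $(check_with_bundle bundle.pem server.pem)"
  cd / && rm -rf "$d"
)

run_demo
```

Verification stays on in both runs; only the set of trusted CAs changes, which is what pointing curl at a newer cacert.pem does.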
0

the original directions work fine for me in OS X 10.9!
first download and install XQuartz

not sure why I need to place anything into ~/.ssh, but okay

System Preferences
Sharing
"Check" Remote Login
"Click" + to add your user name
then in xquartz type
ssh localhost answer yes to all type exit

download the pem file
save to Downloads
in xquartz type

cd

cp Downloads/cacert.pem .ssh/cacert.pem

the pem file didn't complain that I needed to export the following worked fine

CURL_CA_BUNDLE=~/.ssh/cacert.pem

ruby -e "$(curl -fsSL https://raw.github.com/mxcl/homebrew/go)"

you'll be prompted to install if you have not installed Command line Utilities
click ok and follow prompts
there will be one prompt for YOUR Password type carefully and hit enter

brew doctor
brew update
brew doctor
brew search ssl
brew install openssl

"I as a front end UXD type person; happily surprised for no need to DL 2.09 GB xcode.app"

answered 2013-11-16T19:10:08.130
0

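For some reason, the original poster's solution didn't work for me. Even with a new CA bundle, I still got an SSL error during installation:

Failed during: /bin/bash -o pipefail -c '/usr/bin/curl -sSfL https://github.com/mxcl/homebrew/tarball/master | /usr/bin/tar xz -m --strip 1'

So instead of executing the install script directly, I downloaded it first, then added the -k switch (or --insecure) to its curl command (found on line 126 in today's version), and then ran that patched install script.

First, update the curl bundle anyway, using this method, but with curl if you don't have wget: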

cd /usr/share/curl/
sudo curl http://curl.haxx.se/ca/cacert.pem -o cacert.pem
sudo mv curl-ca-bundle.crt old.curl-ca-bundle.crt
sudo mv cacert.pem curl-ca-bundle.crt

Then go to https://github.com/mxcl/homebrew/wiki/installation and copy the installer script link.

Fetch the installer script: (replace the URL with the current installer script URL)

curl -fsSL https://raw.github.com/gist/323731 -o homebrew-install.rb

Edit homebrew-install.rb: search for "curl" and add the -k switch

Finally, run your patched script:

ruby homebrew-install.rb
answered 2011-08-20T13:23:51.810
0

ruby -e "$(curl -k -fsSL https://raw.github.com/Homebrew/homebrew/go/install )" worked because -k allows insecure SSL connections

answered 2014-01-18T19:12:17.317