Bullseye11 5.10.0-8-amd64

Following Docker's official installation method, I have verified that these packages are installed:

apt-transport-https \
ca-certificates \
curl \
gnupg \
lsb-release

and added the GPG key:

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

$ cat /etc/apt/sources.list.d/docker.list

deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian   bullseye stable

apt update

> https://download.docker.com/linux/debian/dists/bullseye/InRelease: No system certificates available. Try installing ca-certificates.
> W: Failed to fetch https://download.docker.com/linux/debian/dists/bullseye/InRelease Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification.

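I double-checked that ca-certificates is actually installed. I purged ca-certificates and reinstalled it. I also forced ca-certificates to refresh its certificates. I have tried changing stable to nightly for testing. Same error.

Note: Docker was working fine before, but this is a dist-upgrade from 10, not a fresh Bullseye install. I was lazy and did not wipe the install and start over from a fresh Bullseye, but at this point I am a bit curious about what went wrong here.

I found a similar bug for the Jessie to Stretch upgrade: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=834724

Docker gnutls_handshake() failed on Debian Stretch

Re: I worked through the link above and removed libgnutls28-dev, but removing and reinstalling libgnutls30 itself seems like a bad idea. If I need to go that far, I might as well nuke the box.

Does anyone have any other ideas about what I might check or try to get past this ca-certs problem?

Edit: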

openssl s_client -crlf -host download.docker.com ?140092635043136:error:2008F002:BIOroutines:BIO_lookup_ex:system lib:../crypto/bio/b_addr.c:730:Name or service not known connect:errno=22

DNS? It's always DNS... well, no. I am using the AWS internal DNS, and tried Cloudflare and Google. Same error on all three. I can ping download.docker.com.

Edit 2: curl -v https://download.docker.com/linux/debian

*   Trying 54.192.73.98:443...
* Connected to download.docker.com (54.192.73.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.docker.com
*  start date: Feb  1 00:00:00 2021 GMT
*  expire date: Mar  2 23:59:59 2022 GMT
*  subjectAltName: host "download.docker.com" matched cert's "*.docker.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56081edb5770)
> GET /linux/debian HTTP/2
> Host: download.docker.com
> user-agent: curl/7.74.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 302 
< content-type: text/html; charset=utf-8
< content-length: 313
< x-amz-error-code: Found
< x-amz-error-message: Resource Found
< location: /linux/debian/
< date: Mon, 16 Aug 2021 16:49:17 GMT
< server: AmazonS3
< x-cache: Miss from cloudfront
< via: 1.1 51ff0f115ee456a7012153e8567523be.cloudfront.net (CloudFront)
< x-amz-cf-pop: HIO50-C2
< x-amz-cf-id: nMVbmpNRXYZXejJzSrBcd4MDzbdGlP3P4TMkCLhi--EJur5wTcdgGw==
< 
<html>
<head><title>302 Moved Temporarily</title></head>
<body>
<h1>302 Moved Temporarily</h1>
<ul>
<li>Code: Found</li>
<li>Message: Resource Found</li>
<li>RequestId: 9F05J2YJ1W52G9T2</li>
<li>HostId: Ed8JW5Ov0l1Nor+A1iVN8XikOEyJTJV5GZGHisONBmj1K2YTSGb1Np6UQUGwYXlkPp7JBJnXmzk=</li>
</ul>
<hr/>
</body>
</html>
* Connection #0 to host download.docker.com left intact
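In the post, curl verifies the chain against /etc/ssl/certs/ca-certificates.crt while apt reports "No system certificates available". As an added example (not part of the original post), this script checks one thing that can differ between the two: whether that bundle is non-empty and reachable by an unprivileged account. The function names are hypothetical, and it assumes apt performs the fetch as the unprivileged `_apt` user.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumption: apt's https
# method reads the same bundle curl reported, but as the unprivileged
# _apt user, so the file and every parent directory must be open to "other".
BUNDLE=${BUNDLE:-/etc/ssl/certs/ca-certificates.crt}

# Print how many PEM certificates the bundle holds (0 if unreadable or empty).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 if "other" can read the file and traverse all parent directories;
# otherwise print the first path that blocks access and return 1.
world_readable() {
    target=$(readlink -f "$1") || { echo "$1"; return 1; }
    [ -e "$target" ] || { echo "$target"; return 1; }
    case $(stat -c %A "$target") in
        ???????r*) ;;
        *) echo "$target"; return 1 ;;
    esac
    dir=$(dirname "$target")
    while :; do
        case $(stat -c %A "$dir") in
            ?????????[xt]*) ;;
            *) echo "$dir"; return 1 ;;
        esac
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 0
}

# Report on one bundle; non-zero status means apt is unlikely to load it.
diagnose() {
    n=$(count_pem_certs "$1")
    if blocker=$(world_readable "$1"); then
        echo "$1: $n certificates, readable by unprivileged users"
        [ "$n" -gt 0 ]
    else
        echo "$1: $n certificates, access blocked at $blocker"
        return 1
    fi
}

diagnose "$BUNDLE" || echo "trust store needs attention before apt can verify TLS"
```

Set `BUNDLE` to another path to check a different trust file; the symlink target is resolved before the permission walk.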