
#1 2015-02-25 14:09:34

paleneutron
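Member
Registered: 2014-11-18
Posts: 10

goagent from the official repository throws all kinds of errors

I posted the details on the mailing list:
https://groups.google.com/forum/#!topic … DmT5F4sKs0

The odd thing is that pulling it manually from git and running it the [not recommended] way actually works.

PS: The wiki section on setting up a semi-global proxy doesn't seem to cover SSL? It seems that merely copying it to /etc/ca-certificates/trust-source/anchors/ and registering it still results in curl reporting SSL-related errors.

Offline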

#2 2015-02-25 14:14:54

依云
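Member
Location: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,919
Website

Re: goagent from the official repository throws all kinds of errors

Are you perhaps not starting goagent with systemctl? Check the permissions of the goagent process and of /usr/share/goagent/local/certs.

Offline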

#3 2015-02-25 16:27:14

paleneutron
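Member
Registered: 2014-11-18
Posts: 10

Re: goagent from the official repository throws all kinds of errors

百合仙子 wrote:

Are you perhaps not starting goagent with systemctl? Check the permissions of the goagent process and of /usr/share/goagent/local/certs.

It is started with systemctl; the permissions of the process and the folder are both nobody.
I think the problem is mainly in these two lines: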

Feb 25 16:18:42 localhost goagent[2036]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Feb 25 16:18:42 localhost goagent[2036]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Offline

#4 2015-02-25 17:33:38

依云
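Member
Location: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,919
Website

Re: goagent from the official repository throws all kinds of errors

paleneutron wrote:
百合仙子 wrote:

Are you perhaps not starting goagent with systemctl? Check the permissions of the goagent process and of /usr/share/goagent/local/certs.

It is started with systemctl; the permissions of the process and the folder are both nobody.
I think the problem is mainly in these two lines: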

Feb 25 16:18:42 localhost goagent[2036]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Feb 25 16:18:42 localhost goagent[2036]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Those two lines are normal.

Feb 24 22:28:05 localhost goagent[742]: IOError: [Errno 13] Permission denied: 'certs/.archlinux.org.crt'

This line is the real problem.

Permissions are not the same thing as the owner. What does ls -ld /usr/share/goagent/local/certs show?

Offline

#5 2015-02-25 17:51:19

paleneutron
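Member
Registered: 2014-11-18
Posts: 10

Re: goagent from the official repository throws all kinds of errors

百合仙子 wrote:
paleneutron wrote:
百合仙子 wrote:

Are you perhaps not starting goagent with systemctl? Check the permissions of the goagent process and of /usr/share/goagent/local/certs.

It is started with systemctl; the permissions of the process and the folder are both nobody.
I think the problem is mainly in these two lines: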

Feb 25 16:18:42 localhost goagent[2036]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Feb 25 16:18:42 localhost goagent[2036]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

Those two lines are normal.

Feb 24 22:28:05 localhost goagent[742]: IOError: [Errno 13] Permission denied: 'certs/.archlinux.org.crt'

This line is the real problem.

Permissions are not the same thing as the owner. What does ls -ld /usr/share/goagent/local/certs show?

➜  ~  ls -ld /usr/share/goagent/local/certs  
drwxr-xr-x 2 nobody nobody 4096 Feb 25 16:43 /usr/share/goagent/local/certs

I am now simply starting it as root, and the log looks like this:

Feb 25 17:48:23 localhost goagent[4659]: ------------------------------------------------------
Feb 25 17:48:23 localhost goagent[4659]: GoAgent Version    : 3.2.3 (python/2.7.9 gevent/1.0 pyopenssl/0.14)
Feb 25 17:48:23 localhost goagent[4659]: Listen Address     : 127.0.0.1:8087
Feb 25 17:48:23 localhost goagent[4659]: GAE Mode           : https
Feb 25 17:48:23 localhost goagent[4659]: GAE APPID          : junhongbillgae|junhongbillgfw1|junhongbillgfw2|junhongbillgfw3|junhongbillgfw4|junhongbillgfw5|junhongbillgfw6|junhongbillgfw7|junhongbillgfw8
Feb 25 17:48:23 localhost goagent[4659]: Pac Server         : http://192.168.0.105:8086/proxy.pac
Feb 25 17:48:23 localhost goagent[4659]: Pac File           : file:///usr/share/goagent/local/proxy.pac
Feb 25 17:48:23 localhost goagent[4659]: ------------------------------------------------------
Feb 25 17:48:24 localhost goagent[4659]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Feb 25 17:48:24 localhost goagent[4659]: certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Feb 25 17:48:24 localhost goagent[4659]: WARNING - [Feb 25 17:48:24] install root certificate failed, Please run as administrator/root/sudo

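CA.crt does get generated, but importing it into Chrome says it cannot be parsed.
The size of CA.crt is almost the same as the one generated by the GitHub version.

Offline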

#6 2015-02-25 18:06:30

依云
Member
Location: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,919
Website

Re: goagent from the official repository throws all kinds of errors

paleneutron wrote:
➜  ~  ls -ld /usr/share/goagent/local/certs  
drwxr-xr-x 2 nobody nobody 4096 Feb 25 16:43 /usr/share/goagent/local/certs

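I am now simply starting it as root, and the log looks like this:

Don't go about this haphazardly. Running as one user one moment and another user the next will leave the permissions in a mess. What does ls -l /usr/share/goagent/local/certs/.archlinux.org.crt show?

Also, how exactly do you want to run it now?

Offline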

#7 2015-02-25 18:54:55

paleneutron
Member
Registered: 2014-11-18
Posts: 10

Re: goagent from the official repository throws all kinds of errors

百合仙子 wrote:
paleneutron wrote:
➜  ~  ls -ld /usr/share/goagent/local/certs  
drwxr-xr-x 2 nobody nobody 4096 Feb 25 16:43 /usr/share/goagent/local/certs

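I am now simply starting it as root, and the log looks like this:

Don't go about this haphazardly. Running as one user one moment and another user the next will leave the permissions in a mess. What does ls -l /usr/share/goagent/local/certs/.archlinux.org.crt show?

Also, how exactly do you want to run it now?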

➜  ~  ls -l /usr/share/goagent/local/certs/
总用量 0

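/usr/share/goagent/local/certs/.archlinux.org.crt never existed in the first place...
Uh... of course I want to run it with sudo as the current user, but neither running it with the sudo command nor running it directly and entering the password in the pop-up window generates CA.crt.
That is why I switched to trying root.

Offline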

#8 2015-02-25 20:45:05

依云
Member
Location: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,919
Website

Re: goagent from the official repository throws all kinds of errors

paleneutron wrote:
➜  ~  ls -l /usr/share/goagent/local/certs/
总用量 0

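/usr/share/goagent/local/certs/.archlinux.org.crt never existed in the first place...
Uh... of course I want to run it with sudo as the current user, but neither running it with the sudo command nor running it directly and entering the password in the pop-up window generates CA.crt.
That is why I switched to trying root.

ls -l does not show files whose names start with a dot.

Running with root privileges is not safe. sudo without -u means root privileges.

Offline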
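
The checks asked for in posts #4, #6 and #8 (mode bits rather than ownership, and dotfiles that `ls -l` hides), as an added example that is not part of any post and is not goagent code: it decides from `stat` data whether a given uid could open a certificate file for writing. The function names, the sample file name and the stand-in uid are assumptions made for illustration.

```python
import os
import stat
import tempfile

def allowed(st, uid, gids, want):
    """Classic Unix mode-bit check ('r', 'w', 'x'); ACLs and capabilities are ignored."""
    if uid == 0:
        return True                      # root bypasses mode bits
    # Exactly one class applies (owner, then group, then other): ownership != permission.
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    need = sum({"r": 4, "w": 2, "x": 1}[c] for c in want)
    return (st.st_mode >> shift) & need == need

def hidden_entries(directory):
    """Dotfiles, which plain `ls -l` omits and `ls -la` shows."""
    return sorted(n for n in os.listdir(directory) if n.startswith("."))

def diagnose(directory, filename, uid, gids):
    """Return 'ok' or the reason open(directory/filename, 'wb') fails for uid."""
    dst = os.stat(directory)
    if not allowed(dst, uid, gids, "x"):
        return "directory: no search (x) permission"
    path = os.path.join(directory, filename)
    if os.path.exists(path):
        fst = os.stat(path)
        if not allowed(fst, uid, gids, "w"):
            return "existing file: owner uid %d, mode %03o, not writable" % (
                fst.st_uid, stat.S_IMODE(fst.st_mode))
        return "ok"
    if not allowed(dst, uid, gids, "w"):
        return "directory: mode %03o does not let this uid create files" % (
            stat.S_IMODE(dst.st_mode))
    return "ok"

def demo():
    """Constructed sample: a 0755 directory holding a 0644 dotfile left by another user."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    path = os.path.join(d, ".example.org.crt")   # constructed name, not from the thread
    open(path, "wb").close()
    os.chmod(path, 0o644)
    other = os.getuid() + 1                       # stands in for the service account
    return hidden_entries(d), diagnose(d, ".example.org.crt", other, [])

if __name__ == "__main__":
    print(demo())
```

Against a real installation, `diagnose` would be called with the certs directory from the thread and the uid and group ids of the account the service runs as.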

#9 2015-02-25 22:25:39

paleneutron
Member
Registered: 2014-11-18
Posts: 10

Re: goagent from the official repository throws all kinds of errors

百合仙子 wrote:
paleneutron wrote:
➜  ~  ls -l /usr/share/goagent/local/certs/
总用量 0

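/usr/share/goagent/local/certs/.archlinux.org.crt never existed in the first place...
Uh... of course I want to run it with sudo as the current user, but neither running it with the sudo command nor running it directly and entering the password in the pop-up window generates CA.crt.
That is why I switched to trying root.

ls -l does not show files whose names start with a dot.

Running with root privileges is not safe. sudo without -u means root privileges.

The problem is that goagent's default install location is under /usr/share/; without root privileges nothing can be changed... and the certificate cannot be generated either.

Offline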

#10 2015-02-25 22:55:36

依云
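Member
Location: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,919
Website

Re: goagent from the official repository throws all kinds of errors

paleneutron wrote:

The problem is that goagent's default install location is under /usr/share/; without root privileges nothing can be changed... and the certificate cannot be generated either.

Look at goagent's service file and install script. The local directory belongs to nobody, and the service file specifies running as nobody.

Offline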

#11 2015-02-26 20:38:29

paleneutron
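Member
Registered: 2014-11-18
Posts: 10

Re: goagent from the official repository throws all kinds of errors

百合仙子 wrote:
paleneutron wrote:

The problem is that goagent's default install location is under /usr/share/; without root privileges nothing can be changed... and the certificate cannot be generated either.

Look at goagent's service file and install script. The local directory belongs to nobody, and the service file specifies running as nobody.

/etc/goagent is owned by root, with group nobody.
Oddly, /usr/lib/systemd/system/goagent.service was not found... it looks like the new version installs directly into the target.
Link to the service file: https://projects.archlinux.org/svntogit/community.git/tree/trunk/goagent.service?h=packages/goagent
Link to the install script: https://projects.archlinux.org/svntogit/community.git/tree/trunk/goagent.install?h=packages/goagent
Both look fine...

As for CA.crt not being parsed by Chromium, I think I have roughly found the answer. Comparing the GitHub and Arch Linux versions of proxylib.py shows the following.
Although both use a conditional in the definition: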

self.ca_digest = 'sha1' if sys.platform == 'win32' and sys.getwindowsversion() < (6,) else 'sha256'

the GitHub version does not use this attribute in the creat_ca function and instead hard-codes 'sha1':
ca.sign(key, 'sha1')
Arch Linux version:
ca.sign(key, CertUtil.ca_digest)

Another difference, in check_ca:
            self.ca_thumbprint = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, fp.read()).digest('sha1')

            CertUtil.ca_thumbprint = OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, fp.read()).digest(CertUtil.ca_digest)

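I don't know the reasoning behind it, but after I copied the code over, the generated CA.crt really can be recognized by Chromium...

However, when running as a daemon there are still heaps of errors, for example: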

Feb 26 21:25:49 localhost goagent[1649]: Traceback (most recent call last):
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/SocketServer.py", line 599, in process_request_thread
Feb 26 21:25:49 localhost goagent[1649]: self.finish_request(request, client_address)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 904, in finish_request
Feb 26 21:25:49 localhost goagent[1649]: self.RequestHandlerClass(request, client_address, self)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/goagent", line 759, in __init__
Feb 26 21:25:49 localhost goagent[1649]: SimpleProxyHandler.__init__(self, *args, **kwargs)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/SocketServer.py", line 655, in __init__
Feb 26 21:25:49 localhost goagent[1649]: self.handle()
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
Feb 26 21:25:49 localhost goagent[1649]: self.handle_one_request()
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 1579, in handle_one_request
Feb 26 21:25:49 localhost goagent[1649]: return BaseHTTPServer.BaseHTTPRequestHandler.handle_one_request(self)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
Feb 26 21:25:49 localhost goagent[1649]: method()
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 1610, in do_METHOD
Feb 26 21:25:49 localhost goagent[1649]: return plugin.handle(self, **action[1])
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 1010, in handle
Feb 26 21:25:49 localhost goagent[1649]: self.do_ssl_handshake(handler)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 996, in do_ssl_handshake
Feb 26 21:25:49 localhost goagent[1649]: certfile = CertUtil.get_cert(handler.host)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 282, in get_cert
Feb 26 21:25:49 localhost goagent[1649]: return CertUtil._get_cert(commonname, sans)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 264, in _get_cert
Feb 26 21:25:49 localhost goagent[1649]: with open(certfile, 'wb') as fp:
Feb 26 21:25:49 localhost goagent[1649]: IOError: [Errno 13] Permission denied: 'certs/.google.com.crt'

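It seems the nobody setup the author intended does not work all that well...

Running it manually with sudo python2 goagent avoids this problem, but there are still plenty of errors: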

WARNING - [Feb 26 21:31:42] create_ssl_connection to 'www.google.com.hk' with [('64.233.182.90', 443), ('173.194.72.118', 443), ('173.194.127.129', 443), ('64.233.181.90', 443), ('173.194.127.176', 443), ('74.125.207.90', 443), ('74.125.204.82', 443), ('74.125.204.17', 443), ('173.194.127.20', 443), ('173.194.127.31', 443), ('173.194.127.17', 443), ('173.194.127.19', 443), ('173.194.127.15', 443), ('173.194.127.18', 443), ('173.194.127.24', 443), ('173.194.72.139', 443), ('64.233.187.100', 443), ('173.194.127.37', 443), ('173.194.127.131', 443), ('173.194.127.79', 443), ('74.125.23.99', 443)] return ['timed out', "('The handshake operation timed out',)"], try again.       

Is anyone able to use goagent from the official repository normally?

Last edited by paleneutron (2015-02-26 21:49:33)

Offline

#12 2015-02-26 23:09:03

savvvygh
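Member
Registered: 2014-02-16
Posts: 160

Re: goagent from the official repository throws all kinds of errors

Here I just installed it with pacman, edited goagent.conf, ran systemctl start goagent, imported the certificate, and everything works.
systemctl start goagent was run directly as root.

Offline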

#13 2015-02-27 20:32:39

paleneutron
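Member
Registered: 2014-11-18
Posts: 10

Re: goagent from the official repository throws all kinds of errors

savvvygh wrote:

Here I just installed it with pacman, edited goagent.conf, ran systemctl start goagent, imported the certificate, and everything works.
systemctl start goagent was run directly as root.

I'm about to go crazy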

➜  local  sudo -u nobody python2 /usr/share/goagent/local/goagent
WARNING - [Feb 27 20:29:59] *NOTE*, if you want to fix high cpu usage, please decrease [gae]window
------------------------------------------------------
GoAgent Version    : 3.2.3 (python/2.7.9 gevent/1.0 pyopenssl/0.14)
Listen Address     : 127.0.0.1:8087
GAE Mode           : https
GAE APPID          : 
Pac Server         : http://192.168.0.104:8086/proxy.pac
Pac File           : file:///usr/share/goagent/local/proxy.pac
------------------------------------------------------
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
WARNING - [Feb 27 20:29:59] install root certificate failed, Please run as administrator/root/sudo

What on earth is that last warning... I clearly ran it with sudo

Offline

#14 2015-02-28 18:34:45

依云
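Member
Location: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,919
Website

Re: goagent from the official repository throws all kinds of errors

paleneutron wrote:

However, when running as a daemon there are still heaps of errors, for example: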

Feb 26 21:25:49 localhost goagent[1649]: Traceback (most recent call last):
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/SocketServer.py", line 599, in process_request_thread
Feb 26 21:25:49 localhost goagent[1649]: self.finish_request(request, client_address)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 904, in finish_request
Feb 26 21:25:49 localhost goagent[1649]: self.RequestHandlerClass(request, client_address, self)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/goagent", line 759, in __init__
Feb 26 21:25:49 localhost goagent[1649]: SimpleProxyHandler.__init__(self, *args, **kwargs)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/SocketServer.py", line 655, in __init__
Feb 26 21:25:49 localhost goagent[1649]: self.handle()
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle
Feb 26 21:25:49 localhost goagent[1649]: self.handle_one_request()
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 1579, in handle_one_request
Feb 26 21:25:49 localhost goagent[1649]: return BaseHTTPServer.BaseHTTPRequestHandler.handle_one_request(self)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request
Feb 26 21:25:49 localhost goagent[1649]: method()
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 1610, in do_METHOD
Feb 26 21:25:49 localhost goagent[1649]: return plugin.handle(self, **action[1])
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 1010, in handle
Feb 26 21:25:49 localhost goagent[1649]: self.do_ssl_handshake(handler)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 996, in do_ssl_handshake
Feb 26 21:25:49 localhost goagent[1649]: certfile = CertUtil.get_cert(handler.host)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 282, in get_cert
Feb 26 21:25:49 localhost goagent[1649]: return CertUtil._get_cert(commonname, sans)
Feb 26 21:25:49 localhost goagent[1649]: File "/usr/share/goagent/local/proxylib.py", line 264, in _get_cert
Feb 26 21:25:49 localhost goagent[1649]: with open(certfile, 'wb') as fp:
Feb 26 21:25:49 localhost goagent[1649]: IOError: [Errno 13] Permission denied: 'certs/.google.com.crt'

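It seems the nobody setup the author intended does not work all that well...

...

Is anyone able to use goagent from the official repository normally?

It works perfectly fine here.

ls -ld /usr/share/goagent/local/certs
ls -l /usr/share/goagent/local/certs/.google.com.crt

What is the output?

Offline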

#15 2015-02-28 18:45:21

alanfly
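Member
Registered: 2011-12-16
Posts: 50

Re: goagent from the official repository throws all kinds of errors

paleneutron wrote:
savvvygh wrote:

Here I just installed it with pacman, edited goagent.conf, ran systemctl start goagent, imported the certificate, and everything works.
systemctl start goagent was run directly as root.

I'm about to go crazy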

➜  local  sudo -u nobody python2 /usr/share/goagent/local/goagent
WARNING - [Feb 27 20:29:59] *NOTE*, if you want to fix high cpu usage, please decrease [gae]window
------------------------------------------------------
GoAgent Version    : 3.2.3 (python/2.7.9 gevent/1.0 pyopenssl/0.14)
Listen Address     : 127.0.0.1:8087
GAE Mode           : https
GAE APPID          : 
Pac Server         : http://192.168.0.104:8086/proxy.pac
Pac File           : file:///usr/share/goagent/local/proxy.pac
------------------------------------------------------
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
WARNING - [Feb 27 20:29:59] install root certificate failed, Please run as administrator/root/sudo

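What on earth is that last warning... I clearly ran it with sudo

Neither that last warning nor the two error lines before it affect usage; with the one from the repository I get these three lines on every automatic systemctl start.

Offline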
