#1 2022-01-07 10:44:10

YanMingHao
Member
Registered: 2022-01-07
Posts: 7

Installing software with yay fails with a git clone error; after switching to a phone hotspot, the HTTPS download fails

Downloading wechat over the company network with
yay wechat
gives
fatal: 无法访问 'https://aur.tuna.tsinghua.edu.cn/wechat-uos.git/':SSL certificate problem: unable to get local issuer certificate
         context: exit status 128
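I looked through related material, and some people say switching networks solves it.
After switching to my phone's network this error no longer appears,
but a new error shows up: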

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
==> 错误: 无法下载 https://home-store-packages.uniontech.c … _amd64.deb
    正在放弃...
-> 生成时出错: wechat-uos

I really can't find the cause. I hope someone experienced can help me solve this.

#2 2022-01-07 11:02:43

依云
Member
From: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,961

curl -v https://aur.tuna.tsinghua.edu.cn
curl --version

#3 2022-01-07 11:27:19

YanMingHao
Member
Registered: 2022-01-07
Posts: 7

> curl -v https://aur.tuna.tsinghua.edu.cn
*   Trying 101.6.15.130:443...
* Connected to aur.tuna.tsinghua.edu.cn (101.6.15.130) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


curl --version
curl 7.80.0 (x86_64-pc-linux-gnu) libcurl/7.80.0 OpenSSL/1.1.1m zlib/1.2.11 brotli/1.0.9 zstd/1.5.1 libidn2/2.3.2 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.46.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd


I see the same problem:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

#5 2022-01-07 12:27:54

依云
Member
From: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,961

ls -lL /etc/ssl/certs/ca-certificates.crt

Check whether the local certificate file looks OK?

Also, your curl is a bit old.

#6 2022-01-07 12:54:31

YanMingHao
Member
Registered: 2022-01-07
Posts: 7

依云 wrote:

ls -lL /etc/ssl/certs/ca-certificates.crt

Check whether the local certificate file looks OK?

Also, your curl is a bit old.



> ls -lL /etc/ssl/certs/ca-certificates.crt
-r--r--r-- 1 root root 208919  1月  7 09:48 /etc/ssl/certs/ca-certificates.crt

Earlier, going by material I had read, I downloaded some crt files,
put them in curlssl, and then added an environment variable.

> cd curlssl
> ls
aur.archlinux.org-key.pem  aur.archlinux.org.pem  cacert-2021-10-26.crt  cacert.pem

Environment variable added to /etc/profile:
export CURL_CA_BUNDLE=/home/yanminghao/curlssl/cacert.pem

What else should I look at to troubleshoot this? Thanks for the reply.

#7 2022-01-07 13:34:21

依云
Member
From: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,961

What? Don't go downloading root certificate lists indiscriminately.

Have a look at the output of this command:
openssl s_client -connect aur.tuna.tsinghua.edu.cn:443 -servername aur.tuna.tsinghua.edu.cn
(Once the output stops moving, press Ctrl-C or Ctrl-D to end it.)

#8 2022-01-07 13:42:35

YanMingHao
Member
Registered: 2022-01-07
Posts: 7

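依云 wrote:

What? Don't go downloading root certificate lists indiscriminately.

Have a look at the output of this command:
openssl s_client -connect aur.tuna.tsinghua.edu.cn:443 -servername aur.tuna.tsinghua.edu.cn
(Once the output stops moving, press Ctrl-C or Ctrl-D to end it.)


Many thanks again for your reply.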


> openssl s_client -connect aur.tuna.tsinghua.edu.cn:443 -servername aur.tuna.tsinghua.edu.cn
CONNECTED(00000003)
depth=0 CN = tuna.tsinghua.edu.cn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = tuna.tsinghua.edu.cn
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = tuna.tsinghua.edu.cn
verify return:1
---
Certificate chain
0 s:CN = tuna.tsinghua.edu.cn
   i:C = EN, CN = UniKNetRootSSLCert 2
---
Server certificate
subject=CN = tuna.tsinghua.edu.cn

issuer=C = EN, CN = UniKNetRootSSLCert 2

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1130 bytes and written 406 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
That is the output; I ran it as a normal user.

#9 2022-01-07 14:08:37

依云
Member
From: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,961

Who is UniKNetRootSSLCert 2? There is a man-in-the-middle on your network that replaced the TLS certificate.

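The reading of the `openssl s_client` transcript from post #8 that leads to this diagnosis, written out as a script; this is an added example, not part of the original thread. The function names are hypothetical, `SUSPECT` is constructed from the diagnostic lines of that transcript, and `BASELINE` is a constructed transcript whose CA names are placeholders, not the mirror's real issuer.

```sh
#!/bin/sh
# Constructed sample: the diagnostic lines of the transcript posted in #8.
SUSPECT='depth=0 CN = tuna.tsinghua.edu.cn
verify error:num=20:unable to get local issuer certificate
Certificate chain
 0 s:CN = tuna.tsinghua.edu.cn
   i:C = EN, CN = UniKNetRootSSLCert 2
Server public key is 1024 bit
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample of a transcript saved on a trusted path. The CA names
# are placeholders (assumption), not the mirror's real issuer.
BASELINE='Certificate chain
 0 s:CN = tuna.tsinghua.edu.cn
   i:C = XX, O = Placeholder CA, CN = Placeholder Issuing CA 1
 1 s:C = XX, O = Placeholder CA, CN = Placeholder Issuing CA 1
   i:C = XX, O = Placeholder CA, CN = Placeholder Root 1
Server public key is 2048 bit
Verify return code: 0 (ok)'

# Issuer of chain entry 0: the first "i:" line after the "0 s:" line.
leaf_issuer() {
    printf '%s\n' "$1" | awk '
        /^ *0 s:/ { leaf = 1; next }
        leaf && /^ *i:/ { sub(/^ *i:/, ""); print; exit }'
}

# Numeric code from the first "Verify return code:" line.
verify_code() {
    printf '%s\n' "$1" |
        sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Size of the server key in bits, as reported by s_client.
key_bits() {
    printf '%s\n' "$1" |
        sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Verdict for a transcript ($1), given the leaf issuer recorded on a trusted path ($2).
triage() {
    issuer=$(leaf_issuer "$1")
    code=$(verify_code "$1")
    if [ "$issuer" != "$2" ]; then
        echo "issuer-changed"   # same host, different signer: interception or a CA change
    elif [ "$code" != "0" ]; then
        echo "verify-failed"    # expected signer, but the local trust store rejects the chain
    else
        echo "ok"
    fi
}

triage "$SUSPECT" "$(leaf_issuer "$BASELINE")"
```

An `issuer-changed` verdict together with a one-certificate chain and a 1024-bit key, as in the posted transcript, points at the network path rather than at the local CA bundle, which is why replacing `ca-certificates.crt` or setting `CURL_CA_BUNDLE` does not help here.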

#10 2022-01-07 14:14:58

YanMingHao
Member
Registered: 2022-01-07
Posts: 7

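依云 wrote:

Who is UniKNetRootSSLCert 2? There is a man-in-the-middle on your network that replaced the TLS certificate.

I'm really sorry, I don't understand this very well. All I know is that there is a v2ray proxy on my system at the moment, and I don't know whether that has anything to do with it. Is there some way to inspect this UniKNetRootSSLCert, or how do I get rid of it?

#11 2022-01-07 15:53:02

依云
Member
From: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,961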

v2ray wouldn't feed you bogus certificates.

The name UniKNetRootSSLCert turns up nothing at all in a web search.
Could it be your organization, or your ISP or the like, doing this?

#12 2022-01-07 16:05:06

YanMingHao
Member
Registered: 2022-01-07
Posts: 7

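依云 wrote:

v2ray wouldn't feed you bogus certificates.

The name UniKNetRootSSLCert turns up nothing at all in a web search.
Could it be your organization, or your ISP or the like, doing this?

I'll go and ask our IT department about this later. If it is something done inside the company, then using a hotspot or the like should get around it, right?

#13 2022-01-07 16:17:16

依云
Member
From: a.k.a. 百合仙子
Registered: 2011-08-21
Posts: 8,961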

Yes. But you first need to make sure the company allows you to do that. Please don't violate company rules.