Error when downloading wechat over the company network
yay wechat
It reports:
fatal: 无法访问 'https://aur.tuna.tsinghua.edu.cn/wechat-uos.git/':SSL certificate problem: unable to get local issuer certificate
context: exit status 128
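Looking through related material, I found people saying that switching networks solves it.
After switching to my phone's mobile network, this error no longer appears,
but a new error appears: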
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
==> 错误: 无法下载 https://home-store-packages.uniontech.c … _amd64.deb
正在放弃...
-> 生成时出错: wechat-uos
I really can't find the cause. I hope someone experienced can help me solve this.

curl -v https://aur.tuna.tsinghua.edu.cn
curl --version

> curl -v https://aur.tuna.tsinghua.edu.cn
* Trying 101.6.15.130:443...
* Connected to aur.tuna.tsinghua.edu.cn (101.6.15.130) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
curl --version
curl 7.80.0 (x86_64-pc-linux-gnu) libcurl/7.80.0 OpenSSL/1.1.1m zlib/1.2.11 brotli/1.0.9 zstd/1.5.1 libidn2/2.3.2 libpsl/0.21.1 (+libidn2/2.3.0) libssh2/1.10.0 nghttp2/1.46.0
Release-Date: 2021-11-10
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets zstd
I see the same problem:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

ls -lL /etc/ssl/certs/ca-certificates.crt
Check whether the local certificate file looks normal.
Also, your curl is a bit old.

> ls -lL /etc/ssl/certs/ca-certificates.crt
-r--r--r-- 1 root root 208919 1月 7 09:48 /etc/ssl/certs/ca-certificates.crt
Earlier, following some material I read, I downloaded crt files,
put them in curlssl, and then added an environment variable:
> cd curlssl
> ls
aur.archlinux.org-key.pem aur.archlinux.org.pem cacert-2021-10-26.crt cacert.pem
Environment variable added to /etc/profile:
export CURL_CA_BUNDLE=/home/yanminghao/curlssl/cacert.pem
What else should I look at to troubleshoot this? Thanks for the reply.

What? Don't go downloading root certificate lists carelessly.
Look at the output of this command:
openssl s_client -connect aur.tuna.tsinghua.edu.cn:443 -servername aur.tuna.tsinghua.edu.cn
(Once the output stops, press Ctrl-C or Ctrl-D to end it.)

Thank you very much again for your reply.
> openssl s_client -connect aur.tuna.tsinghua.edu.cn:443 -servername aur.tuna.tsinghua.edu.cn
CONNECTED(00000003)
depth=0 CN = tuna.tsinghua.edu.cn
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = tuna.tsinghua.edu.cn
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = tuna.tsinghua.edu.cn
verify return:1
---
Certificate chain
0 s:CN = tuna.tsinghua.edu.cn
i:C = EN, CN = UniKNetRootSSLCert 2
---
Server certificate
subject=CN = tuna.tsinghua.edu.cn
issuer=C = EN, CN = UniKNetRootSSLCert 2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1130 bytes and written 406 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
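That is the output; I ran it as a regular user.

Who is this UniKNetRootSSLCert 2? There is a man-in-the-middle on your network, and it replaced the TLS certificate.

I'm really sorry, I don't understand this very well. All I know is that there is currently a v2ray proxy on my system, and I don't know whether it has anything to do with this. Is there any way to inspect this UniKNetRootSSLCert, or how can I get rid of it?

v2ray won't feed you bogus certificates.
The name UniKNetRootSSLCert can't be found anywhere on the internet.
Is this something your organization or your ISP or the like did?

I'll ask our IT department about this later. If it is something the company did internally, then using a hotspot or the like should bypass it, right?

Yes. But first you have to make sure the company allows you to do that. Please don't violate company rules.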
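
An added example, not part of the original thread: a small shell filter that condenses `openssl s_client` output like the one posted above into one line giving the verify result, the issuer of the presented certificate, and a flag for server keys under 2048 bits. The function names are this example's own, and the sample lines are excerpted from the output in the thread.

```shell
# Live use (assumes network access; HOST is a placeholder):
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>&1 | summarize_s_client

summarize_s_client() {
    # Reads s_client text on stdin and prints one verdict line.
    # VERIFIED only means the chain validated against the local trust store.
    awk '
        /^issuer=/ && issuer == "" { issuer = substr($0, 8) }
        /^Server public key is /   { bits = $5 }
        /Verify return code:/ && code == "" {
            code = $4
            reason = $0
            sub(/^[^(]*\(/, "", reason)   # drop everything up to "("
            sub(/\).*$/, "", reason)      # drop ")" and the rest
        }
        END {
            if (code == "") { print "UNKNOWN no verify result found"; exit }
            verdict = (code + 0 == 0) ? "VERIFIED" : "UNVERIFIED"
            weak = (bits != "" && bits + 0 < 2048) ? " weak-key=" bits : ""
            printf "%s code=%s (%s) issuer=\"%s\"%s\n", verdict, code, reason, issuer, weak
        }'
}

sample_intercepted() {
    # Lines excerpted from the s_client output posted in the thread.
    cat <<'EOF'
depth=0 CN = tuna.tsinghua.edu.cn
verify error:num=20:unable to get local issuer certificate
subject=CN = tuna.tsinghua.edu.cn
issuer=C = EN, CN = UniKNetRootSSLCert 2
Server public key is 1024 bit
Verify return code: 21 (unable to verify the first certificate)
EOF
}

sample_intercepted | summarize_s_client
```

Running the same filter on the company network and on another network makes a changed issuer stand out immediately.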