江苏龙网

  1. 主页 > 生活百科 > >

一个因CA根证书过期引起的故障

CA根证书

服务器上的应用服务对外发送的一些https请求都失败了,真相竟然是 。。。
问题10点左右,同事反馈咨询线上的Sentry服务器现在是否正常 。之后去检查Sentry服务,运行正常,但是该应用服务对接的Sentry频道已经很久没有事件进来了 。
感觉不太对劲,再去检查下Sentry worker专用的容器, 发现该Worker服务中中有些错误日志:
E, [2020-06-01T04:02:03.670850 #6] ERROR -- sentry: ** [Raven] Unable to record event with remote Sentry server (Raven::Error - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired)):/usr/local/bundle/gems/sentry-raven-2.7.3/lib/raven/transports/http.rb:34:in `rescue in send_event'/usr/local/bundle/gems/sentry-raven-2.7.3/lib/raven/transports/http.rb:16:in `send_event'/usr/local/bundle/gems/sentry-raven-2.7.3/lib/raven/client.rb:37:in `send_event'/usr/local/bundle/gems/sentry-raven-2.7.3/lib/raven/instance.rb:81:in `send_event'/App/src/worker.rb:26:in `perform'/usr/local/bundle/gems/sidekiq-5.1.3/lib/sidekiq/processor.rb:187:in `execute_job'/usr/local/bundle/gems/sidekiq-5.1.3/lib/sidekiq/processor.rb:169:in `block (2 levels) in process'/usr/local/bundle/gems/sidekiq-5.1.3/lib/sidekiq/middleware/chain.rb:128:in `block in invoke'/usr/local/bundle/gems/sentry-raven-2.7.3/lib/raven/integrations/sidekiq.rb:9:in `call'/usr/local/bundle/gems/sidekiq-5.1.3/lib/sidekiq/middleware/chain.rb:130:in `block in invoke'/usr/local/bundle/gems/sidekiq-5.1.3/lib/sidekiq/middleware/chain.rb:133:in `invoke'E, [2020-06-01T04:02:03.671130 #6] ERROR -- sentry: ** [Raven] Failed to submit event: <no message value>奇怪?sentry-worker在连sentry server 时请求域名的证书过期了?
分析针对上面的错误信息,先去检查了相关调用的域名证书的有效期,发现都在有效期内 。而且印象中都是年初刚更换的 。所以排除了是域名证书问题 。
然后根据错误日志,尝试在自己电脑上用下curl 命令,巧合的很,也遇到了类似的错误.
$ curl https://sentry.xxx.comcurl: (60) SSL certificate problem: certificate has expiredMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above.我又去找了其它一台centos主机,发现curl返回的结果是正常的,从web端和centos客户端curl都成功的看,像是我本机电脑的curl和sentry-worker主机出了问题 。
之后用到网上找到使用openssl命令排查ssl错误的方法:
$ openssl s_client -showcerts -servername sentry.xxx.com -connect sentry.xxx.com:443CONNECTED(00000003)depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Rootverify error:num=10:certificate has expirednotAfter=May 30 10:48:38 2020 GMT---Certificate chain 0 s:/OU=Domain Control Validated/OU=GoGetSSL Wildcard SSL/CN=*.xxx.comi:/C=LV/L=Riga/O=GoGetSSL/CN=GoGetSSL RSA DV CA-----BEGIN CERTIFICATE-----#...省略从上面执行命令返回的内容来看,这里的CA证书AddTrust External CA Root 在May 30 10:48:38 2020 GMT 这个时间过期了 。
上网查了下相关的资料,发现他们官方发过一篇通告:
Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020.
解决方案现在算是找到为什么请求https会出现证书过期的原因了 。接下来看下如何解决:

  1. 修改服务器ca配置
  2. 更新ca库信息
主机(Ubuntu)修改服务器CA配置修改服务器ca证书配置文件:/etc/ca-certificates.conf
sed -i "/AddTrust_External_Root.crt/d" /etc/ca-certificates.conf更新CA库使用update-ca-certificates 该命令用以更新目录/etc/ssl/certs来保存SSL证书,并生成ca-certificates.crt:
$ sudo update-ca-certificates --freshClearing symlinks in /etc/ssl/certs...done.Updating certificates in /etc/ssl/certs...147 added, 0 removed; done.Running hooks in /etc/ca-certificates/update.d...done.重启主机上的应用程序 。
容器(Docker-Alpine OS)容器同主机上的修改差不太多 。修改ca配置文件,之后执行更新命令 。以下以alpine系统为例:
修改配置文件:
sed -i "/AddTrust_External_Root.crt/d" /etc/ca-certificates.conf更新ca证书链:
update-ca-certificates -f -v当然上面的两条命令最好是放在Dockerfile中,你知道,在容器里做的任何修改都是不可靠的(除非挂载了共享或卷)
Dockerfile示例,在CMD之前添加一行:
省略...RUN sed -i "/AddTrust_External_Root.crt/d" /etc/ca-certificates.conf&& update-ca-certificates -f -v


推荐阅读


上一篇:开店怎么吸引顾客十个妙招 淘宝新店如何吸引顾客进店

下一篇:淘宝店铺的规则主要有哪一些 淘宝店的规则和运营模式