Downloading a package from GitHub over HTTPS fails on FreeBSD

Source: Internet  Published: ddg1000 知乎  Editor: 程序博客网  Time: 2024/04/30 02:11

I wanted to download a package from GitHub, but fetch unexpectedly reported an error:

root@example:~ # fetch https://github.com/encorehu/django-buddy/archive/master.zip
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: https://github.com/encorehu/django-buddy/archive/master.zip: Authentication error


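Some sources say that GitHub itself updated something about its SSL connections. There was too much English for me to follow, and I could not be bothered to read it.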


Update 2016-1-27: the correct answer: https://github.com/saltstack/salt-bootstrap/issues/290

deeprave commented on 8 Oct 2014

Actually a better (and permanent) solution to this is to:

$ pkg install ca_root_nss

then, ln or cp the combined root certificates to /etc/ssl/cert.pem

e.g.

$ ln -s /usr/local/share/certs/ca-root-nss.crt /etc/ssl/cert.pem

which installs the nss root certificates in a place where fetch(1) can find them.

Bypassing security is rarely a good solution.


Other people solved it by:

1. Installing a newer version of OpenSSL

or 2. Installing DigiCert's certificate


I will add the details once I have solved this myself.

----

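Addendum

3. Some sources say to download the certificate from the DigiCert certificate site, https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt. As it turns out, that file also has to be downloaded over HTTPS, so it could not be downloaded at all.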

root@example:~ # fetch https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt
Certificate verification failed for /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA
34380826280:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:1168:
fetch: https://www.digicert.com/CACerts/DigiCertHighAssuranceEVCA-1.crt: Authentication error

4. Test command: openssl s_client -connect github.com:443

openssl s_client -connect github.com:443

The result was a long scroll of output:

root@example:~ # openssl s_client -connect github.com:443
CONNECTED(00000003)
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV CA-1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
....... deleted .......
..... deleted, seemed safer .....
-----END CERTIFICATE-----
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=548 4th Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1
---
No client certificate CA names sent
---
SSL handshake has read 4139 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: FB3AF14B585A4FE1D98556286E5C82FEF788B2BE6FAF83081B742417E05FD90E
    Session-ID-ctx:
    Master-Key: 14CD0609C660C0896CF5F159517A02A95E5AE43BC47561EEBB49891112271AD50E4DD113D3CFF622985289FD1ED3E7B5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1396167645
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
HTTP/1.0 408 Request Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed

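What does all of this mean? At the end it does seem to show something: 408, request timeout, the browser did not send a complete request within the default time.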


5. Temporary workaround: learning as I went, I used curl url >a.zip and that solved the download problem. I will add more about the openssl problem later.
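
An added example (not from the original post or from the quoted comment): a small sh triage for the failure above. It checks the bundle path named in the quoted comment and reads the verify code from saved openssl s_client output; the function names and the root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage for fetch(1) "certificate verify failed" on FreeBSD.
# The cert.pem path and the ca_root_nss package name come from the quoted comment.
# The root-prefix argument is a hypothetical parameter so the checks can be
# run against a scratch directory instead of the live system.

# Classify the bundle fetch(1) reads: missing | dangling | empty | ok:<count>
trust_store_state() {
    root="${1:-}"
    pem="$root/etc/ssl/cert.pem"
    if [ -L "$pem" ] && [ ! -e "$pem" ]; then
        echo dangling; return 0      # symlink left behind, target is gone
    fi
    [ -e "$pem" ] || { echo missing; return 0; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$n" -gt 0 ] || { echo empty; return 0; }
    echo "ok:$n"
}

# Extract the numeric verify result from saved `openssl s_client` output (stdin).
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Combine both observations into a next step.
diagnose() {
    state=$(trust_store_state "$1")
    code=$(verify_code)
    case "$state:$code" in
        ok:*:0)  echo "trust store present and chain verified" ;;
        ok:*:20) echo "bundle present but issuer not in it" ;;
        *:20)    echo "no usable CA bundle ($state); install ca_root_nss and link cert.pem" ;;
        *)       echo "state=$state verify_code=${code:-none}" ;;
    esac
}

# Demo: an empty scratch root (constructed) plus the verify line shown above.
demo_root=$(mktemp -d "${TMPDIR:-/tmp}/trust.XXXXXX")
diagnose "$demo_root" <<'EOF'
    Verify return code: 20 (unable to get local issuer certificate)
EOF
rm -rf "$demo_root"
```

On a real host, call `diagnose ""` with the s_client output on stdin so that the check reads /etc/ssl/cert.pem itself.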


References:

http://smyck.net/2014/01/22/freebsd-authentication-error/

https://forums.freebsd.org/viewtopic.php?&t=14051

http://stackoverflow.com/questions/22027418/openssl-python-requests-error-certificate-verify-failed

