Lately our customers have often run into problems installing our software.
A large share of those cases come from machines running Red Hat Enterprise Linux (RHEL) 6
whose trust store lacks a required root CA certificate.
Let's dig into it.
With a free Red Hat account you can download the latest RHEL release to try out,
but RHEL 6 is an old release, so instead I used an image from Docker Hub:
docker run -it roboxes/rhel6 /bin/bash
First, try curl against one of the company's sites; inside this Docker image it works fine.
Two things to note in the output: curl on RHEL 6 is built against NSS and reads its CA bundle
from /etc/pki/tls/certs/ca-bundle.crt, and the server certificate of this Trend Micro site is
issued by the intermediate CA Entrust Certification Authority - L1K:
# curl -L -v -I https://files.trendmicro.com
* About to connect() to files.trendmicro.com port 443 (#0)
* Trying 104.111.210.7... connected
* Connected to files.trendmicro.com (104.111.210.7) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.trendmicro.com,O=Trend Micro Inc.,L=Irving,ST=Texas,C=US
* start date: Mar 09 08:24:35 2022 GMT
* expire date: Apr 05 08:24:35 2023 GMT
* common name: www.trendmicro.com
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: files.trendmicro.com
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 11
Content-Length: 11
< Server: AkamaiNetStorage
Server: AkamaiNetStorage
< Date: Mon, 25 Jul 2022 02:32:37 GMT
Date: Mon, 25 Jul 2022 02:32:37 GMT
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host files.trendmicro.com left intact
* Closing connection #0
Open /etc/ssl/certs/ca-bundle.crt and take a look (on RHEL 6 /etc/ssl/certs is a symlink to
/etc/pki/tls/certs, so this is the same file curl reported as its CAfile).
It contains the root certificate Entrust Root Certification Authority - G2,
and because Entrust Certification Authority - L1K is in fact issued by
Entrust Root Certification Authority - G2,
the chain Entrust G2 > Entrust L1K > Trend Micro ends at a trusted root;
that is why curl can connect. Here is the G2 entry from the bundle (the bundle carries an
openssl -text dump ahead of each PEM block):
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1246989352 (0x4a538c28)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
Validity
Not Before: Jul 7 17:25:54 2009 GMT
Not After : Dec 7 17:55:54 2030 GMT
Subject: C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, OU=(c) 2009 Entrust, Inc. - for authorized use only, CN=Entrust Root Certification Authority - G2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ba:84:b6:72:db:9e:0c:6b:e2:99:e9:30:01:a7:
......
a4:71
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6A:72:26:7A:D0:1E:EF:7D:E7:3B:69:51:D4:6C:8D:9F:90:12:66:AB
Signature Algorithm: sha256WithRSAEncryption
79:9f:1d:96:c6:b6:79:3f:22:8d:87:d3:87:03:04:60:6a:6b:
......
6f:8b:45:f6
-----BEGIN CERTIFICATE-----
MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC
......
VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
If you delete the Entrust Root Certification Authority - G2 entry from /etc/ssl/certs/ca-bundle.crt
and run curl again, you get the message Peer certificate cannot be authenticated with known CA certificates.
The system no longer recognises the G2 root, so chain building stops at L1K
(NSS error -8172 is SEC_ERROR_UNTRUSTED_ISSUER):
# curl -L -v -I https://files.trendmicro.com
* About to connect() to files.trendmicro.com port 443 (#0)
* Trying 104.111.210.7... connected
* Connected to files.trendmicro.com (104.111.210.7) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Certificate is signed by an untrusted issuer: 'CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US'
* NSS error -8172
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Back to the customer's problem.
Their RHEL 6 install is presumably old enough that its bundle simply does not include
the Entrust Root Certification Authority - G2 root certificate.
The fix is to trust that root, not to bypass verification with curl -k or similar options,
which would silently accept any certificate. Download the root certificate (PEM format)
and place it under /etc/pki/ca-trust/source/anchors. Before installing it, compare the
file's SHA-256 fingerprint (openssl x509 -in entrust_g2_ca.cer -noout -fingerprint -sha256)
with the fingerprint Entrust publishes for that root; and if the download itself fails
certificate validation on the same box, fetch the file on a machine with a current trust store
and copy it over rather than disabling wget's certificate check:
cd /tmp
wget https://web.entrust.com/root-certificates/entrust_g2_ca.cer
sudo mkdir -p /etc/pki/ca-trust/source/anchors/
sudo cp entrust_g2_ca.cer /etc/pki/ca-trust/source/anchors/
Then run
sudo update-ca-trust extract
to regenerate the trusted root CA bundles.
At this point you may see an error saying that ca-bundle.legacy.crt already contains a duplicate certificate.
That happened because the RHEL 6 Docker image I used for testing already shipped that certificate
(on a customer machine that genuinely lacks the root, this warning will not appear):
# sudo update-ca-trust extract
update-ca-trust: Warning: The dynamic CA configuration feature is in the disabled state
p11-kit: duplicate 'Entrust Root Certification Authority - G2' certificate found in: ca-bundle.legacy.crt
Deleting the Entrust Root Certification Authority - G2 block from /etc/pki/ca-trust/source/ca-bundle.legacy.crt
makes that message go away (this step is only needed in a setup like mine, where the root was present twice).
That is not enough on its own, though. Note the other warning, The dynamic CA configuration feature is in the disabled state:
on RHEL 6 the shared system trust store is disabled by default, so the static /etc/pki/tls/certs/ca-bundle.crt
is what curl reads and anything placed in anchors is ignored. You also have to run
sudo update-ca-trust force-enable
to let RHEL rebuild the trust bundles dynamically from the anchors,
and then run extract again:
sudo update-ca-trust force-enable
sudo update-ca-trust extract
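The checks worth scripting around the procedure above, as an added example written for this page (not the post's own tooling, and not part of ca-certificates or p11-kit): compute a downloaded root's SHA-256 fingerprint and compare it with the value the CA publishes, and look for the same certificate (by DER hash, and separately by subject name) in an existing bundle before dropping it into anchors, which is exactly what triggered the duplicate warning above. It uses only the standard library, so it can run on the RHEL 6 box itself, and it understands the layout of ca-bundle.crt shown on this page (an openssl -text dump followed by a PEM block per entry). The sample bundle and the "downloaded" file in the block are constructed: their base64 bodies are placeholder bytes, not real X.509 certificates, which is fine here because fingerprinting only hashes the decoded bytes.

```python
# Added example, not from the original post. Pre-flight checks before copying
# a root certificate into /etc/pki/ca-trust/source/anchors. Stdlib only.
import base64
import hashlib
import re

# One PEM block; re.S lets the base64 body span several lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# "Subject:" line of the openssl -text dump that precedes each PEM block in
# RHEL 6's ca-bundle.crt. Does not match "Subject Public Key Info:".
SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+?)\s*$", re.M)


def fingerprint(der):
    """SHA-256 over the DER bytes, in the colon-separated upper-case form
    that `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fp(fp):
    """Accept a fingerprint with or without colons, in any case."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def pem_to_der(pem_text):
    """DER bytes of the first PEM certificate block in pem_text."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_bundle(bundle_text):
    """Split a bundle into (subject, fingerprint) pairs. The subject comes
    from the last "Subject:" line of the dump preceding each PEM block;
    a bundle without dumps yields subject None."""
    entries, pos = [], 0
    for m in PEM_RE.finditer(bundle_text):
        subjects = SUBJECT_RE.findall(bundle_text[pos:m.start()])
        der = base64.b64decode("".join(m.group(1).split()))
        entries.append((subjects[-1] if subjects else None, fingerprint(der)))
        pos = m.end()
    return entries


def check_download(pem_text, published_sha256):
    """True iff the downloaded certificate matches the fingerprint the CA
    publishes out of band. Do this before trusting a file fetched over a
    connection the box itself could not validate."""
    actual = fingerprint(pem_to_der(pem_text))
    return normalize_fp(actual) == normalize_fp(published_sha256)


def already_present(bundle_text, pem_text):
    """Subjects of bundle entries with exactly the same DER as the candidate.
    A non-empty result means update-ca-trust will report a duplicate."""
    candidate = fingerprint(pem_to_der(pem_text))
    return [subj for subj, fp in parse_bundle(bundle_text) if fp == candidate]


def find_by_subject(bundle_text, name_fragment):
    """Entries whose subject contains name_fragment (e.g. a CN), with their
    fingerprints, so a same-named but different certificate is noticed."""
    return [(subj, fp) for subj, fp in parse_bundle(bundle_text)
            if subj is not None and name_fragment in subj]


# ---- Constructed sample data: placeholder bytes, NOT real certificates ----
def _fake_pem(payload):
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


G2_DN = ("C=US, O=Entrust, Inc., OU=See www.entrust.net/legal-terms, "
         "OU=(c) 2009 Entrust, Inc. - for authorized use only, "
         "CN=Entrust Root Certification Authority - G2")
G2_PLACEHOLDER = b"placeholder DER bytes standing in for Entrust G2"
SAMPLE_BUNDLE = (
    "Certificate:\n    Data:\n"
    "        Subject: CN=Some Unrelated Root CA, O=Example\n"
    + _fake_pem(b"placeholder DER bytes for an unrelated root")
    + "Certificate:\n    Data:\n"
    "        Issuer: " + G2_DN + "\n"
    "        Subject: " + G2_DN + "\n"
    + _fake_pem(G2_PLACEHOLDER))
DOWNLOADED_G2 = _fake_pem(G2_PLACEHOLDER)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # usage: check_anchor.py <downloaded.pem> <ca-bundle.crt> [published-sha256]
        candidate, bundle = open(sys.argv[1]).read(), open(sys.argv[2]).read()
        published = sys.argv[3] if len(sys.argv) > 3 else None
    else:                    # no arguments: run against the constructed sample
        candidate, bundle = DOWNLOADED_G2, SAMPLE_BUNDLE
        published = fingerprint(G2_PLACEHOLDER)
    print("candidate SHA-256: " + fingerprint(pem_to_der(candidate)))
    if published is not None:
        print("matches published fingerprint: " + str(check_download(candidate, published)))
    dup = already_present(bundle, candidate)
    print("already in bundle as: " + (", ".join(dup) if dup else "(not present)"))
```

Run it with the downloaded file, the bundle curl reported as its CAfile, and the published fingerprint; a "matches" of False means the file is not the one the CA published and must not go into anchors, and a non-empty "already in bundle" means the extract step will emit the duplicate warning seen above.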
Now that the root certificate is trusted, curl to the company site succeeds again;
the same curl command is the simplest check that the anchor took effect:
# curl -L -v -I https://files.trendmicro.com
* About to connect() to files.trendmicro.com port 443 (#0)
* Trying 104.111.210.7... connected
* Connected to files.trendmicro.com (104.111.210.7) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.trendmicro.com,O=Trend Micro Inc.,L=Irving,ST=Texas,C=US
* start date: Mar 09 08:24:35 2022 GMT
* expire date: Apr 05 08:24:35 2023 GMT
* common name: www.trendmicro.com
* issuer: CN=Entrust Certification Authority - L1K,OU="(c) 2012 Entrust, Inc. - for authorized use only",OU=See www.entrust.net/legal-terms,O="Entrust, Inc.",C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: files.trendmicro.com
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 11
Content-Length: 11
< Server: AkamaiNetStorage
Server: AkamaiNetStorage
< Date: Mon, 25 Jul 2022 02:32:37 GMT
Date: Mon, 25 Jul 2022 02:32:37 GMT
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host files.trendmicro.com left intact
* Closing connection #0