[Linux] 讓 yum 關閉 SSL 驗證,讓它通過 MITM

[Linux] 讓 yum 關閉 SSL 驗證,讓它通過 MITM

今天裝好了一台 Cloud Linux 8,

本想在裡面跑 yum 裝一下 net-tools,結果遇到 SSL certificate 問題:

# yum install net-tools

AlmaLinux 8.7 - AppStream                                                                                      0.0  B/s |   0  B     00:08
Errors during downloading metadata for repository 'appstream':
  - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8.7/appstream [SSL certificate problem: unable to get local issuer certificate]
Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8.7/appstream [SSL certificate problem: unable to get local issuer certificate]

 

用 openssl 指令連的時候,看到它中間出現了另一個憑證,

應該是公司有在網路裡放了一台 MITM 設備造成的:

# openssl s_client -connect mirrors.almalinux.org:443

CONNECTED(00000003)
depth=1 C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.almalinux.org
verify return:1
---
Certificate chain
 0 s:CN = *.almalinux.org
   i:C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec
 1 s:C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec
   i:DC = org, DC = us, CN = MITMCA
---

 

我移不走 MITM 設備,要怎麼讓 yum 成功呢?

一種方法可能是把 MITM 的 Root CA 加入信任清單,

另一種我採用的方法是修改 /etc/yum.conf,將  sslverify 設成  false :

[main]
sslverify=False

 

改好之後,再執行 yum 就可以成功安裝套件了:

# yum install net-tools

......
Downloading Packages:
net-tools-2.0-0.52.20160912git.el8.x86_64.rpm   198 kB/s | 321 kB     00:01
......

 

(本頁面已被瀏覽過 377 次)

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *

這個網站採用 Akismet 服務減少垃圾留言。進一步了解 Akismet 如何處理網站訪客的留言資料