[Linux] 讓 yum 關閉 SSL 驗證,讓它通過 MITM
今天裝好了一台 Cloud Linux 8,
本想在裡面跑 yum 裝一下 net-tools,結果遇到 SSL certificate 問題:
# yum install net-tools AlmaLinux 8.7 - AppStream 0.0 B/s | 0 B 00:08 Errors during downloading metadata for repository 'appstream': - Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8.7/appstream [SSL certificate problem: unable to get local issuer certificate] Error: Failed to download metadata for repo 'appstream': Cannot prepare internal mirrorlist: Curl error (60): Peer certificate cannot be authenticated with given CA certificates for https://mirrors.almalinux.org/mirrorlist/8.7/appstream [SSL certificate problem: unable to get local issuer certificate]
用 openssl 指令連的時候,看到它中間出現了另一個憑證,
應該是公司有在網路裡放了一台 MITM 設備造成的:
# openssl s_client -connect mirrors.almalinux.org:443 CONNECTED(00000003) depth=1 C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec verify error:num=20:unable to get local issuer certificate verify return:1 depth=0 CN = *.almalinux.org verify return:1 --- Certificate chain 0 s:CN = *.almalinux.org i:C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec 1 s:C = TW, ST = Taiwan, L = Taipei, O = MITM Inc., OU = Infosec i:DC = org, DC = us, CN = MITMCA ---
我移不走 MITM 設備,要怎麼讓 yum 成功呢?
一種方法可能是把 MITM 的 Root CA 加入信任清單,
另一種我採用的方法是修改 /etc/yum.conf,將 sslverify
設成 false
:
[main] sslverify=False
改好之後,再執行 yum 就可以成功安裝套件了:
# yum install net-tools ...... Downloading Packages: net-tools-2.0-0.52.20160912git.el8.x86_64.rpm 198 kB/s | 321 kB 00:01 ......
(本頁面已被瀏覽過 380 次)