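[Windows] Fixing Chocolatey's failure to establish an HTTPS connection to download packages
Today, when I tried to update some software packages with Chocolatey, I ran into a strange error.
It said the package I wanted to update, greenshot, could not be found, and the result was the same with any other package name.
That was odd, because I had installed it with Chocolatey only a short while ago: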
C:\>choco upgrade greenshot
Upgrading the following packages:
greenshot
By upgrading you accept licenses for the packages.
greenshot was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but the version does not.
 Version: ""; Source(s): "https://chocolatey.org/api/v2/"
The choco command has a -d option that prints some debugging information.
Running it again with that option showed an additional message, Could not establish trust relationship for the SSL/TLS:
C:\>choco upgrade -d greenshot
Upgrading the following packages:
greenshot
By upgrading you accept licenses for the packages.
[NuGet] An error occurred while loading packages from 'https://chocolatey.org/api/v2/': The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
greenshot was not found with the source(s) listed.
 If you specified a particular version and are receiving this message, it is possible that the package name exists but the version does not.
 Version: ""; Source(s): "https://chocolatey.org/api/v2/"
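I found some clues in this post...
Could not establish trust relationship for the SSL/TLS secure channel
It looks like when connecting to the site https://chocolatey.org/,
there is a problem with the site's SSL certificate, so the connection is blocked.
Opening https://chocolatey.org/ directly in IE did indeed bring up a message saying there is a problem with the certificate:
After clicking Continue to this website, a Certificate error indicator appears at the top:
Clicking Certificate error shows a notice that this site's certificate was not issued by a trusted CA:
Click View certificates to look at the contents of the certificate...
Hmm, the issuer of the certificate is IWSVASUBCA, which looks a bit familiar...
IWSVA is the web filtering gateway at my company. My guess was that, in order to intercept HTTPS connections,
it generates a certificate for https://chocolatey.org on the fly to present to IE, and then signs that certificate with its own CA,
but because that CA is probably self-signed, it is not trusted:
Looking at the Certification Path tab, it is not exactly what I guessed, but it amounts to much the same thing.
The chocolatey.org certificate is signed by the Sub CA IWSVASUBCA,
and the IWSVASUBCA certificate is signed by a self-signed Root CA (TMINTCA01),
so in this chain of trust the Root CA at the top is not trusted (it is marked with a cross):
Click the Root CA at the top (TMINTCA01) and press the View Certificate button.
Sure enough, this Root CA certificate is self-signed, and it is not trusted:
Pressing the Install Certificate button imports this Root CA certificate into the chain of trust:
We choose to add it to the Trusted Root Certification Authorities store,
which means we will always trust this Root CA certificate (and the certificates it issues):
Press Finish:
The import is then complete:
After restarting IE and connecting to https://chocolatey.org again, there is no longer an error message:
Finally, I ran choco upgrade again, and this time the error about the source not being found no longer appeared: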
C:\>choco upgrade greenshot
Upgrading the following packages:
greenshot
By upgrading you accept licenses for the packages.
greenshot v1.2.8.12 is the latest version available based on your source(s).
Chocolatey upgraded 0/1 packages. 0 packages failed.
 See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
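The same diagnosis and import can be done from PowerShell; the script below is an added example, not part of the original post. It lists the certificate chain that is actually presented for chocolatey.org, then imports the root only if it is self-signed and its SHA-256 fingerprint matches a value confirmed with the gateway's administrators. The file name TMINTCA01.cer, the fingerprint placeholder and the choice of the machine-wide store are assumptions.

```powershell
# Added example (not from the original post). Assumptions:
#   $RootCerPath        - the root CA exported from the View Certificate dialog
#   $ExpectedRootSha256 - fingerprint obtained from the gateway's administrators
param(
    [string]$HostName = 'chocolatey.org',
    [string]$RootCerPath = '.\TMINTCA01.cer',
    [string]$ExpectedRootSha256 = '<SHA256-FINGERPRINT-FROM-IT>'
)

# 1. Record the chain the server (or the gateway in front of it) presents.
$script:chainInfo = @()
$script:policyErrors = $null
[System.Net.Security.RemoteCertificateValidationCallback]$inspect = {
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $script:chainInfo = @($chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject = $_.Certificate.Subject
            Issuer  = $_.Certificate.Issuer
            Status  = ($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    })
    $true   # inspection only: finish the handshake, send no data
}
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $inspect)
    $ssl.AuthenticateAsClient($HostName)
} finally {
    $tcp.Close()
}
"Policy errors: $script:policyErrors"
$script:chainInfo | Format-List   # an untrusted root is flagged UntrustedRoot

# 2. Import the root only if subject equals issuer and the fingerprint matches.
$path = (Resolve-Path $RootCerPath).Path
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [System.BitConverter]::ToString($sha256.ComputeHash($root.RawData)) -replace '-', ''
$expected = ($ExpectedRootSha256 -replace '[\s:]', '').ToUpper()
if ($root.Subject -ne $root.Issuer) { throw 'Certificate is not self-signed.' }
if ($actual -ne $expected) { throw "Fingerprint mismatch, not importing: $actual" }
# Assumption: machine-wide trust, which needs an elevated prompt.
Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root
```

Once a root is in Trusted Root Certification Authorities it can vouch for any site, which is why the fingerprint is checked before the import rather than after.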