LetsEncrypt certificate invalid/expired on Sep 30 2021 when it seemingly isn't, in PHPMailer, TLS, OpenSSL, file_get_contents

I had a problem with PHPMailer suddenly saying my certificate had expired and refusing to connect properly to port 587 with TLS encryption, from Oct 1 2021.

Changing the ssl flags to not verify_peer and not verify_peer_name will temporarily fix the email issue.

// Workaround from the question: this switches certificate verification off, so the
// TLS connection to the SMTP server is no longer authenticated. Temporary measure only.
$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer'       => false,
        'verify_peer_name'  => false,
        'allow_self_signed' => true,
    ),
);

But it's not an ideal solution.

If I go to the same server via port 80 and the web, there is nothing wrong with the certificate.

If I connect with OpenSSL command line it says the certificate expired on Sep 30 2021.

This problem also appears under the php command file_get_contents.

NOTE: This issue is PHPMailer and email specific and provides good information about PHPMailer; it should not be closed. It has nothing to do with docker or the other question it's associated with, other than the cause and fix being similar.
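The question reports three symptoms of one chain problem (PHPMailer on 587, `openssl s_client`, `file_get_contents`). Rather than turning `verify_peer` off, the first thing to do is look at the chain the SMTP server actually presents and then re-run the handshake with verification on. The script below is an added diagnostic example, not code from the question or from PHPMailer: it connects to an SMTP host on port 587, issues EHLO and STARTTLS by hand, captures the peer certificate chain with PHP's `capture_peer_cert_chain` context option, prints each certificate's expiry, and then repeats the handshake with `verify_peer` enabled against a CA bundle. The host name, port and bundle path are placeholders you replace.

```php
<?php
// Added diagnostic example; not code from the original question or from PHPMailer.
// Pass 1 connects without verification only to inspect the served chain; pass 2
// verifies the same chain against the local (or a supplied) CA bundle. Host, port
// and CA-bundle path below are assumptions.
declare(strict_types=1);

// Read one SMTP reply. "250-..." lines continue a multi-line reply; "250 ..." ends it.
function readSmtpReply($fp): string
{
    $reply = '';
    while (($line = fgets($fp, 512)) !== false) {
        $reply .= $line;
        if (strlen($line) >= 4 && $line[3] === ' ') {
            break;
        }
    }
    return $reply;
}

// Reduce a list of openssl_x509_parse() arrays to subject / issuer / expiry rows.
function summariseChain(array $parsed, int $now): array
{
    $rows = [];
    foreach ($parsed as $cert) {
        $rows[] = [
            'subject'  => $cert['subject']['CN'] ?? $cert['name'],
            'issuer'   => $cert['issuer']['CN'] ?? '?',
            'notAfter' => gmdate('Y-m-d', $cert['validTo_time_t']),
            'expired'  => $cert['validTo_time_t'] < $now,
        ];
    }
    return $rows;
}

// EHLO + STARTTLS against $host:$port. With $verify=false the chain is only captured;
// with $verify=true it is validated against $cafile (or PHP's default CA store).
function smtpStartTls(string $host, int $port, bool $verify, ?string $cafile = null): array
{
    $ssl = [
        'capture_peer_cert_chain' => true,
        'verify_peer'             => $verify,
        'verify_peer_name'        => $verify,
        'peer_name'               => $host,
    ];
    if ($cafile !== null) {
        $ssl['cafile'] = $cafile; // an up-to-date bundle instead of disabling verification
    }
    $ctx = stream_context_create(['ssl' => $ssl]);
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    readSmtpReply($fp);                         // 220 greeting
    fwrite($fp, "EHLO diagnostic.invalid\r\n");
    readSmtpReply($fp);
    fwrite($fp, "STARTTLS\r\n");
    $r = readSmtpReply($fp);
    if (strncmp($r, '220', 3) !== 0) {
        fclose($fp);
        throw new RuntimeException('server refused STARTTLS: ' . trim($r));
    }
    $ok    = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    $opts  = stream_context_get_params($fp)['options']['ssl'] ?? [];
    $chain = array_map('openssl_x509_parse', $opts['peer_certificate_chain'] ?? []);
    if ($ok === true) {
        fwrite($fp, "QUIT\r\n");
    }
    fclose($fp);
    return ['handshake_ok' => $ok === true, 'chain' => summariseChain($chain, time())];
}

$host   = $argv[1] ?? 'smtp.example.com';   // assumption: your SMTP host
$cafile = $argv[2] ?? null;                 // e.g. /etc/pki/tls/certs/ca-bundle.crt on CentOS

try {
    // Pass 1: inspect what the server sends, no verification.
    $peek = smtpStartTls($host, 587, false);
    foreach ($peek['chain'] as $c) {
        printf("%-40s issued by %-30s notAfter %s%s\n",
            $c['subject'], $c['issuer'], $c['notAfter'], $c['expired'] ? '  <-- EXPIRED' : '');
    }
    // Pass 2: same handshake with verification on.
    $check = smtpStartTls($host, 587, true, $cafile);
    echo $check['handshake_ok'] ? "chain verified OK\n" : "chain verification FAILED\n";
} catch (RuntimeException $e) {
    echo 'error: ', $e->getMessage(), "\n";
}
```

Reading the output: if every certificate in pass 1 is still in date but pass 2 fails (PHP also emits a warning from `stream_socket_enable_crypto`), the expired certificate is not one the server sent but one in the local trust store that OpenSSL used to complete the chain, which is exactly the case the accepted answer describes. Pointing `cafile` at a refreshed bundle in pass 2 shows whether updating the store alone fixes it, without touching `verify_peer`.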

Recommended answer

The issue here is a real expired authority cert embedded in the LetsEncrypt chain which really DID expire on Sep 30 2021.

From the openssl blog ... The currently recommended certificate chain as presented to Let’s Encrypt ACME clients when new certificates are issued contains an intermediate certificate (ISRG Root X1) that is signed by an old DST Root CA X3 certificate that expires on 2021-09-30. In some cases the OpenSSL 1.0.2 version will regard the certificates issued by the Let’s Encrypt CA as having an expired trust chain.

Read more here ... https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

It mainly affects OpenSSL 1.0.2. On my Mac with OpenSSL 1.1.1 I did not have the issue.

CentOS, and I'm sure others have provided fixes to this issue ...

Backup

cp -i /etc/pki/tls/certs/ca-bundle.crt ~/ca-bundle.crt-backup

Add certificate to blacklist directory

trust dump --filter "pkcs11:id=%c4%a7%b1%a4%7b%2c%71%fa%db%e1%4b%90%75%ff%c4%15%60%85%89%10" | openssl x509 | sudo tee /etc/pki/ca-trust/source/blacklist/DST-Root-CA-X3.pem

Update the root store

sudo update-ca-trust extract

Verify the removal

diff ~/ca-bundle.crt-backup /etc/pki/tls/certs/ca-bundle.crt

The CentOS specific steps above are from this post ... https://blog.devgenius.io/rhel-centos-7-fix-for-lets-encrypt-change-8af2de587fe4#:~:text=So%2C%20DST%20Root%20CA%20X3%20needs%20to%20be,The%20manual%20steps%20below%20are%20no%20longer%20necessary.

This is quite a crazy issue that appeared out of nowhere (unless you follow the openSSL blog).

Took me approx 1 day to track down, all the while no emails are being sent and large pieces of the web site not appearing.

Hope this points people in the right direction.

UPDATE: As pointed out by @hakre you may be able to get away with just ...

yum upgrade ca-certificates
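The answer's CentOS steps end with a `diff` of the old and new bundle, which shows that something changed but not what. The script below is an added example, not code from the answer or from the linked post: it reads a PEM CA bundle, parses every certificate with `openssl_x509_parse`, lists the ones that have already expired, and reports whether a CA with a given subject CN (here `DST Root CA X3`, the one the answer blacklists) is still present. The bundle path is the CentOS one quoted in the answer and can be overridden on the command line.

```php
<?php
// Added example; not from the original answer. Audits a PEM CA bundle after the
// blacklist / update-ca-trust / yum upgrade step: which certificates are expired,
// and is "DST Root CA X3" still in the store? Bundle path is the CentOS one from
// the answer and is an assumption for other distributions.
declare(strict_types=1);

// Split a bundle into individual PEM certificate blocks, ignoring any text between them.
function splitPemBundle(string $pem): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    return $m[0];
}

// Parse every certificate; collect expired ones and note whether $lookFor is present.
function auditBundle(string $pem, int $now, string $lookFor): array
{
    $result = ['total' => 0, 'unparseable' => 0, 'found' => false, 'expired' => []];
    foreach (splitPemBundle($pem) as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {
            $result['unparseable']++;
            continue;
        }
        $result['total']++;
        $cn = $info['subject']['CN'] ?? ($info['subject']['O'] ?? $info['name']);
        if ($cn === $lookFor) {
            $result['found'] = true;
        }
        if ($info['validTo_time_t'] < $now) {
            $result['expired'][] = ['subject' => $cn, 'notAfter' => gmdate('Y-m-d', $info['validTo_time_t'])];
        }
    }
    return $result;
}

$bundle = $argv[1] ?? '/etc/pki/tls/certs/ca-bundle.crt';
$pem = file_get_contents($bundle);
if ($pem === false) {
    fwrite(STDERR, "cannot read $bundle\n");
    exit(2);
}
$audit = auditBundle($pem, time(), 'DST Root CA X3');
printf("%d certificates (%d unparseable), %d expired, DST Root CA X3 %s\n",
    $audit['total'], $audit['unparseable'], count($audit['expired']),
    $audit['found'] ? 'STILL PRESENT' : 'absent');
foreach ($audit['expired'] as $e) {
    printf("  expired: %s (notAfter %s)\n", $e['subject'], $e['notAfter']);
}
exit($audit['found'] ? 1 : 0);
```

The exit status makes it usable after `update-ca-trust extract` or `yum upgrade ca-certificates` to confirm the old root really is gone. Note that an expired root in the bundle is only a problem for the OpenSSL 1.0.2 builds the answer mentions; on OpenSSL 1.1.1 and later the chain is built to ISRG Root X1 and the stale DST Root CA X3 entry is ignored, which matches the Mac observation above.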