fire/fox
火狐狸
火狐狸
  • UID32624
  • 注册日期2010-04-21
  • 最后登录2022-12-11
  • 发帖数157
  • 经验149枚
  • 威望0点
  • 贡献值162点
  • 好评度9点
  • 社区居民
  • 忠实会员
阅读:1944回复:5

无法更新,提示连接不安全

楼主#
更多 发布于:2018-09-24 20:05
帮助--关于,可以检查到有更新,但是更新失败,直接从官网下载安装包,提示连接不安全,如图。
以前一直正常的。最近两个版本就这样了,系统和网络设置从没变更过。

图片:捕获1.PNG




图片:捕获.PNG

aaaa007cn
千年狐狸
千年狐狸
  • UID23968
  • 注册日期2008-05-03
  • 最后登录2022-03-07
  • 发帖数1924
  • 经验1138枚
  • 威望1点
  • 贡献值232点
  • 好评度164点
1楼#
发布于:2018-09-24 20:26
这个证书错误一般和浏览器本身无关
要么是你被 MITM 中间人攻击了
要么是你那里的 DNS 解析出了错

查了下
segment.io 是解析到 aws 云的
download.mozilla.org 也是部署在 aws 云

瞎猜一下
你之前有没有手动设置过 download.mozilla.org 的 HOSTS?
nslookup download.mozilla.org 和 ping download.mozilla.org 的结果分别是什么
fire/fox
火狐狸
火狐狸
  • UID32624
  • 注册日期2010-04-21
  • 最后登录2022-12-11
  • 发帖数157
  • 经验149枚
  • 威望0点
  • 贡献值162点
  • 好评度9点
  • 社区居民
  • 忠实会员
2楼#
发布于:2018-09-25 00:59
从未手动设置过 download.mozilla.org 的 HOSTS
一直用的是谷歌DNS,刚才改成其他,可以更新了,https://www.mozilla.org/zh-CN/firefox/all/ 官网也可以直接下载,但奇怪的是,download.mozilla.org 仍然是 ping 不通的:
# nslookup download.mozilla.org
DNS request timed out.
    timeout was 2 seconds.
服务器:  UnKnown
Address:  fe80::1
 
非权威应答:
名称:    bouncer-bouncer-elb.prod.mozaws.net
Addresses:  34.212.44.210
          54.187.93.250
          52.35.227.82
Aliases:  download.mozilla.org
 
 
# ping download.mozilla.org
正在 Ping bouncer-bouncer-elb.prod.mozaws.net [18.214.197.113] 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。
 
18.214.197.113 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失)
yfdyh000
千年狐狸
千年狐狸
  • UID29079
  • 注册日期2009-06-07
  • 最后登录2022-05-18
  • 发帖数2262
  • 经验1390枚
  • 威望0点
  • 贡献值52点
  • 好评度139点
  • 社区居民
  • 最爱沙发
  • 忠实会员
3楼#
发布于:2018-09-25 02:02
fire/fox:从未手动设置过 download.mozilla.org 的 HOSTS
一直用的是谷歌DNS,刚才改成其他,可以更新了,https://www.mozilla.org/zh-CN/firefox/all/ 官网也可以直接下载,但奇怪的是...
回到原帖
我这里一样,服务器禁PING。访问 https://18.214.197.113/ 看到正确的证书(域名相符),没有问题。
fire/fox
火狐狸
火狐狸
  • UID32624
  • 注册日期2010-04-21
  • 最后登录2022-12-11
  • 发帖数157
  • 经验149枚
  • 威望0点
  • 贡献值162点
  • 好评度9点
  • 社区居民
  • 忠实会员
4楼#
发布于:2018-09-25 16:28
我这里直接打开 https://18.214.197.113/ 也是提示连接不安全,无法打开。
但是直接打开 https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=zh-CN 可以下载安装包。
问题只解决了一半,更换 DNS 可以下载和更新,但仍是不安全连接,
aaaa007cn
千年狐狸
千年狐狸
  • UID23968
  • 注册日期2008-05-03
  • 最后登录2022-03-07
  • 发帖数1924
  • 经验1138枚
  • 威望1点
  • 贡献值232点
  • 好评度164点
5楼#
发布于:2018-09-25 21:20
能不能 ping 通不是关键
用 ping 命令主要是看看实际连接的 ip 是什么,是不是和 nslookup 返回的一样

从你的返回结果来看
windows 的 dns 服务器设置的是 fe80::1
所以这是网关的 ipv6 地址?
nslookup 返回结果没什么问题
download.mozilla.org CNAME 指向 bouncer-bouncer-elb.prod.mozaws.net,然后 bouncer-bouncer-elb.prod.mozaws.net 解析到 3 个 ip
ping 连接的是 18.214.197.113 这个 ip,虽然不在 nslookup 返回的 3 个 ip 中,但也不算意外

用 openssl 或者 curl 可以验证这个 ip 上的证书确实是签给 download.mozilla.org 的
$ echo | openssl s_client -connect 18.214.197.113:443 -servername download.mozilla.org 2>/dev/null | openssl x509 -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:c1:d2:a4:f7:32:0f:02:b2:a2:91:49:6e:ea:f5:fb
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Nov 30 00:00:00 2016 GMT
            Not After : Feb  3 12:00:00 2020 GMT
        Subject: C = US, ST = California, L = Mountain View, O = Mozilla Corporation, OU = Cloud Services, CN = download.mozilla.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:9f:41:ab:33:f2:35:15:70:fe:3c:1e:cb:f4:
                    d4:00:18:20:bc:e0:ce:3f:d7:94:76:58:8a:1d:5e:
                    59:e4:0d:29:d9:1b:6e:76:bd:12:37:6a:72:5d:d1:
                    8c:25:ee:5b:74:60:24:25:48:b7:e4:79:72:7e:ab:
                    4f:3a:9c:5d:1f:83:70:9d:36:e1:26:1a:f3:16:ba:
                    a1:7a:14:c8:1d:fd:eb:2e:fb:e4:4a:c9:17:f5:83:
                    67:ee:11:73:ef:6d:db:d2:44:6d:1c:da:4d:8a:8a:
                    3f:55:db:ce:ec:ac:08:92:84:29:79:5b:38:0d:9a:
                    8d:2c:6c:eb:09:9a:db:fc:e3:04:8c:5a:74:8c:a8:
                    5e:9b:32:32:cd:e1:61:3e:9f:d9:5b:88:a3:29:dd:
                    f9:b9:b7:74:df:fa:12:99:7d:d0:76:da:53:b3:d4:
                    70:a0:4d:9d:dc:00:bf:74:05:29:12:3d:08:5b:55:
                    95:23:fd:6a:cb:34:22:d8:0b:b0:0f:19:1d:07:ec:
                    28:4b:1a:ab:f7:4e:36:93:d6:4d:84:6f:4b:0e:e3:
                    bc:53:48:5f:e4:7c:81:42:ea:32:70:2a:d6:34:a8:
                    bf:7e:93:c4:59:d9:37:12:35:36:e6:64:cd:b2:f6:
                    bc:a7:41:5d:8d:df:5b:69:a7:d3:6a:57:16:71:ba:
                    49:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

            X509v3 Subject Key Identifier: 
                FC:0B:AC:80:6B:24:ED:3F:DC:C6:15:25:7C:FA:AF:E3:9E:66:1E:64
            X509v3 Subject Alternative Name: 
                DNS:download.mozilla.org, DNS:bouncer-bouncer.prod.mozaws.net, DNS:bouncer-bouncer-elb.prod.mozaws.net
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/ssca-sha2-g5.crl

                Full Name:
                  URI:http://crl4.digicert.com/ssca-sha2-g5.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.1.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.2.2

            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com
                CA Issuers - URI:http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         d7:b1:88:dc:dd:cb:ad:25:8e:6c:10:5d:92:b8:d8:7e:e4:af:
         16:51:d0:83:0b:3f:d8:5d:1b:1c:4f:37:63:2f:a4:a3:b0:6e:
         fd:2f:84:f5:f3:e6:47:0d:1b:29:f1:f8:cb:d2:2d:e5:48:c3:
         d9:19:1b:d5:39:9f:ff:3a:64:5a:30:7f:ec:51:ad:a5:c2:e5:
         f7:21:13:bf:ee:c2:5b:cf:94:a2:92:3f:a9:a6:00:bd:79:06:
         70:9c:e8:bf:4d:91:0b:cb:64:66:df:37:d8:f7:81:a1:ef:40:
         6e:ed:b6:f8:30:b5:9d:d2:55:4d:e3:6a:01:7a:55:39:92:ef:
         37:a8:ea:70:2c:c7:b9:00:65:e5:e3:ce:11:a5:68:76:d7:68:
         9e:fe:8b:77:b2:4a:11:ff:8b:a2:b9:d6:11:d9:86:6c:14:4d:
         80:ac:94:55:a8:55:4e:5f:62:cb:7b:30:7e:c0:d7:ef:fc:54:
         7f:88:27:6e:9b:c2:03:b9:5a:21:cb:3b:b8:1c:e0:38:eb:10:
         da:35:ee:6e:9a:41:aa:fa:25:f8:8c:5a:97:5a:ae:2c:d7:6d:
         e8:b6:58:e7:bf:85:a4:7d:46:27:5d:77:78:d9:6b:50:07:41:
         7f:2d:2f:b4:8e:a6:75:fc:43:a6:65:d8:10:46:51:c2:26:b8:
         8e:75:a4:df
-----BEGIN CERTIFICATE-----
MIIFizCCBHOgAwIBAgIQBcHSpPcyDwKyopFJbur1+zANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTYxMTMwMDAwMDAwWhcN
MjAwMjAzMTIwMDAwWjCBkDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3Ju
aWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxHDAaBgNVBAoTE01vemlsbGEgQ29y
cG9yYXRpb24xFzAVBgNVBAsTDkNsb3VkIFNlcnZpY2VzMR0wGwYDVQQDExRkb3du
bG9hZC5tb3ppbGxhLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALmfQasz8jUVcP48Hsv01AAYILzgzj/XlHZYih1eWeQNKdkbbna9Ejdqcl3RjCXu
W3RgJCVIt+R5cn6rTzqcXR+DcJ024SYa8xa6oXoUyB396y775ErJF/WDZ+4Rc+9t
29JEbRzaTYqKP1XbzuysCJKEKXlbOA2ajSxs6wma2/zjBIxadIyoXpsyMs3hYT6f
2VuIoynd+bm3dN/6Epl90HbaU7PUcKBNndwAv3QFKRI9CFtVlSP9ass0ItgLsA8Z
HQfsKEsaq/dONpPWTYRvSw7jvFNIX+R8gULqMnAq1jSov36TxFnZNxI1NuZkzbL2
vKdBXY3fW2mn02pXFnG6SXUCAwEAAaOCAiEwggIdMB8GA1UdIwQYMBaAFA+AYRyC
MWHVLyjnjUY4tCzhxtniMB0GA1UdDgQWBBT8C6yAayTtP9zGFSV8+q/jnmYeZDBl
BgNVHREEXjBcghRkb3dubG9hZC5tb3ppbGxhLm9yZ4IfYm91bmNlci1ib3VuY2Vy
LnByb2QubW96YXdzLm5ldIIjYm91bmNlci1ib3VuY2VyLWVsYi5wcm9kLm1vemF3
cy5uZXQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF
BQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
c3NjYS1zaGEyLWc1LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNlcnQuY29t
L3NzY2Etc2hhMi1nNS5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZngQwBAgIw
fAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkq
hkiG9w0BAQsFAAOCAQEA17GI3N3LrSWObBBdkrjYfuSvFlHQgws/2F0bHE83Yy+k
o7Bu/S+E9fPmRw0bKfH4y9It5UjD2Rkb1Tmf/zpkWjB/7FGtpcLl9yETv+7CW8+U
opI/qaYAvXkGcJzov02RC8tkZt832PeBoe9Abu22+DC1ndJVTeNqAXpVOZLvN6jq
cCzHuQBl5ePOEaVodtdonv6Ld7JKEf+LornWEdmGbBRNgKyUVahVTl9iy3swfsDX
7/xUf4gnbpvCA7laIcs7uBzgOOsQ2jXubppBqvol+Ixal1quLNdt6LZY57+FpH1G
J113eNlrUAdBfy0vtI6mdfxDpmXYEEZRwia4jnWk3w==
-----END CERTIFICATE-----


$ curl https://download.mozilla.org/ --resolve download.mozilla.org:443:18.214.197.113 -v
* Added download.mozilla.org:443:18.214.197.113 to DNS cache
* Hostname download.mozilla.org was found in DNS cache
*   Trying 18.214.197.113...
* TCP_NODELAY set
* Connected to download.mozilla.org (18.214.197.113) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Mozilla Corporation; OU=Cloud Services; CN=download.mozilla.org
*  start date: Nov 30 00:00:00 2016 GMT
*  expire date: Feb  3 12:00:00 2020 GMT
*  subjectAltName: host "download.mozilla.org" matched cert's "download.mozilla.org"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: download.mozilla.org
> User-Agent: curl/7.52.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Content-Type: text/html; charset=utf-8
< Date: Tue, 25 Sep 2018 12:54:53 GMT
< Location: http://www.mozilla.org/
< Content-Length: 46
< Connection: keep-alive
< 
<a href="http://www.mozilla.org/">Found</a>.

* Curl_http_done: called premature == 0
* Connection #0 to host download.mozilla.org left intact

注意证书的 CN(Common Name)字串

至于直接访问 https://18.214.197.113/ 提示证书错误
这是因为证书只签给了 download.mozilla.org、bouncer-bouncer.prod.mozaws.net、bouncer-bouncer-elb.prod.mozaws.net 这仨域名
和访问用的 ip 18.214.197.113 不一样
所以错误 Error code: SSL_ERROR_BAD_CERT_DOMAIN
一般证书也不会直接签给 ip

那么你现在网关上设置了哪个上游 DNS?
改回 Google DNS 看看解析到了哪个 ip 导致变成 segment.io 的证书?
游客

返回顶部