Curl_easy_perform failed Peer certificate cannot be authenticated with given CA certificates

Categories: centos, curl, yum. Posted on 2021-11-26

Today I powered up a few single-board computers that had been sitting idle for a while.

Two of them run Rocky Linux and one runs Ubuntu Server 20.

Running a yum update on the Raspberry Pi produced an error.

It reported a CA error, but then it occurred to me that the Raspberry Pi has no RTC battery and therefore no hardware clock, so the error was very likely caused by a wrong system time.

So I looked into how to synchronize the time. CentOS 8 and Rocky Linux 8 no longer ship ntpdate by default; they use chrony for time synchronization. chrony is an implementation of the NTP protocol and is simpler to use.

Only the following configuration is needed:

systemctl enable chronyd.service
systemctl start chronyd.service
systemctl status chronyd.service

which shows:

● chronyd.service - NTP client/server
   Loaded: loaded (/usr/lib/systemd/system/chronyd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2018-06-22 11:11:53 UTC; 16h ago
     Docs: man:chronyd(8)
           man:chrony.conf(5)
 Main PID: 270 (chronyd)
    Tasks: 1 (limit: 11407)
   CGroup: /system.slice/chronyd.service
           └─270 /usr/sbin/chronyd

At this point the time still has not been synchronized; we need to edit the configuration file

/etc/chrony.conf

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (//www.pool.ntp.org/join.html).
# Comment out the default server:
#pool 2.pool.ntp.org iburst
# Add Alibaba Cloud and the National Time Service Center:
server ntp.aliyun.com iburst
server ntp.ntsc.ac.cn iburst

Check the sources:

[root@node3 yum.repos.d]# chronyc sourcestats -v
210 Number of sources = 2
                             .- Number of sample points in measurement set.
                            /    .- Number of residual runs with same sign.
                           |    /    .- Length of measurement set (time).
                           |   |    /      .- Est. clock freq error (ppm).
                           |   |   |      /           .- Est. error in freq.
                           |   |   |     |           /         .- Est. offset.
                           |   |   |     |          |          |   On the -.
                           |   |   |     |          |          |   samples. \
                           |   |   |     |          |          |             |
Name/IP Address            NP  NR  Span  Frequency  Freq Skew  Offset  Std Dev
==============================================================================
203.107.6.88                4   3     6   +246.828   4770.108   +217us   566us
114.118.7.161               3   3     6   +500.884     218244    +18ms  1077us

Now let's check whether the time is correct

[root@node3 yum.repos.d]# timedatectl
               Local time: 五 2021-11-26 02:05:36 UTC
           Universal time: 五 2021-11-26 02:05:36 UTC
                 RTC time: n/a
                Time zone: UTC (UTC, +0000)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

[root@node1 ~]# timedatectl
               Local time: Thu 2021-11-25 21:20:39 EST
           Universal time: Fri 2021-11-26 02:20:39 UTC
                 RTC time: Fri 2021-11-26 02:20:39
                Time zone: America/New_York (EST, -0500)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

The time is now right, but the time zone is not, so we set the time zone and check the time again

[root@node3 yum.repos.d]# timedatectl set-timezone Asia/Shanghai
[root@node3 yum.repos.d]# timedatectl
               Local time: 五 2021-11-26 10:06:43 CST
           Universal time: 五 2021-11-26 02:06:43 UTC
                 RTC time: n/a
                Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
              NTP service: active
          RTC in local TZ: no

OK, let's try yum makecache again

[root@node3 yum.repos.d]# yum makecache
Rocky Linux 8 - AppStream                       4.6 MB/s | 7.0 MB     00:01
Rocky Linux 8 - BaseOS                          2.6 MB/s | 2.9 MB     00:01
Rocky Linux 8 - Extras                          643 kB/s | 322 kB     00:00
元数据缓存已建立。

OK, problem solved.
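The sequence above (wait for chrony, confirm the clock with timedatectl, only then run yum) can be turned into a pre-flight check for nodes without an RTC. This is an added example, not part of the original post; FLOOR_EPOCH and the two timedatectl samples are constructed for it.

```shell
#!/bin/sh
# Pre-flight check for an RTC-less node (the Raspberry Pi case above): refuse
# to run package updates until the clock is plausible and chrony reports sync.
# FLOOR_EPOCH is a constructed lower bound (2021-11-26 00:00:00 UTC); in real
# use pick the build date of the image or of /etc/chrony.conf.
FLOOR_EPOCH=1637884800

# clock_is_sane NOW_EPOCH FLOOR_EPOCH: succeeds when NOW is not before FLOOR.
# A clock that booted at 1970 without an RTC fails here, which is the state
# that makes every CA certificate look "not yet valid" to curl/yum.
clock_is_sane() {
    [ "$1" -ge "$2" ]
}

# ntp_synced TIMEDATECTL_OUTPUT: succeeds when timedatectl reports
# "System clock synchronized: yes".
ntp_synced() {
    printf '%s\n' "$1" | grep -q 'System clock synchronized: *yes'
}

# preflight NOW_EPOCH TIMEDATECTL_OUTPUT: succeeds only when both checks pass.
preflight() {
    if ! clock_is_sane "$1" "$FLOOR_EPOCH"; then
        echo "clock is before $FLOOR_EPOCH; wait for chrony" >&2
        return 1
    fi
    if ! ntp_synced "$2"; then
        echo "clock is not NTP-synchronized yet" >&2
        return 1
    fi
    return 0
}

# Constructed timedatectl samples: after chrony synced, and right after boot.
SAMPLE_SYNCED='Local time: Fri 2021-11-26 10:06:43 CST
Universal time: Fri 2021-11-26 02:06:43 UTC
RTC time: n/a
Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
NTP service: active'
SAMPLE_UNSYNCED='Local time: Thu 1970-01-01 00:00:12 UTC
RTC time: n/a
System clock synchronized: no
NTP service: active'

# Real use on the node: preflight "$(date +%s)" "$(timedatectl)" && yum makecache
```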

Copyright notice: this is an original article by the blogger, licensed under CC 4.0 BY-SA; when reposting, please include a link to the original and this notice.

Here are some details that may help to understand the situation better.

There are 2 machines involved here. One machine acts as a server (let's say Server-1) where PlayReady is hosted, and there is one more machine, let's say Client-1, where we run the packager.

In Server-1 we did the following -

  1. Created a self-signed root CA certificate (let's say CA-1).
  2. Added this to the trusted store (via mmc as it's a Windows machine).
  3. Generated a client certificate, let's say C1.
  4. Configured C1 in IIS as oneToOneMappings.
  5. Shared the C1 to Client-1.

(Referred to this article for setting this up)

In Client-1 we did the following -

  1. Ran the packager with the following command (parameters as per the example given) -

packager-win.exe input=h264_baseline_360p_600.mp4,stream=audio,output=audio.mp4 input=h264_baseline_360p_600.mp4,stream=video,output=h264_360p.mp4 --enable_playready_encryption --program_identifier "ae052c33-5ac4-4d84-96c7-ecdc322e3e72" --playready_server_url "//Server-1-IP/PlayReadyNew/rightsmanager.asmx" --client_cert_file "C1.cer" --client_cert_private_key_file "CA-1.pvk" --client_cert_private_key_password "CA-1 password" --ca_file "CA-1.cer" --mpd_output manifest.mpd

Note: Both server and client are in the same private network.

With this we get the "Peer certificate cannot be authenticated with given CA certificates." error as mentioned in the OP.

We used both Windows and Linux machines as the client to create the package and get the same error.

As a diagnostic step, we tried the following curl command on Client-1
curl -v --cacert CA-1.cer //Server-1-IP/PlayReadyNew/rightsmanager.asmx
and we get the following error for this

*   Trying 192.168.1.12...
* TCP_NODELAY set
* Connected to 192.168.1.12 (192.168.1.12) port 443 (#0)
* schannel: SSL/TLS connection with 192.168.1.12 port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: using IP address, SNI is not supported by OS.
* schannel: sending initial handshake data: sending 156 bytes...
* schannel: sent initial handshake data: sent 156 bytes
* schannel: SSL/TLS connection with 192.168.1.12 port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with 192.168.1.12 port 443 (step 2/3)
* schannel: encrypted data got 1221
* schannel: encrypted data buffer: offset 1221 length 4096
* schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with 192.168.1.12 port 443
* schannel: clear security context handle
curl: (77) schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Let me know if you need any other information.

How do I fix peer certificate Cannot be authenticated with given CA certificates?

It can be caused by the fact that the certificate is self-signed. To avoid the error, disable the verification from the GitHub side by clicking the Disable SSL verification button for the corresponding webhook.

How do I add a certificate to ETC PKI TLS certs CA bundle CRT?

Linux (CentOS 6):
  1. Install the ca-certificates package: yum install ca-certificates
  2. Enable the dynamic CA configuration feature: update-ca-trust force-enable
  3. Add the certificate as a new file to /etc/pki/ca-trust/source/anchors/: cp foo.crt /etc/pki/ca-trust/source/anchors/
  4. Run: update-ca-trust extract

How do I fix curl Error 60?

Solution:
  1. Save the cacert.pem file anywhere on your system. Example: Since you're modifying both php. ...
  2. Open your php.ini file. If your php.ini file doesn't have the curl.cainfo line, just add it to the end of the file, then add the file path where you saved your cacert.pem file: ...
  3. Restart your server.
