It started because I wanted to connect to my dokuwiki over xml-rpc to edit pages. The site uses https with a self-signed certificate, and I had done the following beforehand:
(require 'gnutls)
;; add the self-signed server certificate to the files GnuTLS trusts
(add-to-list 'gnutls-trustfiles "/Users/strong/.doom.d/trust.crt")
(require 'dokuwiki)
;; xml-rpc endpoint of the wiki
(setq dokuwiki-xml-rpc-url "https://my.website")
Then it reported that the x509 certificate did not match. Next I modified tls-program directly:
;; command template used by tls.el; %h and %p are replaced with host and port
(setq tls-program '("openssl s_client -connect %h:%p -CAfile /Users/strong/.doom.d/trust.crt"))
openssl verifies fine on the command line, but I still could not connect; the error was:
Debugger entered--Lisp error: (error "The x509 certificate does not match \"x.x.x.x\"")
gnutls-boot(#<process tls> gnutls-x509pki (:complete-negotiation t :priority "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" :hostname "x.x.x.x" :loglevel 0 :min-prime-bits 3072 :trustfiles ("/Users/strong/.doom.d/trust.crt" "/etc/ssl/cert.pem") :crlfiles nil :keylist nil :verify-flags nil :verify-error t :callbacks nil))
gnutls-negotiate(:process #<process tls> :type gnutls-x509pki :hostname "x.x.x.x")
open-gnutls-stream("tls" #<buffer babel.el> "x.x.x.x" 443 nil)
(progn (open-gnutls-stream "tls" (current-buffer) "x.x.x.x" 443 nil))
eval((progn (open-gnutls-stream "tls" (current-buffer) "x.x.x.x" 443 nil)) t)
Finally I found that emacs probably verifies with its built-in gnutls, so I tested with gnutls-cli, and verification fails on the command line too. Strangely, when I verified with GitHub's certificate, it failed the same way:
➜ .doom.d gnutls-cli --x509cafile=github.crt www.github.com -p 443
|<1>| There was a non-CA certificate in the trusted list: C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com.
Processed 1 CA certificate(s).
Resolving 'www.github.com:443'...
Connecting to '192.30.255.112:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
- subject `CN=github.com,O=GitHub\, Inc.,L=San Francisco,ST=California,C=US', issuer `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0557c80b282683a17b0a114493296b79, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-05-05 00:00:00 UTC', expires `2022-05-10 12:00:00 UTC', pin-sha256="4PhpWPCTGkqmmjRFussirzvNSi4LjL7WWhUSAVFIXDc="
Public Key ID:
sha1:b255b18a964ca1367988026d549ef9ba71493bf3
sha256:e0f86958f0931a4aa69a3445bacb22af3bcd4a2e0b8cbed65a15120151485c37
Public Key PIN:
pin-sha256:4PhpWPCTGkqmmjRFussirzvNSi4LjL7WWhUSAVFIXDc=
- Certificate[1] info:
- subject `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x04e1e7a4dc5cf2f36dc02b42b85d159f, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate..
➜ .doom.d echo $?
1
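The two failures above come from two different checks, and the script below (an added example written for this page, not code from the post or from Emacs, GnuTLS or dokuwiki) reproduces both offline with openssl so they can be told apart. Everything it builds is throwaway: the address 192.0.2.10, the unrelated address 192.0.2.99, the name my.website and all file names are hypothetical. It shows, first, that a trust file has to hold a certificate that can act as issuer: the CA, or the server certificate itself when it is self-signed (`openssl req -x509` marks those CA:TRUE by default). Handing over a leaf certificate instead is what gnutls-cli's "non-CA certificate in the trusted list" warning and its "issuer is unknown" status are saying about github.crt; openssl reports the same thing as "unable to get local issuer certificate" unless `-partial_chain` is given. Second, the certificate must name the address the client dials, which for Emacs here was x.x.x.x: the script's `-verify_ip` check only matches iPAddress entries in subjectAltName, so a certificate whose CN is my.website does not satisfy a connection to an IP. One caveat that follows from the backtrace: `open-gnutls-stream` is Emacs's built-in GnuTLS path, and `tls-program` is only consulted by the external-process fallback in tls.el, so changing it has no effect on this connection.

```shell
#!/bin/sh
# Added example; not from the original post. Builds throwaway certificates
# with openssl and runs the checks that separate the two failures seen above:
# a trust file holding a leaf instead of its issuer (the gnutls-cli run with
# github.crt) and a certificate that does not name the address being dialed
# (the "does not match x.x.x.x" error). IPs, CN and paths are hypothetical.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST_IP=192.0.2.10      # hypothetical address the client connects to
OTHER_IP=192.0.2.99     # hypothetical address that no certificate names

# Self-signed server certificate listing HOST_IP in subjectAltName; this is
# the shape a self-signed wiki certificate needs when Emacs connects by IP.
# openssl req -x509 adds basicConstraints CA:TRUE, so it is its own issuer.
make_self_signed() {  # $1 = cert out, $2 = key out, $3 = SAN entry
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=my.website" -addext "subjectAltName=$3" \
    -keyout "$2" -out "$1" >/dev/null 2>&1
}

# A private CA plus a CA:FALSE leaf it issues, to show what happens when the
# leaf rather than the CA is used as the trust file.
make_ca_and_leaf() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=my.website" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=IP:%s\n' "$HOST_IP" \
    >"$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Is this PEM a CA certificate (basicConstraints CA:TRUE)? This is the test
# behind gnutls-cli's "non-CA certificate in the trusted list" warning.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Chain check only: does $2 chain to a self-signed anchor found in $1?
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Same, but a trusted non-root certificate (e.g. the pinned leaf) suffices.
verify_chain_partial() {
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# Chain check plus the name check a TLS client performs: $3 must appear as
# an iPAddress subjectAltName of $2; the CN is not consulted for IPs.
verify_for_ip() {
  openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1
}

make_self_signed "$WORK/self.crt" "$WORK/self.key" "IP:$HOST_IP"
make_ca_and_leaf

# Stand-alone run: print each check and whether it passed.
report() { if "$@"; then echo "pass: $*"; else echo "fail: $*"; fi; }
report is_ca_cert "$WORK/ca.crt"
report is_ca_cert "$WORK/leaf.crt"                                 # fails: CA:FALSE
report verify_chain "$WORK/ca.crt" "$WORK/leaf.crt"
report verify_chain "$WORK/leaf.crt" "$WORK/leaf.crt"              # fails: issuer unknown
report verify_chain_partial "$WORK/leaf.crt" "$WORK/leaf.crt"
report verify_for_ip "$WORK/self.crt" "$WORK/self.crt" "$HOST_IP"
report verify_for_ip "$WORK/self.crt" "$WORK/self.crt" "$OTHER_IP"  # fails: IP mismatch
```

Run it against a real deployment by replacing the generated files with the certificate the server actually serves (`openssl s_client -connect host:443 -showcerts`) and the file named in gnutls-trustfiles; the chain check tells you whether the trust file contains an issuer, and the `-verify_ip` or, for a DNS name, `-verify_hostname` check tells you whether the certificate names what Emacs dials. If certtool is installed, GnuTLS's own verifier gives the same offline answer with `certtool --verify --load-ca-certificate ca.crt --infile leaf.crt`.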