Expired Certificates

Troubleshooting Expired Certificates Issues

Let's Encrypt Root Certificate expired on September 30th and this change is causing some issues. We explain the possible problems below and also how to solve them.

This is not an issue with Meteor or Galaxy, but a natural process if you are using Let's Encrypt's generated certificates.

Can't run Meteor commands

Galaxy and all Meteor servers use Let's Encrypt, which announced a change in May in this post about DST Root CA X3 expiring on September 30, 2021.

Older versions of Meteor, more specifically anything older than Meteor v1.9, shipped with a Node.JS version below v10, which used OpenSSL < 1.0.2.

If you are getting errors like Connection error (certificate has expired) when running Meteor commands, it means that you are running a version of Meteor older than v1.9.

A workaround, for now, is to run all the meteor commands with the environment variable NODE_TLS_REJECT_UNAUTHORIZED set to 0, for example in the deploy command:

```bash
NODE_TLS_REJECT_UNAUTHORIZED=0 meteor deploy
```

Also note that if you are running old distributions, like Ubuntu 16 and before, locally or in any of your CI pipelines, you may also face this issue. In this case, we do recommend updating your distribution, or your local repository of root certificates (the how-to for this varies based on your distribution).

This is not a Meteor or Galaxy issue, but a change in the Let's Encrypt certificate in our resources that you are accessing.
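Before reaching for the workaround it helps to confirm that the runtime actually falls into the affected range described above (Node.js below v10, or an OpenSSL older than 1.0.2). The script below is an added example, not part of the Galaxy documentation or the Meteor tool; it reads `process.versions`, which every Node.js release exposes, and the version strings passed to it in the comments are constructed samples. The `checkRuntime` and `parseVersion` names are this example's own.

```javascript
// Added example: report whether this Node.js runtime is in the range the docs
// describe as failing with "certificate has expired" (Node < 10 or OpenSSL < 1.0.2).

// Parse the leading dotted numbers of a version string such as "8.17.0" or
// "1.0.2k" into [major, minor, patch]. OpenSSL 1.x appends a patch letter
// ("k", "u", ...) and some builds add suffixes like "+quic"; both are ignored.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(str));
  if (!m) throw new Error(`unparseable version: ${str}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] || 0)];
}

// Compare two parsed versions component by component: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Takes an object shaped like process.versions ({ node, openssl, ... }) and
// returns a report. "affected" is true when either condition from the text holds.
function checkRuntime(versions) {
  const node = parseVersion(versions.node);
  const openssl = parseVersion(versions.openssl);
  const oldNode = node[0] < 10;
  const oldOpenssl = compareVersions(openssl, [1, 0, 2]) < 0;
  return {
    node: versions.node,
    openssl: versions.openssl,
    oldNode,
    oldOpenssl,
    affected: oldNode || oldOpenssl,
  };
}

// Run against the live runtime, e.g. `node check-runtime.js`.
const liveReport = checkRuntime(process.versions);
console.log(JSON.stringify(liveReport, null, 2));
if (liveReport.affected) {
  console.log('Runtime is in the affected range; update to Meteor 1.9 or newer (Node.js 12) rather than disabling verification.');
}

// Constructed sample inputs (not real measurements):
//   { node: '8.17.0',   openssl: '1.0.1u' } -> affected (old Node and old OpenSSL)
//   { node: '12.22.12', openssl: '1.1.1l' } -> not affected
```

Run it with the `meteor node` shipped by the Meteor release you are troubleshooting so that it inspects the bundled runtime rather than a system Node.js.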

Requests failing

If your server is accessing external resources where the target host is using Let's Encrypt certificates and your app is running an old Meteor version, you will also need to add NODE_TLS_REJECT_UNAUTHORIZED to your server environment variables.

If you are using Galaxy, it's as simple as adding this to your settings file:

```json
{
  "galaxy.meteor.com": {
    "env": {
      "NODE_TLS_REJECT_UNAUTHORIZED": "0"
    }
  }
}
```

Please note: We don't recommend continued use of this workaround, as any SSL certificate will be accepted and you are exposing your application to serious security issues. The best option is to update Meteor to the latest version, or at least Meteor 1.9, as it is the first using Node.js 12.

You can check our list of supported Meteor versions here. If your application is not on it, you should migrate as soon as possible.

This is not a Meteor or Galaxy issue, but a change in the Let's Encrypt certificate in the external resource that you are accessing.
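Because the workaround is meant to be temporary, it is worth being able to find it again later. The following is an added example, not code from the Galaxy documentation or the Meteor project: it audits a settings object in the layout shown above (a per-app key such as `galaxy.meteor.com` with an `env` map) for `NODE_TLS_REJECT_UNAUTHORIZED`, shows the hardened settings beside the weak ones, and strips the workaround once the app has been updated. Both settings objects are constructed samples; `app.example.test` is a placeholder hostname.

```javascript
// Added example: audit Galaxy settings for the NODE_TLS_REJECT_UNAUTHORIZED workaround.

// Weak: the workaround from the docs. Node.js disables certificate verification
// for every outbound TLS connection when this variable is exactly the string "0",
// not just for peers whose chain ends in the expired DST Root CA X3.
const weakSettings = {
  'galaxy.meteor.com': {
    env: { NODE_TLS_REJECT_UNAUTHORIZED: '0' },
  },
};

// Hardened: the variable is absent, so verification stays on. The accompanying
// fix is the one the docs recommend: run Meteor 1.9+ (Node.js 12) so the bundled
// OpenSSL can validate chains anchored at ISRG Root X1.
const hardenedSettings = {
  'galaxy.meteor.com': {
    env: { ROOT_URL: 'https://app.example.test' }, // constructed placeholder
  },
};

// Walk every app entry and collect findings. Only the exact value "0" is the
// verification bypass Node.js recognises, so that is reported as critical; any
// other value is surfaced as informational because its presence is still unusual.
function auditSettings(settings) {
  const findings = [];
  for (const [app, cfg] of Object.entries(settings)) {
    const env = (cfg && cfg.env) || {};
    if (!Object.prototype.hasOwnProperty.call(env, 'NODE_TLS_REJECT_UNAUTHORIZED')) continue;
    const value = String(env.NODE_TLS_REJECT_UNAUTHORIZED);
    findings.push({
      app,
      value,
      severity: value === '0' ? 'critical' : 'info',
      message: value === '0'
        ? 'TLS certificate verification is disabled for all outbound connections'
        : 'NODE_TLS_REJECT_UNAUTHORIZED is set; only the value "0" disables verification',
    });
  }
  return findings;
}

// Return a copy of the settings with the workaround removed and nothing else changed.
function stripWorkaround(settings) {
  const out = JSON.parse(JSON.stringify(settings));
  for (const cfg of Object.values(out)) {
    if (cfg && cfg.env) delete cfg.env.NODE_TLS_REJECT_UNAUTHORIZED;
  }
  return out;
}

console.log('weak settings:', JSON.stringify(auditSettings(weakSettings)));
console.log('hardened settings:', JSON.stringify(auditSettings(hardenedSettings)));
console.log('after strip:', JSON.stringify(stripWorkaround(weakSettings)));
```

To check a real settings file, parse it with `JSON.parse(fs.readFileSync(path, 'utf8'))` and pass the result to `auditSettings`; a non-empty list of critical findings is the signal that the deployment is still relying on the workaround.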

Client Compatibility

As stated before, Galaxy issues Let's Encrypt certificates automatically for all clients. This is a source of confusion: if you depend on older clients being able to access your website, this won't work.

If Let's Encrypt certificates are not suitable for your clients, you would need to acquire a certificate from a different provider and upload your custom certificate to Galaxy.

You can also generate a Let's Encrypt certificate manually and upload it to Galaxy, but specifying an alternative preferred chain on certbot:

```bash
sudo certbot certonly --manual --preferred-chain "ISRG Root X1" --preferred-challenges dns
```

More info can be obtained here.

If you are using Galaxy, you need to follow the requirements and steps here after generating the certificate. Galaxy only accepts custom certs in .pem format, the same as nginx uses.

This is not a Meteor or Galaxy issue, but a change in the Let's Encrypt certificate you are using.
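After uploading a certificate generated with `--preferred-chain "ISRG Root X1"`, the thing to verify is which chain the server actually sends, since that is what decides whether an old client walks up to the expired DST Root CA X3. The script below is an added example and not part of the Galaxy documentation: it parses the "Certificate chain" section that `openssl s_client -showcerts` prints and reports the chain's anchor. The two captures embedded in it are constructed samples that mirror the s_client layout (a numbered `s:` subject line followed by an `i:` issuer line); `app.example.test` is a placeholder, and `parseChain` and `classifyChain` are names chosen for this example.

```javascript
// Added example: inspect the chain a server serves, from `openssl s_client` output.

// Constructed sample: the long chain that ends at the expired DST Root CA X3 cross-sign.
const sampleLongChain = `
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = app.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
`;

// Constructed sample: the short chain obtained with --preferred-chain "ISRG Root X1".
const sampleShortChain = `
Certificate chain
 0 s:CN = app.example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
`;

// Collect the numbered subject/issuer pairs. The issuer line directly follows
// the subject line in both OpenSSL 1.x and 3.x output, so later "a:" / "v:"
// detail lines printed by newer versions are ignored.
function parseChain(text) {
  const lines = text.split('\n');
  const certs = [];
  for (let i = 0; i < lines.length; i++) {
    const s = /^\s*(\d+)\s+s:(.*)$/.exec(lines[i]);
    if (!s) continue;
    const iss = /^\s*i:(.*)$/.exec(lines[i + 1] || '');
    certs.push({ depth: Number(s[1]), subject: s[2].trim(), issuer: iss ? iss[1].trim() : '' });
  }
  return certs;
}

// Extract the CN from either DN layout s_client uses: "C = US, CN = R3" or "/C=US/CN=R3".
function cnOf(dn) {
  const m = /CN\s*=\s*([^,/]+)/.exec(dn);
  return m ? m[1].trim() : dn;
}

// The anchor is the issuer of the last certificate the server sent. A chain
// whose anchor is DST Root CA X3 is the one that breaks the clients listed below.
function classifyChain(certs) {
  if (certs.length === 0) {
    return { depth: 0, leaf: null, anchor: null, servesExpiredCrossSign: false };
  }
  const anchor = cnOf(certs[certs.length - 1].issuer);
  return {
    depth: certs.length,
    leaf: cnOf(certs[0].subject),
    anchor,
    servesExpiredCrossSign: anchor === 'DST Root CA X3',
  };
}

console.log('long chain:', JSON.stringify(classifyChain(parseChain(sampleLongChain))));
console.log('short chain:', JSON.stringify(classifyChain(parseChain(sampleShortChain))));
```

To check a live host, capture the output with `openssl s_client -connect HOST:443 -servername HOST -showcerts < /dev/null > chain.txt`, read the file with `fs.readFileSync('chain.txt', 'utf8')` and pass it to `parseChain`. A result with `servesExpiredCrossSign: true` means the uploaded certificate still carries the long chain and the client list below applies.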

Clients known not to work

Here is a succinct list of clients known not to work:

  • Mac OS X prior to 10.12.1. Any browser, except Firefox, which bundles its own root certificates, won't work.

  • Node.JS HTTP requests prior to v10. This includes any Meteor version prior to 1.9 (except).

  • Any client using OpenSSL 1.0.2 and before.

Please note that this is not an exhaustive list, but based on our reports and experience.

This is not a Meteor or Galaxy issue, but a change in the Let's Encrypt certificate you are using.