Installing wps-office from the opensuse_zh repo fails with a certificate issuer error

ryan@MiWiFi-RM1800-srv:~> sudo zypper install wps-office       
正在加载软件源数据...
正在读取已安装的软件包...
正在解决软件包依赖关系...

将安装以下 1 个新软件包:
  wps-office

1 个软件包将新装.
总下载大小:7.4 MiB。已缓存:0 B。 操作完成后,将使用额外的 8.0 MiB。
继续吗? [y/n/v/...? 显示全部选项] (y): y
正在撷取 软件包 wps-office-11.1.0.9662-lp152.5.1.x86_64                                             (1/1),   7.4 MiB(解压后   8.0 MiB)
正在检索: wps-office-11.1.0.9662-lp152.5.1.x86_64.rpm ..............................................................[完毕 (643.6 KiB/s)]

正在检查文件冲突: ................................................................................................................[完毕]
(1/1) 正在安装:wps-office-11.1.0.9662-lp152.5.1.x86_64 ...........................................................................[完毕]
正在运行:wps-office-11.1.0.9662-lp152.5.1-wps-office.sh.in.txt  (wps-office, /var/adm/update-scripts)
Downloading binary data from https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm (200+ mb), it may take some time.

01/03 11:49:13 [NOTICE] Downloading 1 item(s)

01/03 11:49:13 [ERROR] CUID#7 - Download aborted. URI=https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
  -> [SocketCore.cc:1015] errorCode=1 SSL/TLS handshake failure:  `not signed by known authorities or invalid' `issuer is not known'

01/03 11:49:13 [NOTICE] Download GID#1b4ae80c7d699f20 not complete: //tmp/wps-office_11.1.0.9662-1_x86_64/wps-office-11.1.0.9662-1.x86_64.rpm

Download Results:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
1b4ae8|ERR |       0B/s|//tmp/wps-office_11.1.0.9662-1_x86_64/wps-office-11.1.0.9662-1.x86_64.rpm

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.
cmd.Run() failed with exit status 1
exit status 1
命令退出,状态 1。
中止、重试、还是忽略呢? [a/r/i] (a): 
安装/移除以下软件包期间或之后发生问题:
安装已按指示中止。
请参考以上错误消息汲取灵感。

I copied the wps-office download link out of the error message; downloading and installing it manually works fine:

wget https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
sudo zypper install wps-office-11.1.0.9662-1.x86_64.rpm 

Strangely, when I tested by hand, wget and curl could both download this rpm normally; only aria2c errors out as soon as it starts downloading.

The test log follows:

ryan@MiWiFi-RM1800-srv:~/temp> aria2c https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm --ca-certificate /etc/ssl/ca-bundle.pem 

01/03 12:11:48 [NOTICE] Downloading 1 item(s)

01/03 12:11:48 [ERROR] CUID#7 - Download aborted. URI=https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
Exception: [AbstractCommand.cc:351] errorCode=1 URI=https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
  -> [SocketCore.cc:1015] errorCode=1 SSL/TLS handshake failure:  `not signed by known authorities or invalid' `issuer is not known'

01/03 12:11:48 [NOTICE] GID 为 21b0257cc9d6f2aa 的下载项未完成:

下载结果:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
21b025|ERR |       0B/s|https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm

状态标识:
(ERR):发生错误。

传输重启之后,aria2 将继续下载。
如果发生任何错误,请参阅日志文件。要了解详细信息,请在 help/man 页面中参阅 “-l” 选项。
ryan@MiWiFi-RM1800-srv:~/temp> wget https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
--2021-01-03 12:11:52--  https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
正在连接 127.0.0.1:8889... 已连接。
已发出 Proxy 请求,正在等待回应... 200 OK
长度:312553010 (298M) [application/x-redhat-package-manager]
正在保存至: “wps-office-11.1.0.9662-1.x86_64.rpm”

wps-office-11.1.0.9662-1.x86_64.rp   3%[=>                                                            ]  11.80M  2.29MB/s  剩余 2m 3s   ^C

ryan@MiWiFi-RM1800-srv:~/temp> curl -o wps-office.rpm https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  1  298M    1 5007k    0     0  2347k      0  0:02:10  0:00:02  0:02:08 2346k^C

What you describe sounds like:

@ryan4yin

Running the download command with aria2c 1.35 works fine for me

/usr/bin/aria2c -c -x 16 -o wps-office-11.1.0.9662-1.x86_64.rpm https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm 

What version is your aria2c? Run aria2c -v and check.

Version:


(base) ryan@localhost:~/temp> aria2c -v
aria2 版本 1.33.1
Copyright (C) 2006, 2017 Tatsuhiro Tsujikawa

本程序为自由软件;您可自由再版或修改它,惟须遵守 GNU 通用公共许可证,
第 2 版或更新版本(依您所愿)的条款,以自由软件基金会发布的版本为准。

我们本着希望有用的态度发行此软件,但 * 从未做出任何保证 *,甚至不暗示对
于适销性或对某一特定用途的适用性的保证。参见 GNU 通用公共许可证以获取
更多信息。

** 配置 **
已开启的特性: Async DNS, BitTorrent, Firefox3 Cookie, GZip, HTTPS, Message Digest, Metalink, XML-RPC, SFTP
哈希算法: sha-1, sha-224, sha-256, sha-384, sha-512, md5, adler32
库: zlib/1.2.11 libxml2/2.9.7 sqlite3/3.28.0 GnuTLS/3.6.7 nettle GMP/6.1.2 c-ares/1.15.0-20200117 libssh2/1.8.0
编译器: gcc 7.5.0
  built by  x86_64-suse-linux-gnu
  on        Jan  9 2019 13:47
系统: Linux 5.3.18-lp152.57-default #1 SMP Fri Dec 4 07:27:58 UTC 2020 (7be5551) x86_64

报告问题至 https://github.com/aria2/aria2/issues
访问 https://aria2.github.io/

I retried the download today and it works now, but there is a warning:

(base) ryan@localhost:~/temp> aria2c https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm

01/04 14:58:10 [NOTICE] Downloading 1 item(s)

01/04 14:58:10 [WARN] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised.
Peer: wdl1.cache.wps.cn (125.94.49.244:443)

01/04 14:58:10 [WARN] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised.
Peer: wdl1.cache.wps.cn (125.94.49.244:443)
[#76be57 26MiB/298MiB(8%) CN:1 DL:3.4MiB ETA:1m19s]^C                                                                                                                                                                  
01/04 14:58:14 [NOTICE] 正在关闭程序... 再按 Ctrl-C 可紧急停止

01/04 14:58:14 [NOTICE] GID 为 76be575ce27a3f22 的下载项未完成:/home/ryan/temp/wps-office-11.1.0.9662-1.x86_64.rpm

下载结果:
gid   |stat|avg speed  |path/URI
======+====+===========+=======================================================
76be57|INPR|   3.5MiB/s|/home/ryan/temp/wps-office-11.1.0.9662-1.x86_64.rpm

状态标识:
(INPR):正在下载。

传输重启之后,aria2 将继续下载。
如果发生任何错误,请参阅日志文件。要了解详细信息,请在 help/man 页面中参阅 “-l” 选项。

Warning text: [WARN] aria2c had to connect to the other side using an unknown TLS protocol. The integrity and confidentiality of the connection might be compromised. Peer: wdl1.cache.wps.cn

@marguerite

I found this: https://unix.stackexchange.com/questions/502763/aria2c-had-to-connect-to-the-other-side-using-an-unknown-tls-protocol-why

It looks like a tls1.3 problem; upgrading to 1.35 should stop the error. I'll give it a try.

Indeed, wps.cn has already moved to tls1.3. I'm on Leap, where aria2c is still only 1.33, and its tls1.3 support is problematic.

I tested with curl:

(base) ryan@localhost:~/temp> curl -vvv https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
*   Trying 125.94.49.244:443...
* TCP_NODELAY set
* Connected to wdl1.cache.wps.cn (125.94.49.244) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2

aria2 doesn't seem to have an option like curl's --tls-max 1.2, so there is no way to lower the tls version.

The only way to fix this is to upgrade aria2.

===

curl's --tls-max 1.2 can lower the tls version:

(base) ryan@localhost:~/temp> curl -vvv --tls-max 1.2 https://wdl1.cache.wps.cn/wps/download/ep/Linux2019/9662/wps-office-11.1.0.9662-1.x86_64.rpm
*   Trying 125.94.49.244:443...
* TCP_NODELAY set
* Connected to wdl1.cache.wps.cn (125.94.49.244) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2

Right, aria2 only has --min-tls-version=TLSv1.2

The network:utilities repo has a 1.35 build usable on 15.2

@marguerite I just tried this and there's a problem: the package version is 1.35, but after installing, aria2c -v still shows 1.33

The install commands I used:

sudo zypper addrepo https://download.opensuse.org/repositories/network:/utilities/openSUSE_Leap_15.2/ network:utilities
sudo zypper refresh
sudo zypper install aria2-1.35.0-lp152.154.4.x86_64

Then I ran aria2c -v, and the output is still 1.33:

(base) ryan@localhost:~> which aria2c 
/usr/bin/aria2c

(base) ryan@localhost:~> aria2c -v
aria2 版本 1.33.1
Copyright (C) 2006, 2017 Tatsuhiro Tsujikawa

本程序为自由软件;您可自由再版或修改它,惟须遵守 GNU 通用公共许可证,
第 2 版或更新版本(依您所愿)的条款,以自由软件基金会发布的版本为准。

我们本着希望有用的态度发行此软件,但 * 从未做出任何保证 *,甚至不暗示对
于适销性或对某一特定用途的适用性的保证。参见 GNU 通用公共许可证以获取
更多信息。

** 配置 **
已开启的特性: Async DNS, BitTorrent, Firefox3 Cookie, GZip, HTTPS, Message Digest, Metalink, XML-RPC, SFTP
哈希算法: sha-1, sha-224, sha-256, sha-384, sha-512, md5, adler32
库: zlib/1.2.11 libxml2/2.9.7 sqlite3/3.28.0 GnuTLS/3.6.7 nettle GMP/6.1.2 c-ares/1.15.0-20200117 libssh2/1.8.0
编译器: gcc 7.5.0
  built by  x86_64-suse-linux-gnu
  on        Jan  9 2019 13:47
系统: Linux 5.3.18-lp152.57-default #1 SMP Fri Dec 4 07:27:58 UTC 2020 (7be5551) x86_64

报告问题至 https://github.com/aria2/aria2/issues
访问 https://aria2.github.io/

@marguerite

@ryan4yin Could it be that libaria2 wasn't updated?

Thanks. After upgrading to Tumbleweed I haven't had any problems

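The diagnosis reached in this thread, as an added example that is not part of any post: a small offline triage script that reads `aria2c -v` and `curl -v` output and flags the TLS 1.3 mismatch. The function names are hypothetical, the samples are shortened from the logs pasted above, and the 1.35 threshold is the version the posters report as working.

```sh
#!/bin/sh
# Added example: offline triage of the outputs pasted in this thread.
# Function names are hypothetical; samples are constructed (shortened) from the thread's logs.

# First line and library line of `aria2c -v` (localized output, as pasted).
SAMPLE_ARIA2='aria2 版本 1.33.1
库: zlib/1.2.11 libxml2/2.9.7 sqlite3/3.28.0 GnuTLS/3.6.7 nettle GMP/6.1.2'

# Two lines of `curl -vvv` output against the download host.
SAMPLE_CURL='* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384'

# The label word ("version" / "版本") is localized, so take the last field of line 1.
aria2_version() { printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'; }

# TLS backend aria2 was linked against, e.g. GnuTLS/3.6.7.
aria2_tls_lib() {
  printf '%s\n' "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(GnuTLS|OpenSSL)\//) { print $i; exit } }'
}

# Protocol curl negotiated, from "* SSL connection using <proto> / <cipher>".
negotiated_tls() {
  printf '%s\n' "$1" |
    sed -n 's/^\* SSL connection using \(TLSv[0-9.]*\) .*/\1/p' | head -n 1
}

# Exit 0 when dotted version $1 is older than $2 (compares major, then minor).
version_lt() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
  [ "$a_major" -lt "$b_major" ] ||
    { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# $1 = `aria2c -v` text, $2 = `curl -v` text.
# Rule taken from the thread: server negotiates TLSv1.3 and aria2 is older than 1.35.
diagnose() {
  ver=$(aria2_version "$1"); proto=$(negotiated_tls "$2")
  if [ "$proto" = "TLSv1.3" ] && version_lt "$ver" "1.35"; then
    echo "upgrade-aria2 (aria2 $ver, $(aria2_tls_lib "$1"), server speaks $proto)"
  else
    echo "no-tls13-mismatch (aria2 $ver, server speaks ${proto:-unknown})"
  fi
}

diagnose "$SAMPLE_ARIA2" "$SAMPLE_CURL"
```

On a live system, pass `"$(aria2c -v)"` and `"$(curl -sv -o /dev/null URL 2>&1)"` instead of the samples; the version that matters is the one the binary reports, not the one the package manager lists.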