[Programmers] picgo image upload reports "unable to verify the first certificate"


Environment

Server

  1. minio + nginx
  2. Domain certificate issued by https://freessl.cn

Client

  • picgo (using the picgo-plugin-s3 plugin). The picgo configuration is as follows (some values redacted):
{
  "picBed": {
    "uploader": "aws-s3",
    "current": "aws-s3",
    "aws-s3": {
      "accessKeyID": "xxx",
      "secretAccessKey": "xxx",
      "bucketName": "images",
      "uploadPath": "{year}/{month}/{md5}.{extName}",
      "region": "home",
      "endpoint": "https://xxx.top:9000",
      "proxy": "",
      "urlPrefix": "https://xxx.top",
      "urlSuffix": "",
      "pathStyleAccess": true,
      "rejectUnauthorized": true,
      "acl": "public-read",
      "disableBucketPrefixToURL": false
    }
  },
  "picgoPlugins": {
    "picgo-plugin-s3": true
  }
}

Problem description

Uploading with picgo to an image host built on minio produced the following error:

C:\Users\wuhun\Desktop>picgo -v
1.5.7

C:\Users\wuhun\Desktop>picgo upload 1.png
[PicGo INFO]: Before transform
[PicGo INFO]: Transforming... Current transformer is [path]
[PicGo INFO]: Before upload
[PicGo INFO]: Uploading... Current uploader is [aws-s3]
[PicGo ERROR]: 上传到 S3 存储发生错误,请检查网络连接和配置是否正确
[PicGo ERROR]: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1076:8)
    at ssl.onhandshakedone (node:_tls_wrap:862:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}
[PicGo WARN]: failed
[PicGo ERROR]: Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1677:34)
    at TLSSocket.emit (node:events:519:28)
    at TLSSocket._finishInit (node:_tls_wrap:1076:8)
    at ssl.onhandshakedone (node:_tls_wrap:862:12) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  '$metadata': { attempts: 1, totalRetryDelay: 0 }
}

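Troubleshooting and findings

  1. Accessing minio with Google Chrome works: the browser trusts the certificate and shows no security warning.
  2. After switching the certificate source to an Alibaba Cloud test certificate, with all other configuration unchanged, picgo can upload images normally.
  3. After adding the certificate to "Trusted Root Certification Authorities", it still reports "UNABLE_TO_VERIFY_LEAF_SIGNATURE".

My questions

  1. Free certificates in China are now only valid for three months. The Alibaba Cloud certificate works, but it has to be replaced manually when it nears expiry. That was fine when the validity period was one year, but with three months it is a hassle, so I do not plan to keep using Alibaba Cloud's free certificate.
  2. The certificate I currently use comes from https://freessl.cn. A tech blogger I follow promoted this site, I happened to have this need, and it supports automatic certificate renewal through the acme.sh script, so I started using its certificates. So far, apart from the problem when uploading images with picgo, both of my computers (Windows 11, macOS) can access the minio web UI in Google Chrome without any security warning (the minio web UI and API use the same certificate). The certificate configured on my Alibaba Cloud CDN domain was also generated by this site, and the CDN works fine.
  3. I would like to ask everyone: what causes "UNABLE_TO_VERIFY_LEAF_SIGNATURE", and what is the solution?

To avoid being attacked, I am not disclosing my domain.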
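
An added diagnostic example, not part of the original post: OpenSSL raises UNABLE_TO_VERIFY_LEAF_SIGNATURE when the presented chain contains a single certificate that is not self-signed and its issuer cannot be found, and Node.js by default verifies against its own bundled CA list rather than the Windows certificate store, while Chrome can fetch or reuse a missing intermediate. The code below classifies the chain object returned by `getPeerCertificate(true)`; `fetchPeerChain` and `analyzeChain` are hypothetical helper names, and the host name, CA names and fingerprints in the sample data are constructed.

```javascript
// Fetch the chain as Node sees it. Verification is disabled for this single
// diagnostic handshake only, so a failing chain can still be inspected.
async function fetchPeerChain(host, port) {
  const tls = await import('node:tls');
  return new Promise((resolve, reject) => {
    const socket = tls.connect(
      { host, port, servername: host, rejectUnauthorized: false },
      () => {
        const leaf = socket.getPeerCertificate(true); // true: keep issuer links
        const authorizationError = socket.authorizationError || null;
        socket.end();
        resolve({ leaf, authorizationError });
      });
    socket.once('error', reject);
  });
}

const sameName = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Walk leaf -> issuerCertificate links and classify where the chain stops.
function analyzeChain(leaf) {
  const chain = [];
  const seen = new Set(); // a root links to itself, so guard against the loop
  for (let c = leaf; c && c.subject && !seen.has(c.fingerprint256); c = c.issuerCertificate) {
    seen.add(c.fingerprint256);
    chain.push(c);
  }
  if (chain.length === 0) return { verdict: 'no-certificate', names: [], missingIssuer: null };
  const last = chain[chain.length - 1];
  const selfIssued = sameName(last.subject, last.issuer);
  // 'leaf-only' is the UNABLE_TO_VERIFY_LEAF_SIGNATURE case: one certificate,
  // not self-signed, and its issuer could not be linked.
  const verdict = selfIssued
    ? (chain.length === 1 ? 'self-signed-leaf' : 'complete')
    : (chain.length === 1 ? 'leaf-only' : 'incomplete');
  return { verdict, names: chain.map((c) => c.subject.CN), missingIssuer: selfIssued ? null : last.issuer.CN };
}

// Constructed sample chains shaped like getPeerCertificate(true) results.
const root = { subject: { CN: 'Example Root CA' }, issuer: { CN: 'Example Root CA' }, fingerprint256: 'AA' };
root.issuerCertificate = root;
const intermediate = { subject: { CN: 'Example Intermediate CA' }, issuer: root.subject, fingerprint256: 'BB', issuerCertificate: root };
const LEAF_ONLY = { subject: { CN: 'minio.example.test' }, issuer: intermediate.subject, fingerprint256: 'CC' };
const FULL_CHAIN = { ...LEAF_ONLY, issuerCertificate: intermediate };

console.log(analyzeChain(LEAF_ONLY), analyzeChain(FULL_CHAIN));
// Live use (placeholder host): fetchPeerChain('minio.example.test', 9000).then((r) => console.log(r.authorizationError, analyzeChain(r.leaf)));
```

If a live check against the endpoint returns `leaf-only`, configure whichever server terminates TLS there with the full-chain file (leaf followed by its intermediates) and keep `rejectUnauthorized` set to `true` in picgo.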
