英文:
PECL install no releases available
问题
以下是翻译好的部分:
运行 pecl install mongodb-1.4.2
结果产生以下输出:
运行 pecl install mongodb-1.4.2 && docker-php-ext-enable mongodb:
没有可用于包 "pecl.php.net/mongodb" 的发布
安装失败
这可能是证书问题吗?因为如果我尝试使用wget,会得到以下结果:
连接到 pecl.php.net (104.236.228.160:443)
ssl_client: pecl.php.net: 证书验证失败: 证书已过期
PHP 版本
php:7.0
是否有方法修复这个问题,还是我需要等待他们更新证书?
英文:
RUN pecl install mongodb-1.4.2
Resulted in this output:
RUN pecl install mongodb-1.4.2 && docker-php-ext-enable mongodb:
No releases available for package "pecl.php.net/mongodb"
install failed
Could this be a cert issue? because if I try to wget i get following:
Connecting to pecl.php.net (104.236.228.160:443)
ssl_client: pecl.php.net: certificate verification failed: certificate has expired
PHP Version
php:7.0
Is there a way to fix this or do I need to just wait for them to update the cert?
答案1
得分: 4
您的基础镜像太旧,没有适当的证书信息,apk update && apk upgrade
不能解决这个问题。我看不到告诉 pecl 忽略证书的方法,但您可以这样做:
wget --no-check-certificate https://pecl.php.net/get/mongodb-1.4.2.tgz
pecl install --offline ./mongodb-1.4.2.tgz
当然,我建议不要使用这么老的版本,这样就不会有问题。
英文:
Your base image is too old and doesn't have the appropriate certificate information, and apk update && apk upgrade
don't get you there. I don't see any way to tell pecl to ignore certs but you could do:
wget --no-check-certificate https://pecl.php.net/get/mongodb-1.4.2.tgz
pecl install --offline ./mongodb-1.4.2.tgz
Of course, I'd have recommend not using such old versions and then it won't be a problem.
答案2
得分: 1
我成功地通过从 Docker 镜像中删除有问题的证书来解决了这个问题。我也处于一个无法升级 PHP 版本的情况,我需要从 PECL 获取始终保持最新的 timezonedb。
在删除它们后,PECL 正常工作。
阅读 https://github.com/libressl/portable/issues/692#issuecomment-937800309 导致了 https://github.com/openbsd/src/commit/3c95f6f12797ebbdedb8d5f712eb65bd04fe233a
然后,我使用 grep 命令查找了我的 Docker 镜像(php5.6-alpine)中证书的位置并将其删除。
两个文件需要打补丁,另外两个文件是整个证书。
#12 [web base 4/7] RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
#12 0.445 /etc/ssl/cert.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/2e5ac55d.0:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/ca-certificates.crt:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
打补丁 /etc/ssl/certs/ca-certificates.crt
--- /etc/ssl/certs/ca-certificates.crt.ori
+++ /etc/ssl/certs/ca-certificates.crt
@@ -956,27 +956,6 @@
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
-
------BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
打补丁 /etc/ssl/cert.pem
--- cert.pem.ori
+++ cert.pem
@@ -2182,49 +2182,6 @@
gKDWHrO8Dw9TdSmq6h
<details>
<summary>英文:</summary>
I was able to solve this by removing the offending certificate from the docker image. I'm also on a situation where I cannot upgrade the PHP version and I need timezonedb always up-to-date from PECL.
After removing them PECL works normally.
Read https://github.com/libressl/portable/issues/692#issuecomment-937800309 lead to https://github.com/openbsd/src/commit/3c95f6f12797ebbdedb8d5f712eb65bd04fe233a
I then made a grep to see where the cert was on my docker image (php5.6-alpine) and removed it.
Two files required a patch, and two files were the whole certificate.
#12 [web base 4/7] RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
#12 0.445 /etc/ssl/cert.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/2e5ac55d.0:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
#12 0.754 /etc/ssl/certs/ca-certificates.crt:Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
Patch `/etc/ssl/certs/ca-certificates.crt`
--- /etc/ssl/certs/ca-certificates.crt.ori
+++ /etc/ssl/certs/ca-certificates.crt
@@ -956,27 +956,6 @@
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
------BEGIN CERTIFICATE-----
MIIDtzCCAp+gAwIBAgIQDOfg5RfYRv6P5WD8G/AwOTANBgkqhkiG9w0BAQUFADBl
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSQwIgYDVQQDExtEaWdpQ2VydCBBc3N1cmVkIElEIFJv
Patch `/etc/ssl/cert.pem`
--- cert.pem.ori
+++ cert.pem
@@ -2182,49 +2182,6 @@
gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
-----END CERTIFICATE-----
-### Digital Signature Trust Co.
-=== /O=Digital Signature Trust Co./CN=DST Root CA X3
-Certificate:
- Data:
-
Version: 3 (0x2)
-
Serial Number:
-
44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
- Signature Algorithm: sha1WithRSAEncryption
-
Validity
-
Not Before: Sep 30 21:12:19 2000 GMT
-
Not After : Sep 30 14:01:15 2021 GMT
-
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3
-
X509v3 extensions:
-
X509v3 Basic Constraints: critical
-
CA:TRUE
-
X509v3 Key Usage: critical
-
Certificate Sign, CRL Sign
-
X509v3 Subject Key Identifier:
-
C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
-SHA1 Fingerprint=DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13
-SHA256 Fingerprint=06:87:26:03:31:A7:24:03:D9:09:F1:05:E6:9B:CF:0D:32:E1:BD:24:93:FF:C6:D9:20:6D:11:BC:D6:77:07:39
------BEGIN CERTIFICATE-----
-MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
-AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
-rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
-OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
-xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
-7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
-aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
-HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
-SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
-ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
-AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
-R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
-JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
-Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
------END CERTIFICATE-----
Disig a.s.
=== /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2
Then remove the other two files which are the whole cert `/etc/ssl/certs/2e5ac55d.0` and `/etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem`
These are the final dockerfile lines, I left the grep line intentionally to debug this if some file is renamed
COPY docker/ca-certificates.patch /tmp
COPY docker/cert.pem.patch /tmp
RUN grep -r Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ /etc
RUN apk update && apk upgrade
RUN patch /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.patch &&
patch /etc/ssl/cert.pem /tmp/cert.pem.patch &&
rm /etc/ssl/certs/2e5ac55d.0 &&
rm /etc/ssl/certs/ca-cert-DST_Root_CA_X3.pem
PS: Originally from https://github.com/php/php-src/issues/11486#issuecomment-1626075999 answering here too just in case.
</details>
# 答案3
**得分**: 0
我今天遇到了同样的问题(使用`apcu`包,但包的具体内容并不重要,当发生类似情况时,包不重要)。我决定不再依赖于间歇性的`pecl`工作。我的解决方案基于@alex-howansky的回答:
```Dockerfile
RUN apt-get update -y && apt-get upgrade -y \
&& apt-get install -y ca-certificates \
&& update-ca-certificates \
&& apt install -y --no-install-recommends \
git \
...
wget \
&& apt-get autoremove -y \
&& docker-php-ext-install \
intl \
...
### 解决方案如下。 ###
&& pecl channel-update pecl.php.net \
&& { \
pecl install apcu || ( \
wget --no-check-certificate https://pecl.php.net/get/APCu -O ./apcu_latest.tgz \
&& pecl install --offline ./apcu_latest.tgz \
&& rm ./apcu_latest.tgz \
); \
} \
...
如果pecl install apcu
成功,将使用此命令。这是首选命令,因为在生产环境中不建议绕过SSL检查来处理过期证书,因为这会带来安全风险。
但是,我们不能允许证书故障影响应用程序。因此,如果pecl install apcu
失败,将使用||
之后的命令(下载包 - 在我的情况下是最新版本,安装它并删除已下载的./apcu_latest.tgz
)。
附注:如果需要最新版本,您可以在https://pecl.php.net/上找到最新包版本的链接。只需找到您的包,并查看包页面上的“[最新Tarball]”。
附注2:此处是关于今天问题的报告(证书已经过期多次)。
英文:
I had the same problem today (with apcu
package, but package doesn't matter, when something like this happens). I've decided not to rely on the intermittent pecl
working. My solution is based on @alex-howansky answer:
RUN apt-get update -y && apt-get upgrade -y \
&& apt-get install -y ca-certificates \
&& update-ca-certificates \
&& apt install -y --no-install-recommends \
git \
...
wget \
&& apt-get autoremove -y \
&& docker-php-ext-install \
intl \
...
### SOLUTION IS BELOW. ###
&& pecl channel-update pecl.php.net \
&& { \
pecl install apcu || ( \
wget --no-check-certificate https://pecl.php.net/get/APCu -O ./apcu_latest.tgz \
&& pecl install --offline ./apcu_latest.tgz \
&& rm ./apcu_latest.tgz \
); \
} \
...
If pecl install apcu
is successful, this command is used. This is preferred command, because dealing with expired certificates by bypassing SSL checks is not recommended for production environments, as it poses security risks.
But we cannot allow certificate outages to disrupt the application. So, if pecl install apcu
failed, commands after ||
are used (download package - latest version in my case, install it and remove downloaded ./apcu_latest.tgz
).
PS. You can see link to latest package version (if you need latest) on https://pecl.php.net/. Just find you package and look for "[ Latest Tarball ]" on the package page:
PPS. Here is the report about today's problem (certificate has been expired for the umpteenth time).
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论