BLOG | NGINX

关于 NGINX Plus 代码库证书的变动

NGINX-Part-of-F5-horiz-black-type-RGB
Faisal Memon 缩略图
Faisal Memon
Published June 07, 2016

In our ongoing efforts to improve the security of our products, we’ve made a change that affects the way NGINX Plus is installed and updated. We are replacing the self‑signed certificate we previously used to secure the NGINX Plus repository with a certificate from GlobalSign, a well‑known and trusted Certificate Authority (CA). With a CA‑signed certificate, clients can now verify the certificate we present and be assured that the code they are downloading is from NGINX, Inc.

The next time you install or update NGINX Plus, you might see an error such as:

  • On Amazon Linux, CentOS, Oracle Linux, and RHEL:

    curl#60 - "Peer's certificate issuer has been marked as not trusted by the user."
  • On Debian and Ubuntu:

    server certificate verification failed. CAfile: /etc/ssl/nginx/CA.crt CRLfile: none

If you get these errors, you need to update how your package management tool accesses the NGINX Plus repository. Follow the instructions for your OS distribution:

  • Amazon Linux

    # yum install ca-certificates# rm -f /etc/yum.repos.d/nginx-plus-amazon.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-amazon.repo https://cs.nginx.com/static/files/nginx-plus-amazon.repo
  • CentOS 5.10+ / Oracle Linux 5.10+ / RHEL 5.10+

    # yum install openssl# rm -f /etc/yum.repos.d/nginx-plus-5.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-5.repo https://cs.nginx.com/static/files/nginx-plus-5.repo
  • CentOS 6.5+ / Oracle Linux 6.5+ / RHEL 6.5+

    # yum install ca-certificates# rm -f /etc/yum.repos.d/nginx-plus-6.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-6.repo https://cs.nginx.com/static/files/nginx-plus-6.repo
  • CentOS 7.0+ / Oracle Linux 7.0+ / RHEL 7.0+

    # yum install ca-certificates# rm -f /etc/yum.repos.d/nginx-plus-7.repo /etc/ssl/nginx/CA.crt
    # wget -O /etc/yum.repos.d/nginx-plus-7.repo https://cs.nginx.com/static/files/nginx-plus-7.repo
  • Debian 7.0, 8.0

    # apt-get install ca-certificates# rm -f /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx/CA.crt
    # wget -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx
  • FreeBSD 9.3, 10.1+

    # pkg install ca_root_nss# rm -f /etc/ssl/nginx/CA.crt
  • SLES 12, 12 SP1

    # zypper install ca-certificates# zypper rr nginx-plus
    # zypper addrepo -G -t yum -c 'https://plus-pkgs.nginx.com/sles/12?ssl_clientcert=/etc/ssl/nginx/nginx-repo-bundle.crt&ssl_verify=peer' nginx-plus
  • Ubuntu 12.04 LTS, 14.04 LTS, 15.10, 16.04 LTS

    # apt-get install ca-certificates# rm -f /etc/apt/apt.conf.d/90nginx /etc/ssl/nginx/CA.crt
    # wget -O /etc/apt/apt.conf.d/90nginx https://cs.nginx.com/static/files/90nginx

The instructions at the NGINX Plus Customer Portal have been updated to reflect this change. If you have any questions, please contact our support team.


"This blog post may reference products that are no longer available and/or no longer supported. For the most current information about available F5 NGINX products and solutions, explore our NGINX product family. NGINX is now part of F5. All previous NGINX.com links will redirect to similar NGINX content on F5.com."