我遇到了一个奇怪的问题,一个网站的 SSL 证书只影响一个电脑 Windows 7 操作系统。该网站在其他 Win 7 计算机上运行良好,没有错误,提取有效证书。我既不是该网站的所有者也不是该网站的管理员,但由于该网站在所有其他计算机上都运行良好,我怀疑这不是该网站的问题。“问题计算机”是一台 Win 7 机器,每个 Win 7 用户和每个浏览器(或至少 IE10、Chrome 和 Firefox)都会发生错误。 我应该补充一点,当我用 USB 密钥将这台“问题电脑”启动到 Ubuntu 时,会提取一个有效的证书。
该域有私人和公共用户,因此我宁愿不在这里使用真实域。相反,我将使用 Microsoft 的一个虚假域 ( contoso.com) 来说明问题。证书似乎适用于*.contoso.com,但它仅在我尝试访问 时出现https://a.contoso.com。当我访问 时https://b.contoso.com,我获得了一个不同的有效证书,该证书也适用于*.contoso.com。
编辑:从原始帖子中删除了证书错误的浏览器/Win 7 图像,以支持下面的 openssl 输出。
自证书于 2014 年 12 月 10 日到期以来,这个问题一直存在。我尝试进入 certmgr.msc > 受信任的根证书颁发机构 > 证书,删除当前用户和计算机帐户的所有 GeoTrust 证书。重启后出现了新的 GeoTrust Global CA 证书,但这并没有解决问题。同样,无论使用哪种浏览器,此问题只会影响一台计算机上的所有用户。此外,如果这些域用户登录到另一台计算机,也不会受到影响。
以下是我尝试过的一些其他解决方案:
- 重新启动(当然)。
- 使用 inetcpl.cpl > 内容中的清除 SSL 状态按钮
- 使用这台“问题计算机”从几个不同的公共 WiFi 网络访问该网站。
- 用于
certutil -setreg chain\ChainCacheResyncFiletime @now使当前 CRL 缓存条目无效,按照http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx - 使用工作计算机上的“证书”>“详细信息”框中的“复制到文件”按钮将工作证书复制到一个文件,然后我将该文件传输到已过期证书的计算机上并安装到该计算机上。+重新启动,没有运气。
我是否正确地假设这是单台计算机的问题,而不是托管该页面的网站的问题?如果这是正确的,是否有办法强制这台计算机放弃过期的证书并获取所有其他计算机正在获取的新证书?
更新:我似乎部分正确地假设了这不是托管页面的网站的问题。我假设这是计算机本身的问题,但现在看来这似乎只是安装在这台“问题计算机”上的 Win 7 操作系统的问题。我得出这个结论是因为其他运行 Win 7 的计算机会提取有效证书,并且这台“问题计算机”在从 USB 密钥启动到 Ubuntu 时会提取有效证书。只有当这台“问题计算机”启动到 Win 7 时,过期证书才会出现。有了这些知识,有没有比我上面列出的方法(全部失败)更成功地从 Win 7 中删除过期证书的方法?
提前致谢。
编辑:这是“问题计算机”上的输出openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout,使用 Win 7 操作系统中的 Cygwin。请注意有效性显示证书到期日期的属性Dec 10 21:59:20 2014 GMT:
$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 113752 (0x1bc58)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA
Validity
Not Before: Oct 8 16:20:07 2012 GMT
Not After : Dec 10 21:59:20 2014 GMT
Subject: serialNumber=ibWVTrZnhDvyhydnlXKodqBj0Azl-unn, C=US, ST=Colorado, L=Denver, O=ContosoCompany, OU=ContosoDepartment, CN=*.contoso.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:df:41:d1:5b:bd:00:68:2c:5e:72:65:39:b6:ac:
7d:67:46:64:f9:c7:07:93:89:80:bd:27:77:f0:40:
6f:61:3b:58:96:bc:cb:a3:f9:40:ad:63:27:b3:e3:
fb:c6:87:dc:c8:af:9e:0e:79:c4:e2:09:31:34:e8:
c4:2a:7c:77:f1:88:41:c3:b3:b4:88:50:d0:3b:c9:
34:ac:61:e2:4d:a1:cd:6d:4e:db:73:25:eb:b7:f7:
82:95:2d:48:10:f7:78:25:a8:c8:05:a0:bd:07:6b:
7c:b9:09:e4:73:1a:ae:b7:8b:cd:9a:ef:58:39:70:
c3:20:5d:ab:8e:f0:c3:fc:96:d9:07:80:e1:88:e8:
b3:83:18:1c:ba:28:9b:a6:45:7f:0f:98:9b:cb:53:
29:c6:9e:d5:9c:26:40:bd:81:0d:bc:b3:06:90:9a:
a3:25:98:bb:b1:b3:0d:e6:7f:4e:93:8e:ee:b4:de:
15:3c:45:ac:1f:41:3d:e1:5e:de:3c:bb:ce:97:40:
fa:10:43:1a:bc:44:2a:55:fe:c2:e0:e0:6a:c3:17:
08:a6:ca:51:de:44:0a:c0:28:32:58:a4:f5:1a:ed:
c0:8f:40:22:6a:05:1a:9c:2c:20:39:24:83:10:36:
a0:49:79:4b:50:9e:ea:e7:5d:d2:57:54:a5:a3:24:
6b:2d
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:*.contoso.com, DNS:contoso.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl
X509v3 Subject Key Identifier:
EE:49:78:68:84:FF:89:18:BE:21:E9:34:73:32:59:33:2E:93:B3:2B
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
OCSP - URI:http://gtssl-ocsp.geotrust.com
CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: http://www.geotrust.com/resources/cps
Signature Algorithm: sha1WithRSAEncryption
82:bc:a7:50:e1:36:7c:c0:67:cc:40:56:7b:22:a2:c2:98:2c:
01:12:b0:6f:0d:01:97:4e:a6:19:5a:d0:eb:61:22:c8:6e:05:
07:a2:97:2a:4e:4f:0b:a4:af:f4:3b:2c:42:e4:21:6d:4a:b1:
e8:47:2c:71:56:fb:ec:49:59:97:a7:0f:54:f2:0e:06:cf:e7:
6a:4c:f7:33:d1:21:aa:bb:e2:a2:c1:85:8e:46:02:e5:e9:93:
eb:4e:aa:a5:78:e0:bc:94:a6:58:9d:b4:53:98:21:48:48:4c:
94:dd:3a:96:79:3d:08:ed:25:6c:16:31:1b:e3:a8:9d:4f:7e:
c7:9e:bf:d7:c5:06:e0:2e:05:94:54:7a:13:71:a7:8a:24:18:
e1:c3:51:16:e7:02:0d:07:71:e7:ae:d8:27:ed:7c:2b:ba:b7:
16:ac:95:50:f0:a4:30:1b:f4:4a:6b:ca:7a:f4:b4:f4:cb:d3:
29:87:a5:b6:03:59:94:c0:f3:7c:91:ee:e7:37:69:3f:b1:fe:
06:a6:62:12:91:30:c5:63:e0:f9:9f:af:a5:dd:de:15:b8:b6:
e7:df:78:7a:97:e7:a6:cc:f1:57:e2:b9:00:59:b1:52:03:9c:
de:b4:e5:4f:45:22:8a:69:26:5b:27:ca:45:98:d9:c3:5a:32:
d5:f7:27:c2
openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout以下是“问题计算机”上的输出,该计算机通过 USB 密钥运行 Ubuntu 14.04。请注意有效性此处的属性显示有效证书,其到期日期为Dec 5 14:21:24 2015 GMT:
ubuntu@ubuntu:~$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 686155 (0xa784b)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA
Validity
Not Before: Dec 1 23:03:54 2014 GMT
Not After : Dec 5 14:21:24 2015 GMT
Subject: serialNumber=AEv6bwWEDDnubjaF1huAIm7G/hgmDTWE, OU=GT24051799, OU=See www.geotrust.com/resources/cps (c)14, OU=Domain Control Validated - QuickSSL(R), CN=a.contoso.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:48:ca:32:bb:e9:a3:f9:75:35:71:f2:c0:78:
2b:22:60:8d:36:91:20:46:d0:d4:09:d0:8d:fa:3e:
e2:bc:23:f6:c1:fc:03:2a:9a:79:da:12:e8:d2:1d:
b2:09:df:af:21:42:94:5c:88:68:43:51:57:40:26:
d1:b2:51:93:59:5e:ba:2f:41:de:c1:5c:04:e3:66:
a3:13:d5:87:de:71:83:cc:03:2a:06:c1:66:29:12:
c8:a5:32:91:74:0a:40:87:d4:e7:d8:32:c3:7e:aa:
57:75:c0:0e:19:75:27:9a:08:40:8c:1a:90:ab:e6:
3a:e7:8c:47:25:ec:d0:61:07:e2:da:a6:86:43:fa:
2b:40:0b:37:c2:63:7b:57:4e:fd:3a:54:ce:f9:c7:
b7:38:c1:2c:65:76:91:7e:84:85:90:c6:3e:65:5d:
e7:57:2f:2f:63:5a:ec:6b:77:6a:9e:9f:2b:f1:40:
c6:8f:14:77:ce:ee:3f:f1:e8:87:5f:a0:c0:18:39:
8b:63:df:a7:3a:68:39:c1:dc:9b:48:ec:65:75:07:
30:b2:6d:91:e8:42:41:cb:a7:33:64:01:21:e2:39:
ab:9d:64:7d:b2:24:2c:2c:69:b3:b1:36:ab:ed:93:
eb:3d:be:0f:2f:b3:13:47:78:ea:be:77:54:e2:be:
ba:71
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:a.contoso.com
X509v3 CRL Distribution Points:
Full Name:
URI:http://gtssldv-crl.geotrust.com/crls/gtssldv.crl
X509v3 Subject Key Identifier:
B5:10:8A:28:BE:B2:E8:EA:D2:0C:A9:0B:78:BF:1A:4C:FF:CB:70:BE
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
OCSP - URI:http://gtssldv-ocsp.geotrust.com
CA Issuers - URI:http://gtssldv-aia.geotrust.com/gtssldv.crt
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: http://www.geotrust.com/resources/cps
Signature Algorithm: sha1WithRSAEncryption
8c:da:2b:78:4e:bf:6e:d8:48:4f:2c:e5:5a:06:18:d7:39:99:
fd:29:9d:c4:c3:e4:6b:54:82:df:96:c2:84:49:e1:f6:2c:62:
e0:61:b8:5d:7c:ce:db:38:ab:5f:1c:79:e5:c3:d4:f1:35:2e:
6c:8e:a2:60:f1:69:9f:41:54:0d:f4:1c:76:5e:46:33:60:a1:
bb:22:a9:ca:a2:14:a2:6c:e5:c6:80:dd:cb:e7:0e:f2:8a:5e:
b0:e7:cb:d4:72:3d:01:4f:58:42:9c:7c:81:1f:6e:22:10:0f:
de:1c:d4:54:cd:8e:5c:4b:35:5f:5a:af:b0:78:9f:60:56:1b:
10:64:2d:b7:39:55:be:e2:14:b8:27:5c:af:0e:63:03:27:6a:
bd:a7:14:27:5d:fc:a3:d1:27:3b:e9:23:11:10:63:7d:77:2b:
b2:db:2e:14:d5:e6:eb:80:6d:fc:bd:af:bb:14:9d:28:9c:91:
a4:16:b5:4b:70:4d:54:df:5b:0f:3e:83:40:02:cd:56:fd:7a:
4c:a9:06:2b:45:40:ce:8e:ec:6c:6c:1b:b1:a8:c5:56:fd:60:
dc:f1:bc:7d:27:63:eb:b7:99:d9:ec:8f:63:d7:a0:b6:7b:ea:
b0:1e:b2:4c:89:0c:11:c4:c2:dd:1f:e7:ef:db:44:23:c8:52:
37:40:6a:10
答案1
回答:
“问题计算机”上运行的 Win 7c:\windows\system 32\drivers\etc\hosts文件已被编辑。a.contoso.com 被硬编码为指向特定 IP 地址(例如AAA.BBB.CCC.90)。 的网站仍可AAA.BBB.CCC.90运行,但提供的证书已过期。在使用新证书创建新网站(奇怪的是看起来完全一样由于 位于AAA.BBB.CCC.145,因此网站开发人员必须将发往 a.contoso.com 的流量重定向到AAA.BBB.CCC.145提供有效证书的新网站 。我通过在tracert将 a.contoso.com 解析为 的其中一台正常工作的计算机上运行跟踪路由 ( )来实现这一点。在“问题计算机”上AAA.BBB.CCC.145运行得到。在问题计算机上直接浏览得到一个具有有效证书的良好网站!在我删除“问题计算机”主机文件中将流量直接定向到 的行后,一切正常。tracertAAA.BBB.CCC.90AAA.BBB.CCC.145AAA.BBB.CCC.90
现在看来,问题根本不出在 Win 7 证书上。问题在于这台机器将其流量导向一个使用过期证书的过时老旧网站,因为该网站的地址被硬编码到其 hosts 文件中。
感谢大家帮助我得出这个结论并解决这个问题。