Setup:
VM - 10.0.0.50
Local machine
I set the CN to www.ben.com and mapped 10.0.0.50 to www.ben.com in /etc/hosts.
When I curl https://www.ben.com I get the HTML (if I curl the IP it returns a "CA not valid" error, but that is correct).
If I try to access the site through Google Chrome, it shows the "site not secure" warning with the following error code:
NET::ERR_CERT_COMMON_NAME_INVALID
I put the same certificate file in the /etc/pki/ca-trust/source/anchors folder and in Google Chrome's Authorities section (under Settings etc.).
Command used to create the certificate:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
The /etc/httpd/conf.d/ssl.conf file:
<VirtualHost www.ben.com:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName www.ben.com:443
    ErrorLog /var/log/httpd/error_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    SSLUseStapling off
</VirtualHost>
This is the output of openssl x509 -in ./certs/apache-selfsigned.crt -text:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:d3:b5:d4:71:01:53:e7:bd:a9:3c:8e:93:6f:49:73:21:34:b6:d8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, ST = Tel-Aviv, L = TLV, O = Ben Ltd, OU = Ben Ltd, CN = www.ben.com
        Validity
            Not Before: May 26 08:49:48 2021 GMT
            Not After : May 26 08:49:48 2022 GMT
        Subject: C = IL, ST = Tel-Aviv, L = TLV, O = Ben Ltd, OU = Ben Ltd, CN = www.ben.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9e:b3:dd:4f:4b:e6:5c:ae:80:17:b6:58:86:4a:
                    9a:61:c9:76:c4:cf:d5:75:10:af:15:0a:e2:24:1a:
                    73:c6:5d:9d:77:33:79:60:0b:8d:cf:78:a1:f7:14:
                    a4:c2:dc:0a:e7:dc:d9:e6:e2:f1:92:33:1c:24:d9:
                    a5:b9:7d:08:f3:f9:78:06:0d:b8:cd:f3:40:8d:de:
                    95:6f:dd:f8:b3:89:89:8b:34:ec:d8:13:e0:d4:78:
                    1e:a5:a4:c1:2b:c6:ca:78:d4:d9:1a:87:da:a5:f5:
                    1d:07:40:b0:6c:1d:69:12:61:8a:59:16:03:c6:d3:
                    18:b9:8f:12:25:cc:e0:9b:d8:a1:1e:a1:34:e8:af:
                    58:a8:19:f8:29:f4:9e:a0:29:52:13:8d:3f:5e:4e:
                    17:f1:10:1c:1c:df:45:05:41:99:4a:fa:98:bf:d3:
                    2f:f9:cb:25:a2:69:1f:a3:ab:09:b9:f2:02:0d:dc:
                    f4:0a:1b:36:a0:be:cd:f0:2e:27:16:b1:88:a3:b2:
                    6f:49:d7:1e:b3:ac:04:3b:47:b3:a1:2b:83:e4:d1:
                    6f:e1:00:4d:4a:12:43:44:8d:0c:4c:4d:e6:00:0b:
                    a2:86:9e:ba:d8:43:25:0e:28:71:9b:e8:3b:d7:4e:
                    96:71:94:7a:b1:ee:cc:de:ba:ef:ce:74:e9:e7:c3:
                    30:df
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                70:CE:7D:E3:E5:5A:A6:A6:7D:3A:66:5E:35:DE:35:9A:78:0B:24:D8
            X509v3 Authority Key Identifier:
                keyid:70:CE:7D:E3:E5:5A:A6:A6:7D:3A:66:5E:35:DE:35:9A:78:0B:24:D8
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         62:bd:c0:f1:9f:67:60:24:dd:7a:46:71:ae:39:a4:c1:85:f1:
         d9:3b:99:6b:e7:e0:1f:52:af:f0:e4:98:5c:e5:0e:e8:8a:09:
         b9:3f:44:0c:69:64:93:69:13:ea:01:e3:6c:7d:c2:2a:d8:5b:
         c9:bc:6b:33:be:d5:0c:77:9e:9a:9b:4f:35:5b:87:01:95:72:
         c9:45:1f:25:66:8f:24:df:bc:a1:16:08:a3:f3:c2:d7:80:f6:
         0b:b5:31:2d:d7:48:28:5d:0f:93:f1:b1:9b:2a:ed:44:4f:69:
         f5:90:cf:05:af:a7:63:d3:78:85:86:5e:15:2b:7d:07:6b:24:
         63:c9:f8:3d:7d:da:93:6e:71:d5:ef:59:ab:1c:c9:d9:38:71:
         32:e8:9e:ca:14:6d:ee:2a:65:72:5e:5f:e9:e6:0e:d3:8c:6d:
         5d:65:38:b2:b2:84:0d:f9:6a:98:d6:2f:c8:1e:a1:b7:c1:ba:
         d3:b4:d9:2b:57:e7:0c:47:2f:84:15:5c:42:2c:62:98:9e:1c:
         ab:9c:70:36:be:1a:3e:69:1c:18:15:c3:a7:27:b7:a4:bd:91:
         b2:5e:96:b5:32:e3:0a:f4:c3:90:12:59:95:aa:9e:be:cd:5f:
         bc:6a:2c:e0:3f:5a:d6:a8:83:6e:65:21:0b:aa:fc:f0:1d:6f:
         09:f9:73:78
-----BEGIN CERTIFICATE-----
MIIDsTCCApmgAwIBAgIUYNO11HEBU+e9qTyOk29JcyE0ttgwDQYJKoZIhvcNAQEL
BQAwaDELMAkGA1UEBhMCSUwxETAPBgNVBAgMCFRlbC1Bdml2MQwwCgYDVQQHDANU
TFYxEDAOBgNVBAoMB0JlbiBMdGQxEDAOBgNVBAsMB0JlbiBMdGQxFDASBgNVBAMM
C3d3dy5iZW4uY29tMB4XDTIxMDUyNjA4NDk0OFoXDTIyMDUyNjA4NDk0OFowaDEL
MAkGA1UEBhMCSUwxETAPBgNVBAgMCFRlbC1Bdml2MQwwCgYDVQQHDANUTFYxEDAO
BgNVBAoMB0JlbiBMdGQxEDAOBgNVBAsMB0JlbiBMdGQxFDASBgNVBAMMC3d3dy5i
ZW4uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnrPdT0vmXK6A
F7ZYhkqaYcl2xM/VdRCvFQriJBpzxl2ddzN5YAuNz3ih9xSkwtwK59zZ5uLxkjMc
JNmluX0I8/l4Bg24zfNAjd6Vb934s4mJizTs2BPg1HgepaTBK8bKeNTZGofapfUd
B0CwbB1pEmGKWRYDxtMYuY8SJczgm9ihHqE06K9YqBn4KfSeoClSE40/Xk4X8RAc
HN9FBUGZSvqYv9Mv+cslomkfo6sJufICDdz0Chs2oL7N8C4nFrGIo7JvSdces6wE
O0ezoSuD5NFv4QBNShJDRI0MTE3mAAuihp662EMlDihxm+g7106WcZR6se7M3rrv
znTp58Mw3wIDAQABo1MwUTAdBgNVHQ4EFgQUcM594+VapqZ9OmZeNd41mngLJNgw
HwYDVR0jBBgwFoAUcM594+VapqZ9OmZeNd41mngLJNgwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAAOCAQEAYr3A8Z9nYCTdekZxrjmkwYXx2TuZa+fgH1Kv
8OSYXOUO6IoJuT9EDGlkk2kT6gHjbH3CKthbybxrM77VDHeemptPNVuHAZVyyUUf
JWaPJN+8oRYIo/PC14D2C7UxLddIKF0Pk/GxmyrtRE9p9ZDPBa+nY9N4hYZeFSt9
B2skY8n4PX3ak25x1e9ZqxzJ2ThxMuieyhRt7iplcl5f6eYO04xtXWU4srKEDflq
mNYvyB6ht8G607TZK1fnDEcvhBVcQiximJ4cq5xwNr4aPmkcGBXDpye3pL2Rsl6W
tTLjCvTDkBJZlaqevs1fvGos4D9a1qiDbmUhC6r88B1vCflzeA==
-----END CERTIFICATE-----
Output of curl https://www.ben.com (both on the VM (10.0.0.50) and on the local Fedora machine):
<h1>Test Page</h1>
<h1>IP is: 10.0.0.50</h1>
i.e. the HTML of the site.
Google Chrome error output:
Your connection is not private
Attackers might be trying to steal your information from www.ben.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
To get Chrome’s highest level of security, turn on enhanced protection
This server could not prove that it is www.ben.com; its security certificate does not specify Subject Alternative Names. This may be caused by a misconfiguration or an attacker intercepting your connection.
Proceed to www.ben.com (unsafe)
When I run the command:
openssl req -new -subj "/C=IL/CN=www.ben.com" \
-addext "subjectAltName = DNS:www.ben.com" \
-addext "certificatePolicies = 1.2.3.4" \
-newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt
I get:
Error Loading command line extensions
140221663946560:error:0D064083:asn1 encoding routines:a2d_ASN1_OBJECT:invalid separator:crypto/asn1/a_object.c:87:
140221663946560:error:2208206E:X509 V3 routines:r2i_certpol:invalid object identifier:crypto/x509v3/v3_cpols.c:141:section:<NULL>,name:10.0.0.50,value:<NULL>
140221663946560:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:crypto/x509v3/v3_conf.c:47:name=certificatePolicies, value=10.0.0.50
After running that command and then systemctl restart httpd, I get the following error in the /var/log/httpd/error_log file:
[Wed May 26 15:14:21.750982 2021] [ssl:emerg] [pid 37460:tid 140170087201088] AH02562: Failed to configure certificate www.ben.com:443:0 (with chain), check /etc/ssl/certs/apache-selfsigned.crt
[Wed May 26 15:14:21.750994 2021] [ssl:emerg] [pid 37460:tid 140170087201088] SSL Library Error: error:0909006C:PEM routines:get_name:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
Answer 1
Your certificate is not valid for Chrome because it only contains a Common Name and no Subject Alternative Name (subjectAltName).
Starting with Chrome 58, Google rejects certificates that do not contain a Subject Alternative Name: https://bugs.chromium.org/p/chromium/issues/detail?id=308330
Therefore you must add a Subject Alternative Name extension specifying the domain name to the certificate.
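As an added example (not part of the question or the answer above), the following shell script generates a self-signed certificate that carries the subjectAltName extension Chrome requires and then checks the result. It also covers the second error in the question: the asker's second openssl command omits -x509, so it writes a certificate signing request ("BEGIN CERTIFICATE REQUEST") into the .crt file, which is why Apache then failed with "no start line (Expecting: TRUSTED CERTIFICATE)". Assumptions: OpenSSL 1.1.1 or newer (needed for -addext), a writable temporary directory for the demo, and the domain www.ben.com from the question; on the real host substitute the /etc/ssl/private and /etc/ssl/certs paths from the question.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Generates a self-signed certificate with a subjectAltName and checks it.
# Assumptions: OpenSSL >= 1.1.1 (for -addext), a temp dir for the demo,
# and the question's domain www.ben.com.
set -eu

# make_selfsigned_cert DOMAIN KEYFILE CRTFILE [yes|no]
# The 4th argument controls the SAN extension: "yes" (default) adds
# subjectAltName=DNS:DOMAIN, "no" reproduces the question's CN-only cert.
# -x509 is what makes `openssl req` emit a certificate; without it (as in
# the question's second command) the output is a CSR, not a certificate.
make_selfsigned_cert() {
    domain=$1; keyfile=$2; crtfile=$3; with_san=${4:-yes}
    if [ "$with_san" = yes ]; then
        set -- -addext "subjectAltName = DNS:${domain}"
    else
        set --
    fi
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=IL/CN=${domain}" "$@" \
        -keyout "$keyfile" -out "$crtfile" 2>/dev/null
}

# pem_type FILE: prints the PEM label of the first block in FILE, e.g.
# "CERTIFICATE" (usable as SSLCertificateFile) or "CERTIFICATE REQUEST".
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# cert_sans CRTFILE: prints the subjectAltName entries ("DNS:www.ben.com"),
# or nothing when the certificate has no SAN extension at all.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# cert_matches_host CRTFILE HOST: succeeds when OpenSSL's own hostname check
# accepts CRTFILE for HOST, using the certificate as its own trust anchor.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# demo: build the CN-only and the SAN variant side by side and report
# the PEM type and SAN of each.
demo() {
    dir=$(mktemp -d)
    for san in no yes; do
        make_selfsigned_cert www.ben.com "$dir/$san.key" "$dir/$san.crt" "$san"
        echo "with_san=$san: type=$(pem_type "$dir/$san.crt")" \
             "SAN='$(cert_sans "$dir/$san.crt")'"
    done
    rm -rf "$dir"
}

if [ "${1:-}" = run ]; then demo; fi
```

Run it as `sh selfsigned-san.sh run`. One caveat worth knowing: cert_matches_host passes for the CN-only certificate as well, because OpenSSL falls back to the Common Name when a certificate has no SAN entries; curl inherits that behaviour, which is why curl succeeded in the question while Chrome, which ignores the CN, did not.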