Apache, SSL, UCC: doesn't work on the CN, but works on subjectAltName

I recently for

  • domain1.com
  • *.domain1.com
  • domain2.com
  • *.domain2.com

Now when I visit http://domain1.com in Firefox I get:

domain1.com uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown.
The certificate is only valid for the following names:
  *.domain1.com , domain2.com , *.domain2.com

(Error code: sec_error_unknown_issuer)

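It complains that the SSL is

  • issued by an untrusted authority - this is fine...
  • and not valid for the domain in question

Here is my SSL certificate in text form: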

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=Example-CA/[email protected]
        Validity
            Not Before: Oct 28 11:26:20 2010 GMT
            Not After : Oct 28 11:26:20 2011 GMT
        Subject: C=US, ST=Connecticut, L=Stamford, O=Example, Inc., CN=domain1.com/[email protected]
        Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:b8:bf:9a:73:a0:6e:b6:2d:98:97:74:03:fc:76:
                    44:36:1d:e8:e8:49:2c:02:01:45:77:24:fb:cc:37:
                    22:af:8c:41:2d:92:63:74:e3:08:81:59:49:2b:96:
                    22:bd:2e:f9:55:dd:d9:cb:7e:e8:bd:ce:15:24:87:
                    2d:9b:1a:9c:8e:bd:fe:20:99:cf:8c:29:d2:92:af:
                    5f:dc:7e:17:5e:25:e6:c2:bf:70:79:0f:e9:78:74:
                    a4:6c:15:4f:8b:c7:45:11:d0:4c:f0:05:85:cf:c0:
                    bc:37:e5:c7:45:fd:8e:05:37:c1:aa:50:ef:14:ab:
                    55:f9:7d:79:b7:1e:bd:83:bd:cf:59:25:e0:d9:99:
                    17:d7:00:46:8b:86:58:bf:66:1a:77:e0:a6:35:81:
                    45:51:0a:e7:86:f6:40:c7:73:a7:4a:b8:c4:66:5d:
                    dd:8b:9a:0f:8c:48:05:d5:bf:53:bc:e6:5b:60:3c:
                    50:21:a2:2c:e5:e1:15:eb:14:18:3d:f0:80:59:08:
                    74:f8:e7:d5:e9:7d:82:73:f2:f1:dc:e8:d9:7f:46:
                    d5:68:eb:c0:e2:6b:f1:6f:90:c3:af:66:d5:f3:24:
                    93:a1:9f:bd:a9:62:c9:0a:76:8e:b4:a1:28:4e:b7:
                    09:e3:90:99:44:4d:3e:4d:89:ec:7c:7f:ac:b5:77:
                    e3:8d:af:e3:da:09:98:51:09:bf:76:ac:d9:1a:34:
                    0c:4c:3c:43:eb:47:d6:b7:ed:d4:42:35:09:a0:b2:
                    98:3f:ad:b7:d1:49:4d:df:72:07:48:6c:3e:df:67:
                    6a:48:14:4b:0c:d4:48:37:a5:c8:f6:7b:4d:d3:01:
                    3f:32:e8:a9:ef:92:55:cb:24:25:9f:c0:98:53:d2:
                    0b:fa:30:3d:3d:c5:9d:90:cd:bf:c8:01:d3:7a:c2:
                    3a:78:b7:db:eb:c2:ee:de:bc:5c:c4:74:af:5a:23:
                    08:e5:8c:df:ec:0d:f1:b3:7a:86:88:99:17:e8:d9:
                    81:b2:3c:eb:40:d9:b3:09:82:5b:e0:fa:84:68:ed:
                    c6:2c:c9:59:93:c3:f8:80:70:67:1f:6c:f8:3c:25:
                    63:95:ee:de:e2:ba:92:34:b0:f8:a1:53:5b:22:d9:
                    f3:d3:4c:1a:91:12:e6:0d:af:e3:99:3a:29:d0:ba:
                    57:d3:08:3d:a1:2f:91:61:a2:86:f6:f8:33:61:dc:
                    da:39:82:03:25:f3:88:5a:8a:88:e3:be:5e:78:1b:
                    c2:74:a4:c8:0f:66:18:2a:1e:a0:a9:ac:1c:71:50:
                    81:b5:6e:d4:2a:c3:b6:bd:85:ea:ef:72:3d:76:08:
                    79:d5:59:6a:b4:f2:54:33:61:76:49:13:93:95:e5:
                    86:2a:c7
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                    OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                3F:40:13:7E:25:04:0A:B9:0F:5F:DE:5E:9D:55:94:10:EE:F2:2B:B0
            X509v3 Authority Key Identifier: 
                keyid:8E:C4:D5:F3:69:12:A9:75:DA:0D:9B:59:11:C8:DE:53:67:C0:DA:1B

            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:*.domain1.com, DNS:domain2.com, DNS:*.domain2.com
    Signature Algorithm: sha1WithRSAEncryption
        20:cd:15:09:9a:0b:7b:90:bd:db:83:fd:21:15:9a:32:21:8e:
        98:42:28:63:8b:fe:9c:36:73:9e:2f:2c:87:af:a4:0d:01:06:
        f4:5e:c1:76:d9:3b:ab:85:90:87:8e:8a:63:a8:d8:49:82:98:
        a3:4b:4e:dc:fe:4f:af:6e:86:4c:64:55:74:ca:cd:7b:db:4a:
        b8:b0:ad:f5:75:c3:92:da:a7:2c:72:d0:dd:2e:0b:78:85:91:
        03:fd:51:40:df:58:02:c1:ab:c8:5d:09:4a:7c:15:e3:ec:30:
        13:ea:b3:26:bc:56:a2:66:a0:5d:d7:26:9c:f9:24:47:a7:55:
        15:5f:8a:d0:02:92:fd:f9:4d:40:74:7a:c1:a5:85:bc:83:ff:
        c5:d7:1d:97:48:e3:58:c6:c3:b9:ba:65:f7:ba:c8:db:86:13:
        32:48:42:fe:cf:07:58:47:3d:66:bd:87:c2:40:86:1b:3b:82:
        01:e1:57:7f:04:89:9c:45:2e:d9:7c:ae:cf:4f:87:50:0a:f0:
        ff:f6:b3:c1:ce:24:21:1c:2f:3c:62:80:a6:5d:3b:61:6c:b7:
        e4:22:c0:ed:a5:07:c5:a9:ad:e5:26:24:f2:d0:29:3e:b7:dc:
        b6:3a:2c:76:ee:a5:8e:ba:cf:bf:65:b3:40:93:9f:ad:82:1b:
        b2:d6:28:4c:2c:6b:3c:db:da:5f:73:20:3d:1b:59:13:93:de:
        cd:03:df:e8:fa:13:1f:9d:30:99:83:0b:12:60:63:65:64:d8:
        1e:3f:7e:4b:3a:fe:e4:19:db:55:f5:95:cc:77:f6:64:5b:53:
        4b:d0:e0:30:35:91:81:b8:65:2d:81:4e:1f:aa:c8:b3:d2:d8:
        7d:85:47:49:1d:a5:bc:65:16:a5:bb:3e:ea:12:f4:70:e7:11:
        59:52:d8:2b:5d:4e:14:5f:d3:ae:45:69:17:61:bc:43:dc:9a:
        03:c2:8b:79:f3:39:f4:a4:7f:f7:3c:c5:b7:9e:df:52:1b:41:
        8d:c4:5e:bf:5e:17:3e:c8:07:6f:35:47:a4:32:0f:8d:cc:ad:
        45:0e:72:a5:74:0d:08:64:cf:da:79:cb:e2:c5:73:78:ff:f6:
        fc:c8:b3:d2:88:ea:03:10:36:eb:d5:79:d6:97:99:17:cd:e3:
        17:cc:2a:27:0f:ff:41:84:8e:38:f0:b0:c2:7d:cb:b2:a1:40:
        af:74:98:fb:87:15:53:68:24:39:cb:8e:63:cf:c0:56:b3:7c:
        2f:39:5e:bd:6e:cf:5a:43:37:f6:20:db:34:65:48:8f:0e:49:
        6c:66:a5:a5:70:2f:09:d6:0f:ed:f8:86:a2:17:67:2b:fe:d3:
        aa:7b:56:7d:63:c3:17:a0

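Answer 1

You need to include domain1.com as a subject alternative name. If subject alternative names are present, most browsers ignore the common name in the subject. That is why Firefox considers the certificate invalid for: https://domain1.com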
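
The matching rule the answer describes, as an added example that is not part of the original answer: a minimal hostname check in the style of RFC 6125, run against the CN and SAN values from the certificate dump in the question. The function names and `FIXED_SAN` are hypothetical; `FIXED_SAN` assumes the certificate is reissued with `DNS:domain1.com` added.

```python
# Added illustration: how a TLS client decides which names a certificate covers.
# CN and SAN values are copied from the certificate dump in the question.

def _name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name; '*' is only honoured as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        # '*.domain1.com' has 3 labels, 'domain1.com' has 2: never a match.
        return False
    if p_labels[0] == "*":
        # The wildcard stands for exactly one label; the rest must be identical.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_valid_for(host, common_name, san_dns):
    """Return (ok, field) where field names the part of the cert that decided."""
    if san_dns:
        # Any dNSName entry present: the subject CN is not consulted at all.
        return any(_name_matches(n, host) for n in san_dns), "subjectAltName"
    # Legacy fallback, used only when the certificate carries no dNSName SAN.
    return _name_matches(common_name, host), "commonName"


QUESTION_CN = "domain1.com"
QUESTION_SAN = ["*.domain1.com", "domain2.com", "*.domain2.com"]
FIXED_SAN = ["domain1.com"] + QUESTION_SAN  # assumed reissued certificate

HOSTS = ["domain1.com", "www.domain1.com", "domain2.com", "a.b.domain2.com"]


def report(san_dns):
    """Map each sample host to whether the certificate would be accepted."""
    return {h: cert_valid_for(h, QUESTION_CN, san_dns)[0] for h in HOSTS}


if __name__ == "__main__":
    print("as issued:", report(QUESTION_SAN))
    print("with apex:", report(FIXED_SAN))
```
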
