On my server I have several virtual hosts using apache2. Some use the domain *.example-one.org, some *.example-two.org. Each domain has its own wildcard certificate.
When I retrieve the certificate with openssl s_client, the output looks like this:
$ openssl s_client -connect sub.example-one.org:443
CONNECTED(00000003)
[...] CN = *.example-two.org, emailAddress [...]
verify error:num=18:self signed certificate
verify return:1
[...] CN = *.example-two.org, emailAddress [...]
verify return:1
---
[...]
Verify return code: 18 (self signed certificate)
---
and with gnutls-cli:
$ gnutls-cli -p 443 sub.example-one.org
Processed 164 CA certificate(s).
Resolving 'sub.example-one.org'...
Connecting to '14x.xxx.xxx.xxx:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
- subject `[...]CN=*.example-one.org[...]', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-07-11 12:30:31 UTC', expires `2015-07-11 12:30:31 UTC', SHA-1 fingerprint `94ddfd0d74e0352521af511c1d08c71e5314fae4'
[...]
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
(I have shortened the output with "[...]")
Firefox gets (like gnutls) the correct certificate...
Why the difference?
Answer 1
If you use several certificates behind the same IP address, you must use SNI (Server Name Indication). Browsers do this by default, and gnutls may do so as well, but s_client does not, so you have to use openssl s_client -servername sub.example.org -connect ...