My LetsEncrypt SSL certificate is not trusted


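According to https://www.digicert.com/help/, my certificate for https://sqless.ddns.net (my Apache XAMPP REST web service) is not trusted because:

SSL certificate is not trusted

The certificate is not signed by a trusted authority (checked against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more intermediate certificates. Contact your certificate provider for help with your server platform.

This is strange, because both Google and Firefox show the green padlock, along with "Secure" on Chrome.

I used a tutorial to set up SSL on my server. These are my virtual hosts in C:\xampp\apache\conf\extra\httpd-vhosts.conf: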

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName sqless.ddns.net
    
    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin [email protected]
    ServerName sqless.ddns.net
    
    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^sqless.ddns.net$ [NC]
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]

    Alias /.well-known C:/xampp/htdocs/.well-known

    SSLEngine on
    SSLCertificateFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
    SSLCertificateKeyFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-key.pem"
    SSLCertificateChainFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
</VirtualHost>

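I used Win-Acme version 1.8.0, available here: https://github.com/PKISharp/win-acme/releases

Am I missing something?

Answer 1

See this report for more details: https://www.ssllabs.com/ssltest/analyze.html?d=sqless.ddns.net shows "This server's certificate chain is incomplete. Grade capped to B."

Note the "Extra download" entry in the "Certification Paths" section. Your server needs to send the intermediate CA. This means SSLCertificateChainFile cannot simply be the same content as SSLCertificateFile.

Look again at the tutorial you referenced and you will see that it shows a difference you did not notice. You can find the CA intermediate certificates on their page: https://letsencrypt.org/certificates/

So your SSLCertificateChainFile needs to contain the intermediate certificate and then the CA certificate, in that order. From the SSLLabs results you can see that your final certificate was issued by "Let's Encrypt X3" (the intermediate CA), which is itself signed by "DST Root CA X3". If you go to https://letsencrypt.org/certificates/ you can find both of them.

You need to put them one after the other in a single file. You should then end up with the following: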


Answer 2

Currently, your chain points to the same file as your certificate. This is incorrect.

SSLCertificateFile ".../sqless.ddns.net-crt.pem"
SSLCertificateChainFile ".../sqless.ddns.net-crt.pem"

Your chain should point to the intermediate certificate.
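A way to catch the misconfiguration both answers describe before a scanner does, as an added example that is not part of the original question or answers: a small lint that reads the vhost file and flags a TLS vhost whose SSLCertificateChainFile is the leaf file again, or that would send fewer than two certificates. The function names, the `C:/certs/...` paths and the sample file contents are constructed placeholders.

```python
import re

# Constructed sample modelled on the question's vhost; C:/certs/... paths are placeholders.
SAMPLE_CONF = '''
<VirtualHost *:443>
    ServerName sqless.ddns.net
    SSLEngine on
    SSLCertificateFile "C:/certs/sqless.ddns.net-crt.pem"
    SSLCertificateKeyFile "C:/certs/sqless.ddns.net-key.pem"
    SSLCertificateChainFile "C:/certs/sqless.ddns.net-crt.pem"
</VirtualHost>
'''
# Constructed stand-in for the files on disk: the leaf file holds exactly one certificate.
SAMPLE_FILES = {
    "C:/certs/sqless.ddns.net-crt.pem":
        "-----BEGIN CERTIFICATE-----\n(leaf body elided)\n-----END CERTIFICATE-----\n",
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r'^[ \t]*(SSL\w+|ServerName)[ \t]+"?([^"\r\n]+?)"?[ \t]*\r?$', re.M | re.I)

def count_pem_certs(pem_text):
    """Number of certificates in a PEM file's text."""
    return pem_text.count("-----BEGIN CERTIFICATE-----")

def norm(path):
    """Compare Windows paths regardless of slash direction and case."""
    return path.replace("\\", "/").lower()

def lint_vhosts(conf_text, read_file):
    """Return (server_name, finding) pairs for TLS vhosts that send no intermediate."""
    findings = []
    for addr, body in VHOST_RE.findall(conf_text):
        d = {k.lower(): v for k, v in DIRECTIVE_RE.findall(body)}
        if d.get("sslengine", "").lower() != "on" or "sslcertificatefile" not in d:
            continue
        name = d.get("servername", addr.strip())
        cert, chain = d["sslcertificatefile"], d.get("sslcertificatechainfile")
        sent = count_pem_certs(read_file(cert))  # leaf, plus any intermediates bundled with it
        if chain and norm(chain) == norm(cert):
            findings.append((name, "chain-file-is-leaf-file"))
        elif chain:
            sent += count_pem_certs(read_file(chain))
        if sent < 2:
            findings.append((name, "no-intermediate-sent"))
    return findings

if __name__ == "__main__":
    for name, finding in lint_vhosts(SAMPLE_CONF, SAMPLE_FILES.__getitem__):
        print(name, finding)
```

Against a real server, pass `lambda p: open(p).read()` as `read_file`. A certificate count of two or more only shows that something besides the leaf is being sent, so confirm the result with the SSL Labs report mentioned in Answer 1.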
