We have set up LDAPS with a public certificate:
Signature Algorithm: sha256WithRSAEncryption
Issuer: (CA ID: 105493)
commonName = Sectigo RSA Domain Validation Secure Server CA
organizationName = Sectigo Limited
localityName = Salford
stateOrProvinceName = Greater Manchester
countryName = GB
Validity
Not Before: Sep 3 00:00:00 2019 GMT
Not After : Sep 2 23:59:59 2021 GMT
Subject:
commonName = dc-1.ad.example.com
organizationalUnitName = PositiveSSL
organizationalUnitName = Domain Control Validated
So it is still valid.
This morning we found that the LDAPS connection to the server no longer works:
# openssl s_client -connect dc-1.ad.example.com:636
CONNECTED(00000003)
depth=0 CN = dc-1.ad.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = dc-1.ad.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = dc-1.ad.example.com
We realised that AD appears to have issued a self-signed certificate:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1d:00:00:00:*redacted*
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC = com, DC = example, DC = ad, CN = ad-DC-1-CA
Validity
Not Before: May 31 01:21:28 2021 GMT
Not After : May 31 01:21:28 2022 GMT
To fix this, we deleted the self-signed certificate from the certificate store on the Active Directory server.
Now, about 12 hours later, the same thing has happened again, and a self-signed certificate like this one has replaced the official certificate:
Not Before: May 31 13:40:04 2021 GMT
Has anyone seen this behaviour? What causes it?
EDIT
This is the official certificate:
X509v3 Subject Alternative Name:
DNS:dc-1.ad.example.com, DNS:www.dc-1.ad.example.com
This is the auto-generated one:
X509v3 Subject Alternative Name:
othername:<unsupported>, DNS:dc-1.ad.example.com
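The symptom described in this question is easy to miss because the replacement certificate still carries the right DNS name in its SAN, so a plain hostname check passes; only the issuer (and the fingerprint) changed. The following Go program is an added example, not code from the question or from any Active Directory tooling: it fetches the leaf certificate an LDAPS endpoint presents (the same view `openssl s_client` gives, with chain verification deliberately not enforced so the inspection works even when the chain is broken) and compares it against a pinned expectation of issuer CN, DNS name and, optionally, SHA-256 fingerprint. The `Expectation` type, the `CheckLeaf`/`FetchLeaf`/`Fingerprint` functions and the `newTestCert` helper are all hypothetical names introduced here; the two certificates built in `main` are constructed test data that mimic the issuer CNs and SANs shown in the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Expectation is what the operator pins for the LDAPS certificate of one DC.
type Expectation struct {
	IssuerCN     string // CN of the CA that should have issued the leaf
	DNSName      string // host name the clients connect to
	PinnedSHA256 string // optional hex SHA-256 of the expected leaf (DER)
}

// Fingerprint returns the hex SHA-256 of the certificate's DER encoding.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// CheckLeaf compares a presented leaf against the expectation and returns
// human-readable findings; an empty slice means the certificate matches.
func CheckLeaf(cert *x509.Certificate, want Expectation) []string {
	var findings []string
	if cert.Issuer.CommonName != want.IssuerCN {
		findings = append(findings, fmt.Sprintf("issuer changed: got %q, want %q",
			cert.Issuer.CommonName, want.IssuerCN))
	}
	// VerifyHostname only consults the SAN, so a SAN that still lists the DC
	// name passes here even when the issuer was swapped for the enterprise CA.
	if err := cert.VerifyHostname(want.DNSName); err != nil {
		findings = append(findings, fmt.Sprintf("SAN does not cover %s: %v", want.DNSName, err))
	}
	if want.PinnedSHA256 != "" && Fingerprint(cert) != want.PinnedSHA256 {
		findings = append(findings, "leaf fingerprint differs from the pinned certificate")
	}
	return findings
}

// FetchLeaf connects to an LDAPS endpoint (host:636) and returns the leaf it
// presents. Chain verification is skipped on purpose: this is an inspection
// tool that must still work when the chain is broken, as in the question.
func FetchLeaf(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented by %s", addr)
	}
	return certs[0], nil
}

// newTestCert builds a constructed test certificate whose Issuer CN is
// issuerCN, so the two situations from the question can be reproduced offline.
func newTestCert(issuerCN, subjectCN string, dns []string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: subjectCN},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	want := Expectation{IssuerCN: "Sectigo RSA Domain Validation Secure Server CA", DNSName: "dc-1.ad.example.com"}
	public := newTestCert(want.IssuerCN, "dc-1.ad.example.com", []string{"dc-1.ad.example.com", "www.dc-1.ad.example.com"})
	enrolled := newTestCert("ad-DC-1-CA", "dc-1.ad.example.com", []string{"dc-1.ad.example.com"})
	fmt.Println("public cert findings:  ", CheckLeaf(public, want))
	fmt.Println("enrolled cert findings:", CheckLeaf(enrolled, want))
}
```

Run against a live DC with `FetchLeaf("dc-1.ad.example.com:636")` on a schedule and alert on any non-empty result; pinning the fingerprint of the intended certificate catches a swap even if the enterprise CA's CN were ever to coincide with the expected one.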