GitLab server's certificate is not valid for the "Subject Alternative Name"


My company owns https://data.ddl.at, which includes gitlab.ddl.at as a SAN (Subject Alternative Name). This GitLab server is internal; the domain name is resolved only by our internal DNS server. For reference, there is also the SAN https://sicher.ddl.at, which is public and is valid in the browser.

I have configured this certificate on the GitLab server, and when I go to gitlab.ddl.at, the certificate is verified by the browser and treated as valid.

The problem appears when I try to use GitLab Runner. I installed and registered one on another machine; after some initial trouble I got it to connect to the main instance, but jobs still cannot check out submodules, and the runner gets server certificate verification failed.

Now, what I think is the symptom of the root of the problem: if I run openssl s_client -connect data.ddl.at:443, I get:

CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = FN 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Str. 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = FN 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Str. 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
[...]

And at the end: Verify return code: 0 (ok)

Now when I run openssl s_client -connect gitlab.ddl.at:443, I get:

CONNECTED(00000005)
depth=0 businessCategory = Private Organization, serialNumber = 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Stra\C3\9Fe 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Stra\C3\9Fe 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Stra\C3\9Fe 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
---
Server certificate
[...]

The first error is unable to get local issuer certificate.

I also tried with the publicly accessible sicher.ddl.at, but I get the same error as with gitlab.ddl.at.

The certificate it gets is data.ddl.at, but it has the SAN gitlab.ddl.at; shouldn't that make it valid? What am I doing wrong?

Answer 1

It looks like the server gitlab.ddl.at is missing the issuer certificate.

If the client and the server do not have the correct root and intermediate certificates, you may run into verification errors.

I always make sure to install the full chain on the server, so that all clients receive every certificate in the chain.

You have several options.

  1. Export the full chain from data.ddl.at and import it into gitlab.ddl.at

  2. Use a tool such as OpenSSL to combine the certificate chain into a single certificate file, then install it on gitlab.ddl.at

  3. Install all certificates in the chain on the server.
