无法找到有效的根 CA 证书,该证书可能会显示浏览器警告

tag-icon tag-icon windows ssl apache-2.4 ssl-certificate
无法找到有效的根 CA 证书,该证书可能会显示浏览器警告

我正在尝试让 Telegram Webhook 与我的本地机器一起工作,但它没有发出请求。我认为这是因为证书问题

以下是 geocerts.com/ssl-checker 的内容:

截屏

这是我的 Apache 配置:

<IfModule ssl_module>
<VirtualHost *:%httpsport%>

    DocumentRoot    "%hostdir%"
    ServerName      "%host%"
    ServerAlias     "%host%" %aliases%
    ScriptAlias     /cgi-bin/ "%hostdir%/cgi-bin/"

    SSLEngine       on
    #Header always set          Strict-Transport-Security "max-age=94608000"

    SSLCACertificateFile       "%sprogdir%/userdata/config/cert_files/xxx/xxx-rootCA.crt"
    SSLCertificateChainFile    "%sprogdir%/userdata/config/cert_files/xxx/xxx-bundle.crt"

    SSLCertificateFile          "%sprogdir%/userdata/config/cert_files/xxx/xxx-server.crt"
    SSLCertificateKeyFile       "%sprogdir%/userdata/config/cert_files/xxx/xxx-server.key"

    SetEnvIf User-Agent ".*MSIE [1-5].*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

    SetEnvIf User-Agent ".*MSIE [6-9].*" \
    ssl-unclean-shutdown

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions              +StdEnvVars
    </FilesMatch>

    <Directory "%hostdir%/cgi-bin/">
        SSLOptions              +StdEnvVars
    </Directory>

</VirtualHost>
</IfModule>

我使用以下脚本生成了这些证书:

: Version 1.0
: Author unknown (improved by Kama - wp-kama.ru)
@echo off

: parameters
set DOM=xxx.info
set DOM_KEY=xxx
set APACHE_VER=Apache-PHP-7.2-x64

: create .txt config file
set config_txt=generate-temp-config.txt
(
    echo nsComment = "Open Server Panel Generated Certificate"
    echo basicConstraints = CA:false
    echo subjectKeyIdentifier = hash
    echo authorityKeyIdentifier = keyid,issuer
    echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    echo.
    echo subjectAltName = @alt_names
    echo [alt_names]
    echo DNS.1 = %DOM%
    echo DNS.2 = www.%DOM%
) > %config_txt%

mkdir %DOM_KEY%

set OSAPACHE_DIR=%~dp0..\..\..\modules\http\%APACHE_VER%
set OPENSSL_CONF=%OSAPACHE_DIR%\conf\openssl.cnf
"%OSAPACHE_DIR%\bin\openssl" req -x509 -sha256 -newkey rsa:2048 -nodes -days 5475 -keyout %DOM_KEY%\%DOM_KEY%-rootCA.key -out %DOM_KEY%\%DOM_KEY%-rootCA.crt -subj /CN=OSPanel-%DOM_KEY%/
"%OSAPACHE_DIR%\bin\openssl" req -newkey rsa:2048 -nodes -days 5475 -keyout %DOM_KEY%/%DOM_KEY%-server.key -out %DOM_KEY%\%DOM_KEY%-server.csr -subj /CN=%DOM_KEY%/
"%OSAPACHE_DIR%\bin\openssl" x509 -req -sha256 -days 5475 -in %DOM_KEY%\%DOM_KEY%-server.csr -extfile %config_txt% -CA %DOM_KEY%\%DOM_KEY%-rootCA.crt -CAkey %DOM_KEY%\%DOM_KEY%-rootCA.key -CAcreateserial -out %DOM_KEY%\%DOM_KEY%-server.crt
"%OSAPACHE_DIR%\bin\openssl" dhparam -out %DOM_KEY%\%DOM_KEY%-dhparam.pem 2048

del %DOM_KEY%\%DOM_KEY%-server.csr
del %DOM_KEY%\%DOM_KEY%-dhparam.pem
del %DOM_KEY%\%DOM_KEY%-rootCA.srl
del %config_txt%

pause

我不太熟悉证书,而且目前也没有太多时间,所以我需要帮助。

答案1

您自己生成证书,当然没有其他人会信任它们;这就是证书的全部意义所在。

您应该从公共认证机构获取证书(或使用免费解决方案,如 Let's Encrypt)。

相关内容