I have a local network in which the [SERVER] server has the IP address 192.168.88.201 and the hostname local.mydomain.com. This server is Ubuntu 18.04.6 LTS running Apache+PHP. It also has a Let's Encrypt SSL certificate installed with certbot.
When I use another computer on the local network, SSL works fine: https://local.mydomain.com -> Chrome shows the certificate as valid.
The problem appears when the server connects to itself and considers the certificate invalid.
I am stuck here because I have no idea where the problem could be. Do you have any suggestions?
For example, in a terminal on [SERVER]:
root@server:/tmp# wget https://local.mydomain.com
--2022-01-07 07:47:18-- https://local.mydomain.com/
Resolving local.mydomain.com (local.mydomain.com)... 192.168.88.201
Connecting to local.mydomain.com (local.mydomain.com)|192.168.88.201|:443... connected.
ERROR: cannot verify local.mydomain.com's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
Unable to locally verify the issuer's authority.
To connect to local.mydomain.com insecurely, use `--no-check-certificate'.
root@server:/tmp# openssl s_client -connect local.mydomain.com:443 -prexit > a.txt
CONNECTED(00000005)
---
Certificate chain
0 s:CN = local.mydomain.com
i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=CN = local.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2005 bytes and written 402 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
HTTP/1.1 400 Bad Request
Date: Fri, 07 Jan 2022 06:53:07 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at local.mydomain.com Port 443</address>
</body></html>
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: E5F662F909BA717C5FA0D6DBBDA777CA284E164FACC4784915D7E08DF39B63DB
Session-ID-ctx:
Resumption PSK: FFA7F4A4502316545E4147887CE4A7D552DDF54A92A8C2B5D87601BEA01B8DDEC2292004635AC152E71188CEDEF099CE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 ****
Start Time: 1641538382
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: BABB13C496B291A43F4FDDCD20FE5568574F79ACA2D06203A53D9072FBE3A2C8
Session-ID-ctx:
Resumption PSK: 90F330C4D3B9BA54DB4CA687400E692CC7AF250F7E6A58493D579A9DD6C3DBA3E5B1F2BA94DA7AEA8CF483C2FB19211B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ***
Start Time: 1641538382
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Certificate chain
0 s:CN = local.mydomain.com
i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=CN = local.mydomain.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3152 bytes and written 450 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
Answer 1
Certificate chain
0 s:CN = local.mydomain.com
i:C = US, O = Let's Encrypt, CN = R3
The server is misconfigured and sends only an incomplete chain; the intermediate certificate is missing. A correctly configured site returns the additional intermediate certificate, which in turn points to ISRG Root X1. Let's Encrypt runs an example server for this:
$ openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443
...
Certificate chain
0 s:CN = valid-isrgrootx1.letsencrypt.org
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"When using another computer... Chrome shows the certificate as valid."
Browsers can usually work around this kind of misconfiguration by downloading the missing intermediate certificate or using a cached copy. Other clients do not. So checking only that it works in a browser is not a good idea. Use the SSL Labs test site instead; it will report "Chain issues" as the problem you are seeing.