无法验证第一个证书(RapidSSL/GeoTrust/Ubuntu)

tag-icon tag-icon ssl-certificate openssl
无法验证第一个证书(RapidSSL/GeoTrust/Ubuntu)

一直试图让 Ubuntu 识别 GeoTrust SAN 证书,但没有成功。浏览器运行正常。帮忙吗?

$ openssl s_client -showcerts -connect artsyapi.com:443
CONNECTED(00000003)
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 4660944, C = US, ST = New York, L = New York, O = Artsy Inc., CN = artsy.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 4660944, C = US, ST = New York, L = New York, O = Artsy Inc., CN = artsy.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 4660944, C = US, ST = New York, L = New York, O = Artsy Inc., CN = artsy.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=4660944/C=US/ST=New York/L=New York/O=Artsy Inc./CN=artsy.net
   i:/C=US/O=GeoTrust Inc/OU=See www.geotrust.com/resources/cps (c)06/CN=GeoTrust Extended Validation SSL CA
-----BEGIN CERTIFICATE-----
MIIFfDCCBGSgAwIBAgICUFIwDQYJKoZIhvcNAQEFBQAwgYUxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxHZW9UcnVzdCBJbmMxMTAvBgNVBAsTKFNlZSB3d3cuZ2VvdHJ1
c3QuY29tL3Jlc291cmNlcy9jcHMgKGMpMDYxLDAqBgNVBAMTI0dlb1RydXN0IEV4
dGVuZGVkIFZhbGlkYXRpb24gU1NMIENBMB4XDTEzMDExNzIxMTE0N1oXDTE0MDEy
MDExMTAxM1owgb0xHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYL
KwYBBAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYD
VQQFEwc0NjYwOTQ0MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAP
BgNVBAcTCE5ldyBZb3JrMRMwEQYDVQQKEwpBcnRzeSBJbmMuMRIwEAYDVQQDEwlh
cnRzeS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDoN6pmvv8V
6BhF4gRMzMV+5sSjQDNrhyqV2NMdDOzwqoTHGVMvyD+AJC9kaP6WmH/S8MlA6LmW
b/Z0RvDplD6Wvyoz5MJsHaeCwVThOs1fVLY4PYMky154515RF9H1rui4nz3KXUfP
bm6MeAZY7FStRM/Uep9LhewR/qXEfLocNEfb92piTJ/UtsiLtTbfeZKYxFe/IpMO
EMADQmhEBEXOq2ozcvwnwNBDHwApxhE88z2/mzUTHZl40fLnWI4S2tSVZZwOI45p
VMiu3XwVwzCCMmosm5k3B3l6swFlSOH+WDUTwEbnmxa4HRdQWAIFHsT3cTT28VyW
LIAbw8lSstKjAgMBAAGjggG6MIIBtjAfBgNVHSMEGDAWgBQoxOuP8V95kKMrVcNW
Tn1rU3IsGDBuBggrBgEFBQcBAQRiMGAwKgYIKwYBBQUHMAGGHmh0dHA6Ly9FVlNT
TC1vY3NwLmdlb3RydXN0LmNvbTAyBggrBgEFBQcwAoYmaHR0cDovL0VWU1NMLWFp
YS5nZW90cnVzdC5jb20vZXZjYS5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBVBgNVHREETjBMghBzZWN1cmUuYXJ0c3ku
bmV0gg13d3cuYXJ0c3kubmV0ggxhcnRzeWFwaS5jb22CEHd3dy5hcnRzeWFwaS5j
b22CCWFydHN5Lm5ldDBCBgNVHR8EOzA5MDegNaAzhjFodHRwOi8vRVZTU0wtY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0ZXh0dmFsY2EuY3JsMAwGA1UdEwEB/wQCMAAw
SwYDVR0gBEQwQjBABgkrBgEEAfAiAQYwMzAxBggrBgEFBQcCARYlaHR0cDovL3d3
dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczANBgkqhkiG9w0BAQUFAAOCAQEA
owIpFaZH6wTdC05Bs++zElThmUdPuh2g9JXGjt8vWcZZg929s5I+grNIw1YEU5AC
aZBvw/imGFYECuVBbLZt3EGYewkFlUfVPcprVhHDDYZASlddN71fR/N9w4Y+A1io
sYS+yBjYOEpP8fTJAHkRK9nhqQ3/lnMQoFdy4yt/YL/k14dX9uFjoQuts1TLOwdk
VfCe/F/+Xme9WUZY2l9TE+TsqMg33C2O+Of/Im5rH+RkkkfE8nyzLMjWVGrofhiJ
jUw294H52QnouV/EPnzQgHmKmlb0AjqwG2zwFM2LlcJIEeZVLQ64mRyLENYN8TeZ
PcoaJf0Y9Qhecr51uvdwtQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=4660944/C=US/ST=New York/L=New York/O=Artsy Inc./CN=artsy.net
issuer=/C=US/O=GeoTrust Inc/OU=See www.geotrust.com/resources/cps (c)06/CN=GeoTrust Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2275 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DB973C054A9552ED83D591518D0F81E77AC548CE91450602E3C72ACCDD1C2E8E
    Session-ID-ctx: 
    Master-Key: AEB7BC9F1077B2BE36D9E5020D873736227A9BE9271F673AA8825073FEA96CA6C37AC41E75C8B56F07220A205B49ADB9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e3 e1 6d 3e 5e 73 78 88-0e a2 79 e1 cf 05 91 90   ..m>^sx...y.....
    0010 - 07 90 cb 53 60 be 78 85-c3 08 b0 a6 8e ae d0 7b   ...S`.x........{
    0020 - 7c 71 d4 b8 a8 40 29 14-dc d2 12 39 a0 1d f0 fa   |q...@)....9....
    0030 - 3d d7 9b 6a cb fe 87 29-5f b6 d4 94 d2 4a e3 d4   =..j...)_....J..
    0040 - b2 f5 db ed d3 c3 43 2a-7a 64 65 8e bd 7a e6 46   ......C*zde..z.F
    0050 - d5 b6 5e da ee 09 e0 50-24 ec 3e 17 c4 90 b9 16   ..^....P$.>.....
    0060 - 7e 60 c5 f5 50 03 f9 b4-41 5b 6c 13 6d 75 e9 7c   ~`..P...A[l.mu.|
    0070 - 2c a5 2b 48 b0 06 61 06-90 99 ed 97 f6 db f9 b2   ,.+H..a.........
    0080 - 4c 35 7e 7e 87 a0 92 41-b6 f4 16 35 d9 af de b4   L5~~...A...5....
    0090 - 19 11 0d 92 38 b9 a8 d2-f6 e7 0b d5 aa f9 90 7b   ....8..........{

    Start Time: 1368999775
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

答案1

这有效:

RapidSSL 作为“证书链”提供的 2 个证书已从 CA 文件(在 nginx 配置中声明为ssl_client_certificate)中删除,并附加到证书文件(声明为ssl_certificate)。

换句话说,最终的配置如下所示:

 ssl_certificate /etc/nginx/ssl/artsyapi.com/crt;  # original cert plus 2 from chain
 ssl_certificate_key /etc/nginx/ssl/artsyapi.com.key;  # key (unchanged)
 ssl_client_certificate /etc/nginx/ssl/artsyapi.com.ca;  # now empty

答案2

我怀疑您缺少证书存储中的根证书。您需要下载根 geotrust 证书,将其复制到/etc/ssl/certs/,然后c_rehash在该目录中运行。

相关内容