Nginx not serving intermediate certificate

Problem description

I am trying to install an SSL certificate on Nginx (Laravel Forge actually). I have concatenated the certificate with the intermediate and I don't get any errors in the Nginx error log. However, it is not trusted in mobile Chrome - only desktops.

Looking at Qualys ssl test, it says that the Chain is incomplete. I don't see how though.

Here's my Nginx config:

server {
    listen 80;
    server_name **********.com;
    return 301 https://**********.com$request_uri;
}

server {
    listen 443 ssl;
    server_name **********.com;
    root /home/forge/**********.com/public;

    # FORGE SSL (DO NOT REMOVE!)
    ssl on;
    ssl_certificate /etc/nginx/ssl/**********.com/1086/server.pem;
    ssl_certificate_key /etc/nginx/ssl/**********.com/1086/server.key;

    index index.html index.htm index.php;

    charset utf-8;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/**********.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
    }

    location ~ /\.ht {
        deny all;
    }
}

Can anyone help? I have been pulling my hair out for days.

Recommended answer

Looking at Qualys ssl test, it says that the Chain is incomplete. I don't see how though...

It looks like you are sending the wrong intermediate:

$ openssl s_client -connect cauterypens.com:443
CONNECTED(00000003)
depth=0 C = GB, OU = Domain Control Validated, CN = cauterypens.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = GB, OU = Domain Control Validated, CN = cauterypens.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = GB, OU = Domain Control Validated, CN = cauterypens.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=cauterypens.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
 ...

The subject of certificate 0 is CN=cauterypens.com. The issuer of certificate 0 is CN=AlphaSSL CA - SHA256 - G2.

The intermediate certificate should be the next in the chain. However, rather than sending CN=AlphaSSL CA - SHA256 - G2, you are sending CN=AlphaSSL CA - G2. Notice the lack of SHA256 in the name.

To fix this, you should fetch AlphaSSL CA - SHA256 - G2 from Download GlobalSign Root and Intermediate Certificate. It has thumbprint ae:bf:32:c3:c8:32:c7:d7:bc:55:99:b1:aa:05:fb:6c:f4:d9:29:4c.

Related: the CA is CN=GlobalSign Root CA. That's the GlobalSign Root R1 download. Download it and save it to a file (its name is Root-R1.crt). It's already in a PEM encoding. Then, you should be able to verify the chain with:

$ openssl s_client -connect cauterypens.com:443 -CAfile Root-R1.crt
...
Verify OK (0)

If it does not verify, then you have other troubles. Fix the problems before proceeding.
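
The issuer/subject comparison the answer does by eye can be automated. The following is an added example, not part of the original answer: it parses the "Certificate chain" section of `openssl s_client` output (the sample is the block quoted in the answer) and reports every link where a certificate's issuer is not the subject of the next certificate sent; the function names are illustrative.

```python
import re

# Chain section copied from the s_client output quoted in the answer above.
SAMPLE = """\
Certificate chain
 0 s:/C=GB/OU=Domain Control Validated/CN=cauterypens.com
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
"""

SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:<subject DN>"
ISSUER = re.compile(r"^\s+i:(.*)$")           # "   i:<issuer DN>"


def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from a 'Certificate chain' block."""
    chain, pending = [], None
    for line in text.splitlines():
        m = SUBJECT.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = ISSUER.match(line)
        if m and pending:
            chain.append((pending[0], pending[1], m.group(1).strip()))
            pending = None
    return chain


def find_breaks(chain):
    """List the links where cert N's issuer is not cert N+1's subject."""
    breaks = []
    for (depth, _subj, issuer), (_d, next_subj, _i) in zip(chain, chain[1:]):
        if issuer != next_subj:
            breaks.append({"depth": depth, "expected": issuer, "sent": next_subj})
    return breaks


if __name__ == "__main__":
    for b in find_breaks(parse_chain(SAMPLE)):
        print(f"cert {b['depth']} was issued by: {b['expected']}")
        print(f"but cert {b['depth'] + 1} is:       {b['sent']}")
```

Matching names are necessary but not sufficient: the check compares distinguished-name strings only, so a chain that passes here should still be confirmed with the `-CAfile` verification shown above.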
