Heroku SSL issue: it gives me a verification failure

Problem description

I updated all my certificates on Heroku with this command:

heroku certs:add heroku.pem server.key -a myapp --bypass

heroku.pem has the following details:

-----BEGIN CERTIFICATE----- 
entrustcert.crt
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
L1Cchain.txt
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
L1Croot.txt
-----END CERTIFICATE-----

When I run a test on the server it gives me this result:

SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

I have an Entrust SSL certificate.

Please help me to solve this issue.

Command:

curl -kvI "my HTTPS domain name" 

Recommended answer

Please help me to solve this issue

Curl should not be claiming error 19. Error 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN. You have at least two problems.

First, you're sending a certificate chain that includes your root. Don't send the root in the certificate chain. Only send the end entity (server) certificate and any intermediates required to build a chain to the trusted root. If there are no intermediates, then only send the end entity (server) certificate.

If I am reading your post correctly, that means:

-----BEGIN CERTIFICATE----- 
server cert (entrustcert.crt)
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
intermediate cert (L1Cchain.txt)
-----END CERTIFICATE----- 

Second, you need Curl to trust your root. I don't really use Curl, so I don't know how to pass in a single root to trust. Looking through the curl(1) man pages, it does not appear Curl allows you to specify a trust point. So curl is probably the wrong tool for the job.

Here's how you do it with OpenSSL's s_client (the CAfile option):

printf "GET / HTTP/1.0\r\n\r\n" | openssl s_client \
    -connect example.com:443 \
    -CAfile <root to trust>

The -CAfile will use one of the Entrust roots at Entrust Root Certificates - SSL. But I don't know which one since you're not sharing a URL or domain.

You can drop the printf if you want, and just use openssl s_client. But s_client won't finish until the socket is closed (or Ctrl-C is pressed).

With an OpenSSL s_client trace, you will be able to determine the intermediates required to build the chain, too. For an example of interpreting s_client results, see "s_client verify certificate failed, but browser accept" and "Can't verify CA certificate unless CApath or CAfile used".

Third, the -k option is a client side key option. I don't believe you need it since you are not sending a client certificate. But I don't believe this is part of your problem, either.

I have an Entrust SSL certificate.

Finally, you can get free Class 1 certificates from Startcom. They are trusted by default in most desktop and mobile browsers.

While Startcom issues the certificates for free, they do charge for revocation because that's what costs money. Others charge for the revocation up front and pocket the money if not needed.
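As an added example (not part of the answer above or of any Heroku tooling), here is a shell check built on the openssl CLI that does the two things the answer recommends: it flags any self-signed root inside a PEM bundle such as heroku.pem, and it verifies the server certificate against a separately supplied trusted root with the intermediates offered as untrusted. The file names are assumptions; the bundle must be plain PEM.

```shell
#!/bin/sh
# Added example, not from the answer above. Requires the openssl CLI.
# File names are assumptions made for the example.

# Usage: check_chain_has_no_root bundle.pem
# Prints every certificate in the bundle whose issuer equals its subject,
# i.e. a self-signed root that should not be sent to clients.
# Returns 0 when the bundle carries no root, 1 otherwise.
check_chain_has_no_root() {
  bundle="$1"
  tmpdir=$(mktemp -d)
  # Split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
  awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/cert" n ".pem") }' "$bundle"
  rc=0
  i=0
  for f in "$tmpdir"/cert*.pem; do
    # Skip anything openssl cannot parse as a certificate (e.g. text before the first BEGIN).
    subj=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
    iss=$(openssl x509 -in "$f" -noout -issuer 2>/dev/null)
    i=$((i + 1))
    # Drop the "subject=" / "issuer=" prefixes before comparing the two names.
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
      echo "certificate $i is self-signed (a root) and must not be sent: ${subj#subject=}"
      rc=1
    fi
  done
  rm -rf "$tmpdir"
  return $rc
}

# Usage: verify_chain root.pem intermediates.pem server.pem
# Builds the chain the way a TLS client does: the server (leaf) certificate is
# checked against the trusted root, with the intermediates supplied as untrusted.
# Prints "server.pem: OK" on success.
verify_chain() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}
```

Run check_chain_has_no_root against the bundle before uploading it; if it prints a self-signed entry, drop that certificate from the bundle and keep the root only on the client side as the -CAfile argument.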
