具有GoDaddy证书的HTTP SSL-此服务器的证书链不完整 [英] HTTP SSL with GoDaddy's certificate - This server's certificate chain is incomplete
问题描述
通常我从GoDaddy获得了3个文件:
in general I got 3 files from GoDaddy:
- 主证书文件
- 服务器私钥
- 捆绑文件
通过以下方式在Go服务器中配置了所有这些文件:
in configured all these files in my Go server in the following way:
cert, err := tls.LoadX509KeyPair("myalcoholist.pem","myalcoholist.key")
if err != nil {
log.Fatalf("server: loadkeys: %s", err)
}
pem, err := ioutil.ReadFile("cert/sf_bundle-g2-g1.crt")
if err != nil {
log.Fatalf("Failed to read client certificate authority: %v", err)
}
if !certpool.AppendCertsFromPEM(pem) {
log.Fatalf("Can't parse client certificate authority")
}
tlsConfig := &tls.Config{
ClientCAs: certpool,
Certificates: []tls.Certificate{cert},
}
srv := &http.Server{
Addr: "myalcoholist.com:443",
Handler: n,
ReadTimeout: time.Duration(5) * time.Second,
WriteTimeout: time.Duration(5) * time.Second,
TLSConfig: tlsConfig,
}
err := srv.ListenAndServeTLS("cert/myalcoholist.pem","cert/myalcoholist.key")
Web服务器正常运行,当前发布在https://myalcoholist.com:443.
The web server runs properly, it's currently published at https://myalcoholist.com:443.
我使用https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com验证了我的SSL,它的响应是This server's certificate chain is incomplete. Grade capped to B.
I validated my SSL using https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com and it's response is This server's certificate chain is incomplete. Grade capped to B.
您可以转到此链接以查看所有详细结果.
you can go to this link to see the all detailed result.
我想念什么?
推荐答案
跟随 net/http/#ListenAndServeTLS() doc:
Following that thread, and from the net/http/#ListenAndServeTLS() doc:
如果证书是由证书颁发机构签名的,则certFile应该是服务器证书,任何中间件和CA证书的串联.
If the certificate is signed by a certificate authority, the certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate.
尝试并确保您的cert/myalcoholist.pem也包括CA证书.
Try and make sure your cert/myalcoholist.pem includes the CA certificates as well.
所使用的线程:
myTLSConfig := &tls.Config{
CipherSuites: []uint16{
tls.TLS_RSA_WITH_RC4_128_SHA,
tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
tls.TLS_RSA_WITH_AES_128_CBC_SHA,
tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},}
myTLSConfig.PreferServerCipherSuites = true
const myWebServerListenAddress = "0.0.0.0:5555"
myTLSWebServer := &http.Server{Addr: myWebServerListenAddress, TLSConfig: myTLSConfig, Handler: router}
if err = myTLSWebServer.ListenAndServeTLS("/home/loongson/webServerKeysV2/golangCertFile2", "/home/loongson/webServerKeysV2/adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key"); err != nil {
panic(err)
}
与我之前的答案相比,添加密码套件是个好主意,但再次尝试看看是否如果证书文件包含CA,则传递给ListenAndServeTLS的证书文件效果更好.
Compared to my previous answer, adding a cipher suite is a good idea, but again, try and see if the certificate file passed to ListenAndServeTLS works better if it includes the CAs.
果然, https://www.ssllabs.com/ssltest/analyze.html?d = myalcoholist.com 报告为A级,警告:连锁问题:包含锚点".
请参阅" SSL/TLS:如何解决链接问题:包含锚点" "以删除该警告,但这不是错误:
Sure enough, https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com reports grade A, with the warning: "Chain issues: Contains anchor".
See "SSL/TLS: How to fix "Chain issues: Contains anchor"" to remove that warning, but this is not an error though:
RFC 2119 :允许服务器包含根证书(又称信任锚" "),或者忽略它.一些服务器包含它
RFC 2119: the server is allowed to include the root certificate (aka "trust anchor") in the chain, or omit it. Some servers include it
这篇关于具有GoDaddy证书的HTTP SSL-此服务器的证书链不完整的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
