Certificate chain not visible in Firefox


Problem description

We have installed the certificate chain on our load balancer. When we visit the site in Chrome, we don't get any issue and the chain is visible.

But in certain versions of Firefox the certificate chain is not displayed, and hence we get the "The connection is untrusted" error.

What could be causing this? We have cleared the cache, but the certificate is not getting displayed with the chain.

Recommended answer

This is typically the case if the chain is not sent (fully) by the server (or in this case the load balancer). Chrome looks for these missing chain certificates by itself while Firefox does not. But Firefox caches intermediate certificates from earlier connections to other sites, so if the right sites were visited before, then the missing certificates are already known by Firefox and will be used to complete the trust chain. But if you use a fresh Firefox profile, no certificates are cached and thus you get the validation error.

Browsers are not a good tool to check what is actually sent by the server. A better tool is openssl s_client. If the site is publicly accessible you might also check it against SSL Labs, which also shows if the chain sent by the server is incomplete and which certificates are missing from the chain.
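The check described in the answer, as an added example that is not part of the original answer: it verifies a captured chain using only the certificates the server sent plus a set of trusted roots, which is how a fresh Firefox profile sees the site. The function names `chain_complete` and `make_demo_pki`, the `HOST` placeholder and the demo PKI are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Capture what a live server actually sends (leaf first, then intermediates):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>/dev/null \
#     | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > sent.pem

# chain_complete ROOTS.pem SENT.pem   (hypothetical helper)
# Succeeds only if the first certificate in SENT.pem verifies up to a root in
# ROOTS.pem using nothing but the other certificates in SENT.pem, i.e. the
# position of a client with no cached intermediates and no chain fetching.
chain_complete() (
  roots=$1; sent=$2
  tmp=$(mktemp -d) || exit 2
  trap 'rm -rf "$tmp"' EXIT
  # First PEM block is the leaf; everything after it is the chain as sent.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
       n == 1 { print > (d "/leaf.pem") }
       n > 1  { print > (d "/rest.pem") }' "$sent"
  # Pass -untrusted only when chain certificates were actually sent.
  if [ -s "$tmp/rest.pem" ]; then set -- -untrusted "$tmp/rest.pem"; else set --; fi
  # Match the "OK" line rather than relying on the exit status alone.
  openssl verify -CAfile "$roots" "$@" "$tmp/leaf.pem" 2>/dev/null | grep -q ': OK$'
)

# make_demo_pki DIR: constructed root -> intermediate -> leaf for offline testing.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  {
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Root' \
      -keyout "$d/root.key" -out "$d/root.csr" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
      -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate' \
      -keyout "$d/int.key" -out "$d/int.csr" &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/int.pem" &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
      -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
      -CAcreateserial -days 2 -out "$d/leaf.pem"
  } >/dev/null 2>&1
}
```

For a real site, pass a bundle that contains only root CAs as `ROOTS.pem`; a failure then means the load balancer is not sending every intermediate.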
