"PKIX path building failed" despite valid Verisign certificate


Question

I'm having a similar problem as described here:

"PKIX path building failed" exception despite having a valid Verisign certificate.

What I don't understand is why the server works fine when I hit the same URL in a web browser.

The server is sending the whole certificate chain and I can see it in my web browser:

   (Verisign root)
     -> (VeriSign Class 3 Secure Server CA - G3) 
       -> (my server) 

But for some reason, Java and the OpenSSL command line tools aren't seeing it.

wget fails, and openssl s_connect only sees the intermediate "G3" certificate.

Yet IE and Chrome - no problems.

What is going on here?

Answer

What you see in the browser isn't necessarily the chain sent by the server; rather, it's the chain reconstructed by the browser. It's possible that Windows has the G3 intermediate CA as a trusted anchor, whereas the other clients don't.

To check the actual chain sent by the server, use -showcerts with s_connect:

openssl s_client -showcerts -connect your.host.name:443

Make sure the chain is sent in the correct order: server certificate first, followed by the intermediate certificates, if required.

Certificate chain
 0 s:/.../CN=your.host.name
   i:/.../CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/.../CN=VeriSign Class 3 Secure Server CA - G3
   i:/.../CN=Verisign root
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

(Just in case, check that you're getting the correct certs, just in case you're using SNI but using versions of Java or OpenSSL that don't support it.)

A good tool to check this is the Qualys SSL Labs test.

In addition, depending on how wget or openssl were installed, they often don't have a default list of trusted anchors, so you would have to give them a path to a bundle of CA certificates explicitly.
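The checks the answer describes (leaf first, each issuer matching the next subject, and which anchor the client must already trust) can be applied to the -showcerts output mechanically. The following is an added example, not code from the answer; it parses a constructed sample of that output with the same layout as the excerpt above, and the helper names are mine.

```python
import re

# Constructed sample of `openssl s_client -showcerts` output, laid out like the
# excerpt in the answer above (PEM bodies elided); it is not a real capture.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:/C=US/O=Example Corp/CN=your.host.name
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
-----BEGIN CERTIFICATE-----
MIIB...elided...
-----END CERTIFICATE-----
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Root
-----BEGIN CERTIFICATE-----
MIIB...elided...
-----END CERTIFICATE-----
---
"""

# One "N s:<subject>" line followed by an "i:<issuer>" line per certificate.
ENTRY_RE = re.compile(r"^\s*(\d+) s:(.+)\n\s*i:(.+)$", re.MULTILINE)

def parse_showcerts(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY_RE.findall(text)]

def cn_of(name):
    """Pull the CN out of an OpenSSL-style /C=../O=../CN=.. name."""
    match = re.search(r"CN=([^/,]+)", name)
    return match.group(1).strip() if match else name

def check_chain_order(chain, hostname):
    """List ordering problems: the leaf must come first, and each certificate's
    issuer must be the subject of the one sent after it (no gaps, no shuffling)."""
    problems = []
    if not chain:
        return ["server sent no certificates (wrong host, or client lacks SNI support?)"]
    if cn_of(chain[0][1]) != hostname:
        problems.append(f"first certificate is {cn_of(chain[0][1])!r}, expected leaf {hostname!r}")
    for (depth, _, issuer), (_, next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"cert {depth} is issued by {cn_of(issuer)!r} but is followed by {cn_of(next_subject)!r}")
    return problems

def required_anchor(chain):
    """Issuer of the last certificate sent: the client's trust store must already
    contain it, since the server did not send it. None if the last certificate
    is self-signed (the server sent the root itself)."""
    if not chain:
        return None
    _, subject, issuer = chain[-1]
    return None if subject == issuer else issuer
```

When the server sends only the leaf, check_chain_order reports nothing but required_anchor names the G3 intermediate, which is exactly the case where a browser with G3 in its store succeeds while Java or OpenSSL fail.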
