How to force Apache 2.2 to send the full certificate chain?


Problem description

We are using Apache 2.2.25 with mod_ssl in the reverse proxy mode using mod_proxy. It has a server certificate we use for testing purposes, issued by GoDaddy. There are 3 certificates in the chain, server cert -> GoDaddy intermediate CA -> GoDaddy Root CA. The intermediate CA (Go Daddy Secure Certificate Authority - G2) is not always found in clients' list of trusted CA.

The SSL connection to the server works well for browsers (at least for some), but not for some other clients. We noticed that our server does not send the full certificate chain, by using the following command: openssl s_client -showcerts -connect SERVER_URL:443, and indeed the command reports the error Verify return code: 21 (unable to verify the first certificate).

We use the SSLCertificateFile directive in each VirtualHost:

SSLCertificateFile certificate.crt

Where the certificate.crt file contains the private key and all the certificates in the chain. We tried to split it into the following:

SSLCertificateFile server.crt
SSLCertificateKeyFile server.key
SSLCertificateChainFile chain.crt

But this didn't change anything.

Thanks for your help!

EDIT
The plot thickens - it seems to be some combination of the certificate and the server.
(testing is done with the SSL Shopper tool)

  1. Go Daddy certificate (as above) on Apache 2.2 (RHEL) - does not work
  2. same certificate, on IIS7 - works
  3. customer's certificate (from Comodo) on Apache 2.2 RHEL - works

Recommended answer

You are on the right track.

SSLCertificateFile server.crt      >> Your public certificate
SSLCertificateKeyFile server.key   >> Your private key
SSLCertificateChainFile chain.crt  >> List of intermediate certificates;
                                 in your case, only one - GoDaddy intermediate CA

Check your server configuration with a tool like SSL Labs to determine if you are sending the correct intermediate certificate.
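The same check can be done from the command line with the openssl s_client output the question already uses. The script below is an added example, not part of the original question or answer: it parses the "Certificate chain" summary that openssl s_client -showcerts prints and reports whether the server sent every intermediate; the two sample excerpts and the host name www.example.test are constructed, not captured from a real server.

```shell
#!/bin/sh
# Parses the "Certificate chain" summary printed by `openssl s_client -showcerts`
# and reports whether the server sent every intermediate. Verify return code 21
# (the symptom in the question) is what you see when only the leaf is sent.
# Live usage: openssl s_client -showcerts -connect HOST:443 </dev/null 2>/dev/null | check_chain
check_chain() {
    awk '
        # " 0 s:CN = host"  subject of the cert at depth 0, 1, ...
        /^ *[0-9]+ s:/ { d = $1 + 0; sub(/^ *[0-9]+ s:/, ""); subj[d] = $0; last = d; next }
        # "   i:C = US, O = ..."  issuer of the cert at the current depth
        /^ *i:/ { sub(/^ *i:/, ""); iss[last] = $0; next }
        /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $0 }
        END {
            if (last == "") { print "FAIL: no certificate chain in input"; exit 1 }
            sent = last + 1
            # Each cert must be issued by the one the server sent right after it.
            for (d = 0; d < last; d++)
                if (iss[d] != subj[d + 1]) {
                    print "FAIL: cert " d " issued by [" iss[d] "] but cert " (d + 1) " is [" subj[d + 1] "]"
                    exit 1
                }
            if (iss[last] == subj[last]) {
                print "OK: " sent " certs sent, chain ends at a self-signed root; s_client verify: " code
                exit 0
            }
            if (sent == 1) {
                # The intermediate is missing: it belongs in SSLCertificateChainFile.
                print "FAIL: only the leaf was sent; client must already trust [" iss[0] "]; s_client verify: " code
                exit 1
            }
            print "OK: " sent " certs sent; client needs root [" iss[last] "] in its trust store; s_client verify: " code
        }'
}
# Constructed s_client excerpts (not captured from a real server): the case in
# the question, and the same server once chain.crt holds the intermediate.
ONLY_LEAF='Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = GoDaddy.com, Inc., CN = Go Daddy Secure Certificate Authority - G2
---
    Verify return code: 21 (unable to verify the first certificate)'
WITH_CHAIN='Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = GoDaddy.com, Inc., CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, O = GoDaddy.com, Inc., CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, O = GoDaddy.com, Inc., CN = Go Daddy Root Certificate Authority - G2
---
    Verify return code: 0 (ok)'
printf '%s\n' "$ONLY_LEAF" | check_chain || echo "  -> add the intermediate to SSLCertificateChainFile"
printf '%s\n' "$WITH_CHAIN" | check_chain
```

A browser that already caches the GoDaddy intermediate will connect to the broken configuration without complaint, which is why the check should be run from a client with an empty cache rather than trusted to a browser test.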
