Firebase Hosting生成的SSL证书不包括连接的域 [英] SSL certificate generated by Firebase Hosting does not include connected domain

问题描述

上个星期我们两次遇到这个问题.对于具有两个连接域的Firebase Hosting项目，证书中不包含一个域.

We've had this issue twice during the last week. For a Firebase Hosting project with two connected domains, one domain is not included in the certificate.

尝试连接浏览器似乎返回503状态代码，Chrome在控制台中显示net::ERR_CERT_COMMON_NAME_INVALID. curl返回

Trying to connect with a browser seems to return a 503 status code and Chrome shows net::ERR_CERT_COMMON_NAME_INVALID in the console. curl returns

(51)SSL:没有其他证书使用者名称与目标主机名"{host}"匹配

(51) SSL: no alternative certificate subject name matches target host name '{host}'

(其中{host}是主机名/连接的域)

(where {host} is the host name / connected domain)

要直接检查证书，即 SAN ，我使用以下命令:

To check the certificate directly, i.e. the SANs, I use the following command:

gnutls-cli --print-cert ${host} < /dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
    | openssl x509 -noout -text \
    | grep DNS | tr , '\n' | tr -s " "

这将返回100个证书的列表，包括工作域的主机名，但仅包含失败域的默认firebaseapp.com/*.firebaseapp.com条目.

This returns a list of 100 certificates including the host name for the working domain, but only the default firebaseapp.com/*.firebaseapp.com entries for the failing domain.

注意:我在这里使用gnutls-cli，因为似乎openssl s_client -connect ${host}:443在请求中不包含主机名，并且始终为firebaseapp.com/*.firebaseapp.com

Note: I am using gnutls-cli here, because it seems that openssl s_client -connect ${host}:443 does not include the host name in the request and always loads a certificate for firebaseapp.com/*.firebaseapp.com

我已经联系了Firebase支持，但他们的最后答复(约16小时前)是同一项目有两个不同的域，但是我需要确认是否支持".鉴于在分析问题时发现，在我们负责的域旁边，对于相同的两个主机名，已经找到了400多个SAN，因此我非常确定这是受支持的.

I have already reached out to Firebase Support, but their last response (~16 hours ago) was "there are two different domains associated to the same project, but I need to confirm if this is supported". I am quite sure this is supported, given that during my analysis of the problem I have found more than 400 SANs for the same two host names next to the domains under our responsibility.

关于如何解决此问题的任何建议?我已经尝试删除并重新添加自定义域，但这并没有改变任何内容.

Any suggestions on how we can resolve this issue? I already tried deleting and re-adding the custom domain, but this did not change anything.

从技术上来说，切换托管并不难，但是我们的主要问题是DNS受客户服务提供商的控制，他们很难更改生产中已经存在的任何内容.

Switching hosting would technically not be too difficult, but our main issue is that the DNS is under control of a service provider of our customer and it's difficult for them to change anything already in production.

推荐答案

在获得Firebase支持后，他们发现根域包含一个

After some back and forth with Firebase Support, they found out that the root domain contained a CAA record that did not include letsencrypt.org.

在我们的特定情况下，解决方法是仅让我们对子域进行加密.例如，使用以下设置

The fix in our specific case was to include let's encrypt for the subdomain only. As an example, using the following settings

• 域:awesomesite.com
• 连接域:firebaseapp.awesomesite.com

• Domain: awesomesite.com
• Connected Domain: firebaseapp.awesomesite.com

我们可以使用dig查询记录:

We can query the records using dig:

$ dig CAA awesomesite.com +noall +answer && dig CAA firebaseapp.awesomesite.com +noall +answer             

; <<>> (...) <<>> CAA awesomesite.com +noall +answer
;; global options: +cmd
awesomesite.com.        299 IN  CAA 0 iodef "mailto:cert@awesomesite.com"
awesomesite.com.        299 IN  CAA 0 issue "digicert.com"

; <<>> (...) <<>> CAA firebaseapp.awesomesite.com +noall +answer
;; global options: +cmd
firebaseapp.awesomesite.com.    3599    IN  CAA 0 issue "letsencrypt.org"

如您所见，域firebaseapp.awesomesite.com具有带有 letsencrypt.org 的CAA记录，而未触及awesomesite.com.

As you can see, the domain firebaseapp.awesomesite.com has a CAA record with letsencrypt.org, while awesomesite.com was not touched.

现在，一切正常，更新记录仅一小段时间.我们不必在Firebase Hosting上重新触发部署，也不必删除/添加连接的域(我之前曾尝试解决此问题的事物).

Everything works fine now, just a short time after updating the records. We did not have to retrigger deployment on Firebase Hosting or delete/add the connected domain (things I had previously tried to resolved the problem).

更正此问题的替代方法:

Alternatives to correct the issue:

• 删除CAA记录:从根域(或中间域)中删除CAA记录.
• 扩展CAA记录:在根域的CAA记录的域列表中包括 letsencrypt.org .

• Delete CAA records: Remove the CAA record from the root domain (or intermediary domains).
• Extend CAA records: Include letsencrypt.org in the list of domains in the CAA record of the root domain

更新，2020年9月:根据我收到的电子邮件，由于

Update, September 2020: According to an email I have received, Google is in the process of migrating the SSL certificate provider to a new Google-run CA because of Let's Encrypt's transition to ISRG's Root that may break backwards compatibility. According to that email, an additional CAA using pki.goog is required:

firebaseapp.awesomesite.com.    3599    IN  CAA 0 issue "pki.goog"
firebaseapp.awesomesite.com.    3599    IN  CAA 0 issue "letsencrypt.org"

这篇关于Firebase Hosting生成的SSL证书不包括连接的域的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！