OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified


Question

I'm trying to connect to Apple's Push Notification service from an Ubuntu server for an app. I've successfully generated the combined .pem certificate required by the pyAPNS provider I'm using. However, when I try to verify the certificate with openssl verify, I get error 20 at 0 depth lookup:unable to get local issuer certificate. It works if I specify the certificate authority explicitly (openssl verify apns.pem -CAfile entrust_2048_ca.pem), but I've already explicitly installed the Entrust certificate on the system as instructed here, under "Importing a Certificate into the System-Wide Certificate Authority Database", and as far as I understand this page, everything is as it should be (the certificate is in /usr/lib/ssl/certs and there is a symlink to it with the hash).

The same happens if I try connecting to the APNS itself with openssl s_client: it seems to connect okay if I specify the CAfile explicitly, but otherwise not. PyAPNS tells me it can't connect to the APNS server, and I can only presume that's for the same reason.

How do I get OpenSSL to recognize the Entrust certificate authority by default, without explicitly specifying it every time? Am I missing a step somewhere?

Answer

OpenSSL uses a hash of the certificate's Issuer DN to look up the file in the default directory where the CA certificates are installed.

See the OpenSSL verify documentation:

-CApath directory

    A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form (``hash'' is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.

These hash values come from the Subject DN of each CA certificate (since the aim is to look for a CA certificate whose subject matches the issuer of the certificate to verify). You can either use c_rehash as documented, or get the Subject DN's hash using openssl x509 -subject_hash -noout -in cacert.pem and rename the file/link accordingly.

The direct issuer of the certificate to verify might not be a root CA certificate: there might be an intermediate CA certificate in the chain. You also need to make sure that the intermediate certificates are used.

In addition, there are two distinct hash formats (there was a change since OpenSSL version 1.0), it's worth making a link using both -subject_hash_old and -subject_hash, although OpenSSL itself by default should only use its new format.
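The lookup this answer describes, as an added example that is not part of the original answer: a POSIX shell script that builds a throwaway root CA, intermediate CA and leaf certificate with openssl (all names such as "Example Test Root CA" and "apns.example.test" are made up), installs CA certificates into a -CApath directory under their subject-hash names the way c_rehash would, and reproduces "error 20 at 0 depth" first with an empty directory and then with the root present but the intermediate missing. The helper names (make_pki, install_ca, verify_status) are this example's own.

```shell
#!/bin/sh
# Added example (not code from the original question or answer).
# Shows how `openssl verify -CApath` finds issuer certificates only through
# <subject_hash>.N file names, and why a missing intermediate still fails with
# "error 20 at 0 depth lookup: unable to get local issuer certificate".
# Every certificate name below is made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/capath"

# Build a throwaway chain inside $WORK: root -> intermediate -> leaf.
make_pki() {
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Test Root CA" -keyout root.key -out root.pem 2>/dev/null
  # The intermediate must carry CA:TRUE, otherwise it cannot issue the leaf.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Test Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -extfile inter.ext -out inter.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=apns.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -sha256 -out leaf.pem 2>/dev/null
  mkdir -p "$CAPATH"
}

# Link one CA certificate into $CAPATH under the names the hash-dir lookup
# expects: <subject hash>.N for the current hash and, as the answer suggests,
# also for the pre-1.0 hash format. N counts up on hash collisions.
install_ca() {  # install_ca <file name relative to $WORK>
  cert="$WORK/$1"
  for h in $(openssl x509 -subject_hash -noout -in "$cert") \
           $(openssl x509 -subject_hash_old -noout -in "$cert"); do
    n=0
    while [ -e "$CAPATH/$h.$n" ]; do n=$((n + 1)); done
    ln -s "$cert" "$CAPATH/$h.$n"
  done
}

# Run `openssl verify` with the given arguments from $WORK and reduce its
# output to "ok" or "error <code> at depth <d>".
verify_status() {
  out=$(cd "$WORK" && openssl verify "$@" 2>&1) || true
  case "$out" in
    *": OK"*) echo ok ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/.*\(error [0-9][0-9]*\) at \([0-9][0-9]*\) depth.*/\1 at depth \2/p' \
         | head -n 1 ;;
  esac
}

demo() {
  make_pki
  echo "empty CApath:              $(verify_status -CApath "$CAPATH" leaf.pem)"
  install_ca root.pem
  # Root is now findable by its subject hash, but the leaf's direct issuer
  # (the intermediate) still is not: same error 20 at depth 0.
  echo "root only:                 $(verify_status -CApath "$CAPATH" leaf.pem)"
  # Supplying the intermediate as an untrusted chain certificate completes
  # the path leaf -> intermediate -> root.
  echo "root + -untrusted inter:   $(verify_status -CApath "$CAPATH" -untrusted inter.pem leaf.pem)"
  install_ca inter.pem
  echo "root + inter in CApath:    $(verify_status -CApath "$CAPATH" leaf.pem)"
  ls -l "$CAPATH"
}

demo
```

Applied to the situation in the question, the same check is: run openssl x509 -subject_hash -noout -in entrust_2048_ca.pem and confirm that a file or link with exactly that name plus ".0" exists in the directory OpenSSL is actually searching, and that the intermediate in the APNS chain is either in that directory too or supplied along with the leaf certificate. The -subject_hash_old link covers an OpenSSL build still using the pre-1.0 naming.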
