SSL connection with TLS server and letsencrypt


Problem description

I am trying to set up an SSL connection for my server in C. I took this code: https://wiki.openssl.org/index.php/Simple_TLS_Server and I generated a certificate with certbot:

sudo certbot certonly --standalone

I have copied cert.pem and privkey.pem, present in /etc/letsencrypt/live/MY_DOMAIN/, to my program directory. But when I try to connect with curl, I get this error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

and my server prints:

1996193792:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1407:SSL alert number 48

Thanks for your help!

Recommended answer

That oversimple server does not handle a chain cert (or certs), also called intermediate, which every real CA this century requires, including LE. It is suitable only for test certs you generate yourself, or some limited environments like the intranet of a company that runs its own private CA.

Replace SSL_CTX_use_certificate_file on the cert.pem file with SSL_CTX_use_certificate_chain_file on the fullchain.pem file.

Also, SSLv23* methods have (finally!) been replaced by TLS* methods as of 1.1.0 in 2016, although the obsolete names remain as synonyms for now.
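
A pre-flight check for the failure described in the answer, as an added example that is not part of the original answer or of the OpenSSL wiki code: it counts the certificate blocks in a PEM file, so a leaf-only file such as cert.pem can be told apart from fullchain.pem before the server loads it. The function names and the sample PEM bodies are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed samples: bodies are placeholders, not real certificates. */
static const char LEAF_ONLY[] = PEM_BEGIN "\nLEAF\n" PEM_END "\n";
static const char FULL_CHAIN[] = PEM_BEGIN "\nLEAF\n" PEM_END "\n"
                                 PEM_BEGIN "\nINTERMEDIATE\n" PEM_END "\n";

/* Count complete CERTIFICATE blocks; -1 if one is unterminated or nested. */
int count_pem_certs(const char *pem)
{
    int n = 0;
    const char *p = pem;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *body = p + strlen(PEM_BEGIN);
        const char *end = strstr(body, PEM_END);
        const char *next = strstr(body, PEM_BEGIN);
        if (end == NULL || (next != NULL && next < end))
            return -1;
        n++;
        p = end + strlen(PEM_END);
    }
    return n;
}

/* Same count for a file on disk (first 64 KiB); -1 if it cannot be read. */
int count_pem_certs_in_file(const char *path)
{
    static char buf[65536];
    FILE *f = fopen(path, "r");
    if (f == NULL) return -1;
    size_t len = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[len] = '\0';
    return count_pem_certs(buf);
}

/* 1 = leaf only (fine for a self-signed test cert); 2+ = leaf plus chain. */
int main(int argc, char **argv)
{
    if (argc > 1)
        printf("%s: %d certificate(s)\n", argv[1], count_pem_certs_in_file(argv[1]));
    else
        printf("leaf-only sample: %d, full-chain sample: %d\n",
               count_pem_certs(LEAF_ONLY), count_pem_certs(FULL_CHAIN));
    return 0;
}
```

Run it with the path of the file the server passes to its certificate-loading call; a count of 1 for a CA-issued certificate means clients will receive no intermediate.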
