OpenSSL unable to get local issuer certificate unless CAfile is explicitly specified


Question


I'm trying to connect to Apple's Push Notification service from an Ubuntu server for an app. I've successfully generated the combined .pem certificate required by the pyAPNS provider I'm using. However, when I try to verify the certificate with openssl verify, I get error 20 at 0 depth lookup:unable to get local issuer certificate. It works if I specify the certificate authority explicitly (openssl verify apns.pem -CAfile entrust_2048_ca.pem), but I've already explicitly installed the Entrust certificate on the system as instructed here, under "Importing a Certificate into the System-Wide Certificate Authority Database", and as far as I understand this page, everything is as it should be (the certificate is in /usr/lib/ssl/certs and there is a symlink to it with the hash).

The same happens if I try connecting to the APNS itself with openssl s_client: it seems to connect okay if I specify the CAfile explicitly, but otherwise not. PyAPNS tells me it can't connect to the APNS server, and I can only presume that's for the same reason.

How do I get OpenSSL to recognize the Entrust certificate authority by default, without explicitly specifying it every time? Am I missing a step somewhere?

Solution

OpenSSL uses a hash of the certificate's Issuer DN to look up the file in the default directory where the CA certificates are installed.

See OpenSSL verify documentation:

-CApath directory

A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form (``hash'' is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically create symbolic links to a directory of certificates.

These hash values will come from the Subject DN of each CA certificate (since the aim is to look for a CA certificate with the subject matching the issuer of the certificate to verify). You can either use c_rehash as documented, or get the Subject DN's hash using openssl x509 -subject_hash -noout -in cacert.pem and rename the file/link accordingly.

The direct issuer of the certificate to verify might not be a root CA certificate: there might be an intermediate CA certificate in the chain. You also need to make sure that the intermediate certificates are used.

In addition, there are two distinct hash formats (there was a change since OpenSSL version 1.0), so it's worth making a link using both -subject_hash_old and -subject_hash, although OpenSSL itself by default should only use its new format.
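The lookup rules this answer describes, as an added example that is not the poster's code: a small POSIX shell script that does what c_rehash does (creates hash.N links under both the new and the old subject-hash format, picking the next free N when two CAs share a hash) and then verifies a certificate against that directory only. It assumes the openssl binary is on PATH and that the directory holds PEM certificates; the function and variable names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original answer: rebuild the hash.N symlinks
# that OpenSSL expects in a -CApath directory, then verify against it.
# Assumes `openssl` (>= 1.1.0, for -no-CAfile) is on PATH.

# link_cert DIR CERT HASH: create DIR/HASH.N -> basename(CERT), using the
# lowest N not already taken. Two CA certificates can share a subject hash,
# which is why OpenSSL tries hash.0, hash.1, ... until the issuer matches.
link_cert() {
    dir=$1; cert=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ]; do
        # A link to this very file already exists: nothing to do (idempotent).
        if [ "$(readlink "$dir/$hash.$n")" = "$(basename "$cert")" ]; then
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$(basename "$cert")" "$dir/$hash.$n"
}

# rehash_dir DIR: link every certificate in DIR under both hash formats,
# so the directory works whether OpenSSL uses -subject_hash or the
# pre-1.0 -subject_hash_old form.
rehash_dir() {
    dir=$1
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        # Skip files that are not certificates (private keys, serial files).
        openssl x509 -noout -in "$cert" 2>/dev/null || continue
        new=$(openssl x509 -subject_hash -noout -in "$cert")
        old=$(openssl x509 -subject_hash_old -noout -in "$cert")
        link_cert "$dir" "$cert" "$new"
        link_cert "$dir" "$cert" "$old"
    done
}

# verify_with_capath DIR CERT: exit 0 if CERT chains to a CA found in DIR.
# -no-CAfile keeps `openssl verify` from silently also consulting the
# default cert.pem, which otherwise masks a broken -CApath directory.
# Intermediate CA certificates must be in DIR (and hashed) as well.
verify_with_capath() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}
```

Running `rehash_dir /etc/ssl/certs` (or your own trust directory) and then `verify_with_capath` on the leaf certificate reproduces the check from the question; the "unable to get local issuer certificate" error disappears once the issuer's hash.N link exists.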
