SSL 错误:无法获取本地颁发者证书 [英] SSL Error: unable to get local issuer certificate
问题描述
我在 Debian 6.0 32 位服务器上配置 SSL 时遇到问题.我对 SSL 比较陌生,所以请多多包涵.我尽可能多地提供信息.
注意:为了保护服务器的身份和完整性,已经更改了真实域名.
配置
服务器正在使用 nginx 运行.配置如下:
ssl_certificate/usr/local/nginx/priv/mysite.ca.chained.crt;ssl_certificate_key/usr/local/nginx/priv/mysite.ca.key;ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers HIGH:!aNULL:!MD5;ssl_verify_depth 2;我使用此处
中描述的方法链接了我的证书cat mysite.ca.crt bundle.crt >mysite.ca.chained.crt其中 mysite.ca.crt 是签名机构给我的证书,而 bundle.crt 是我签名时也发送给我的 CA 证书权威.问题是我没有直接从 GlobalSign 购买 SSL 证书,而是通过我的托管服务提供商 Singlehop.
测试
证书在 Safari 和 Chrome 上正确验证,但在 Firefox 上无效.初步搜索显示这可能是 CA 的问题.
我探索了类似问题的答案,但无法找到解决方案,因为我不太了解每个证书的用途.
我使用 openssl 的 s_client 来测试连接,并且收到的输出似乎表明与 类似问题.错误如下:
depth=0/OU=域控制验证/CN=*.mysite.ca验证错误:num=20:无法获取本地颁发者证书验证返回:1depth=0/OU=域控制验证/CN=*.mysite.ca验证错误:num=27:证书不受信任验证返回:1可以在这里找到openssl响应的完整细节(证书和不必要的信息被截断).
我也看到了警告:
未发送客户端证书 CA 名称这可能是问题所在吗?如何确保 nginx 发送这些 CA 名称?
解决问题的尝试
我试图通过直接从 GlobalSign 下载根 CA 来解决问题,但收到了同样的错误.我使用 update-ca-certificates 命令更新了我的 Debian 服务器上的根 CA,但没有任何改变.这可能是因为我的提供商发送的 CA 是正确的,因此导致证书被链接两次,这没有帮助.
0 s:/OU=域控制验证/CN=*.mysite.cai:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G21 秒:/O=AlphaSSL/CN=AlphaSSL CA - G2i:/C=BE/O=GlobalSign nv-sa/OU=根 CA/CN=GlobalSign 根 CA2 s:/C=BE/O=GlobalSign nv-sa/OU=根 CA/CN=GlobalSign 根 CAi:/C=BE/O=GlobalSign nv-sa/OU=根 CA/CN=GlobalSign 根 CA后续步骤
如果有什么我可以尝试的,或者我只是配置不正确,请告诉我.
jww 是对的——你引用了错误的中间证书.
由于您已获得 SHA256 证书,因此您需要 SHA256 中间证书.您可以从这里获取它:http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crtp>
I'm having trouble configuring SSL on a Debian 6.0 32bit server. I'm relatively new with SSL so please bear with me. I'm including as much information as I can.
Note: The true domain name has been changed to protect the identity and integrity of the server.
Configuration
The server is running using nginx. It is configured as follows:
ssl_certificate /usr/local/nginx/priv/mysite.ca.chained.crt;
ssl_certificate_key /usr/local/nginx/priv/mysite.ca.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_verify_depth 2;
I chained my certificate using the method described here
cat mysite.ca.crt bundle.crt > mysite.ca.chained.crt
where mysite.ca.crt is the certificate given to me by the signing authority, and the bundle.crt is the CA certificate also sent to me by my signing authority. The problem is that I did not purchase the SSL certificate directly from GlobalSign, but instead through my hosting provider, Singlehop.
Testing
The certificate validates properly on Safari and Chrome, but not on Firefox. Initial searching revealed that it may be a problem with the CA.
I explored the answer to a similar question, but was unable to find a solution, as I don't really understand what purpose each certificate serves.
I used openssl's s_client to test the connection, and received output which seems to indicate the same problem as the similar question. The error is as follows:
depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
verify error:num=27:certificate not trusted
verify return:1
A full detail of openssl's response (with certificates and unnecessary information truncated) can be found here.
I also see the warning:
No client certificate CA names sent
Is it possible that this is the problem? How can I ensure that nginx sends these CA names?
Attempts to Solve the Problem
I attempted to solve the problem by downloading the root CA directly from GlobalSign, but received the same error. I updated the root CA's on my Debian server using the update-ca-certificates command, but nothing changed. This is likely because the CA sent from my provider was correct, so it led to the certificate being chained twice, which doesn't help.
0 s:/OU=Domain Control Validated/CN=*.mysite.ca
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
Next Steps
Please let me know if there is anything I can try, or if I just have the whole thing configured incorrectly.
jww is right — you're referencing the wrong intermediate certificate.
As you have been issued with a SHA256 certificate, you will need the SHA256 intermediate. You can grab it from here: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
这篇关于SSL 错误:无法获取本地颁发者证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
