StartSSL certificate not trusted in Firefox and on Android


Problem description

Apache server, followed the guide from here: https://www.startssl.com/Support?v=21

httpd.conf:

SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile "/usr/local/apache2/conf/domain.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/private.key"
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"

Works fine in Chrome but Firefox yields the following error:

Error code: SEC_ERROR_UNKNOWN_ISSUER

Analysis at https://www.sslshopper.com/ssl-checker.html says the following:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.

How can I make the chain valid?

Solution

SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"   

... You may need to install an Intermediate/chain certificate to link it to a trusted root certificate

The SSLCertificateChainFile option was obsoleted in Apache version 2.4.8 and any chain certificates need to be added to SSLCertificateFile instead. Since you are using 2.4.23 based on your comment this means that this setting was ignored. This means that no chain certificates were sent to the client, causing the validation error. You should have gotten a message in the error logs though pointing out the invalid setting.
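
One way to check a server for the situation this answer describes, as an added example that is not part of the original question or answer: the shell functions below (hypothetical names) read an httpd.conf, count the PEM blocks in the file named by SSLCertificateFile, and build a combined leaf-plus-chain file. It assumes PEM-encoded certificates and a single SSLCertificateFile directive in the config being checked.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Apache or StartSSL tooling.

# Count PEM certificate blocks in file $1 (prints 0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the first value of Apache directive $1 in config $2, without quotes.
# Commented-out lines are skipped; the directive name is matched case-sensitively.
directive_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" |
        tr -d '"' | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if SSLCertificateFile already carries the chain, 1 if the chain is
# only referenced through SSLCertificateChainFile, 2 if no chain is configured,
# 3 if the certificate file cannot be read.
audit_chain() {
    cert=$(directive_value SSLCertificateFile "$1")
    chain=$(directive_value SSLCertificateChainFile "$1")
    if [ ! -r "$cert" ]; then
        echo "fail: cannot read SSLCertificateFile '$cert'"; return 3
    fi
    n=$(count_certs "$cert")
    if [ "$n" -ge 2 ]; then
        echo "ok: $cert holds the leaf plus $((n - 1)) chain certificate(s)"
    elif [ -n "$chain" ]; then
        echo "warn: chain only in SSLCertificateChainFile ($chain); append it to $cert"
        return 1
    else
        echo "fail: $cert holds the leaf only and no chain file is configured"
        return 2
    fi
}

# Write leaf $1 followed by chain bundle $2 into $3: leaf first, then the
# intermediates, the order SSLCertificateFile expects from 2.4.8 on.
build_fullchain() {
    { cat "$1"; echo; cat "$2"; } | sed '/^[[:space:]]*$/d' > "$3"
}
```

After building the combined file, point SSLCertificateFile at it, run `apachectl configtest`, and restart the server before re-testing in Firefox.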
