StartSSL certificate not trusted in Firefox and on Android
Apache server, followed the guide from here: https://www.startssl.com/Support?v=21
httpd.conf:
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!LOW:!aNULL:!eNULL
SSLCertificateFile "/usr/local/apache2/conf/domain.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/private.key"
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"
Works fine in Chrome but Firefox yields the following error:
Error code: SEC_ERROR_UNKNOWN_ISSUER
Analysis at https://www.sslshopper.com/ssl-checker.html says the following:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following StartCom's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.
How can I make the chain valid?
SSLCertificateChainFile "/usr/local/apache2/conf/1_root_bundle.crt"
... You may need to install an Intermediate/chain certificate to link it to a trusted root certificate
The SSLCertificateChainFile option was obsoleted in Apache version 2.4.8 and any chain certificates need to be added to SSLCertificateFile instead. Since you are using 2.4.23 based on your comment this means that this setting was ignored. This means that no chain certificates were sent to the client, causing the validation error. You should have gotten a message in the error logs though pointing out the invalid setting.
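One way to produce the single file the answer describes, as an added example that is not part of the original answer: it builds a leaf-first bundle from the question's two certificate files and checks that each certificate names the next as its issuer. The output name `fullchain.crt` and the function names are assumptions, and `chain_is_ordered` needs the `openssl` command.

```shell
#!/bin/sh
# Added example. File names follow the question; fullchain.crt is an assumed name.

# Number of PEM certificates in a file (prints 0 when there are none).
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write the leaf first, then the chain certificates, to $3. awk strips CRs and
# terminates every line, so a missing final newline cannot fuse two PEM blocks.
build_fullchain() {
    leaf=$1 chain=$2 out=$3
    [ -r "$leaf" ] && [ -r "$chain" ] || { echo "unreadable input" >&2; return 1; }
    [ "$(count_certs "$leaf")" -eq 1 ] ||
        { echo "$leaf: expected exactly one certificate" >&2; return 1; }
    [ "$(count_certs "$chain")" -ge 1 ] ||
        { echo "$chain: no certificates found" >&2; return 1; }
    awk '{ sub(/\r$/, ""); print }' "$leaf" "$chain" > "$out"
}

# Succeed only if every certificate names the next one in the file as its
# issuer (leaf-to-root order). Name chaining only; signatures are not verified.
chain_is_ordered() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$1"
    i=1 rc=0
    while [ -f "$tmp/$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$tmp/$i.pem" | sed 's/^issuer= *//')
        subject=$(openssl x509 -noout -subject -in "$tmp/$((i + 1)).pem" | sed 's/^subject= *//')
        [ -n "$issuer" ] && [ "$issuer" = "$subject" ] ||
            { echo "certificate $i is not issued by certificate $((i + 1))" >&2; rc=1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# Usage from the Apache conf directory:
#   build_fullchain domain.crt 1_root_bundle.crt fullchain.crt &&
#       chain_is_ordered fullchain.crt
# then in httpd.conf (SSLCertificateKeyFile stays as it is):
#   SSLCertificateFile "/usr/local/apache2/conf/fullchain.crt"
```

If `chain_is_ordered` fails, the certificates inside the chain file are not in leaf-to-root order and need to be rearranged before the bundle is served.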