GoLang带有http ssl GoDaddy的证书 - 该服务器的证书链不完整。 [英] GoLang with http ssl GoDaddy's certificate - This server's certificate chain is incomplete.

问题描述

一般来说，我从GoDaddy获得了3个文件：

1. 主要证书文件


2. 以下列方式在我的Go服务器中配置的所有这些文件中共享密钥
   
3. 捆绑文件

：

  cert，err：= tls.LoadX509KeyPair（myalcoholist.pem，myalcoholist.key）
如果err！= nil {
 log.Fatalf（server：loadkeys：％s，err）
 
} 
 pem，err：= ioutil.ReadFile（cert / sf_bundle-g2-g1.crt）
 if err！= nil {
 log.Fatalf（无法读取客户端证书权限：％v，err）
} 
 if！certpool.AppendCertsFromPEM（pem）{
 log.Fatalf（Can not parse client certificate authority）
} 
 tlsConfig：=& tls.Config {
 ClientCAs ：certpool，
证书：[] tls.Certificate {cert}，
} 
 
 srv：=& http.Server {
地址：myalcoholist.com ：443，
处理程序：n，
 ReadTimeout：t ime.Duration（5）* time.Second，
 WriteTimeout：time.Duration（5）* time.Second，
 TLSConfig：tlsConfig，
} 
 err：= srv。 ListenAndServeTLS（cert / myalcoholist.pem，cert / myalcoholist.key）
  

Web服务器运行正常，目前发布在 https://myalcoholist.com:443 。

我验证了我的SSL https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com ，它的响应是此服务器的证书链不完整。等级上限为B.

您可以到此链接查看所有详细结果。

我缺少什么？

解决方案

关注线程，并从 net / http /＃ListenAndServeTLS（） doc：

如果证书由证书颁发机构签署，certFile应该是服务器证书，任何中间器和CA证书的串联。

尝试并确保您的 cert / myalcoholist.pem 也包含CA证书。

使用的线程：

  myTLSConfig：=& tls.Config {
 CipherSuites： [] uint16 {
 tls.TLS_RSA_WITH_RC4_128_SHA，
 tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA，
 tls.TLS_RSA_WITH_AES_128_CBC_SHA，
 tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}，} 
 myTLSConfig.PreferServerCipherSuites = true 
 const myWebServerListenAddress =0.0.0.0:5555
 myTLSWebServer如果err = myTLSWebServer.ListenAndServeTLS（/ home / loongson / webServerKeysV2 / golangCertFile2，/ home / loongson / webServerKeysV2 / adequatech.ca-comodoinstantssl导出的-专用密钥-RSA-ForApache.key）; err！= nil {
 panic（err）
 
} 
  

与我以前的回答相比，添加密码套件是个不错的主意，但再次尝试查看证书文件传递给 ListenAndServeTLS 如果包含CA，效果会更好。

---

果然， https://www.ssllabs.com/ssltest/analyze .html？d = myalcoholist.com 报告等级A，警告：连锁问题：包含锚点。

请参阅 SSL / TLS：如何解决链问题：包含锚以移除该警告，但这不是一个错误：

RFC 2119 ：服务器全部应该包括链中的根证书（又名信任锚），或者省略它。一些服务器包含它

in general I got 3 files from GoDaddy:

1. main Certificate file
2. Server Private Key
3. Bundle file

in configured all these files in my Go server in the following way:

cert, err := tls.LoadX509KeyPair("myalcoholist.pem","myalcoholist.key")
if err != nil {
    log.Fatalf("server: loadkeys: %s", err)

}
    pem, err := ioutil.ReadFile("cert/sf_bundle-g2-g1.crt")
    if err != nil {
        log.Fatalf("Failed to read client certificate authority: %v", err)
    }
    if !certpool.AppendCertsFromPEM(pem) {
        log.Fatalf("Can't parse client certificate authority")
    }
    tlsConfig := &tls.Config{
        ClientCAs:    certpool,
    Certificates: []tls.Certificate{cert},
    }

    srv := &http.Server{
    Addr: "myalcoholist.com:443",
    Handler: n,
    ReadTimeout: time.Duration(5) * time.Second,
    WriteTimeout: time.Duration(5) * time.Second,
    TLSConfig: tlsConfig,
}
err := srv.ListenAndServeTLS("cert/myalcoholist.pem","cert/myalcoholist.key")

The web server runs properly, it's currently published at https://myalcoholist.com:443.

I validated my SSL using https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com and it's response is This server's certificate chain is incomplete. Grade capped to B.

you can go to this link to see the all detailed result.

what am I missing ?

解决方案

Following that thread, and from the net/http/#ListenAndServeTLS() doc:

If the certificate is signed by a certificate authority, the certFile should be the concatenation of the server's certificate, any intermediates, and the CA's certificate.

Try and make sure your cert/myalcoholist.pem includes the CA certificates as well.

That thread used:

myTLSConfig := &tls.Config{
    CipherSuites: []uint16{
        tls.TLS_RSA_WITH_RC4_128_SHA,
        tls.TLS_ECDHE_RSA_WITH_RC4_128_SHA,
        tls.TLS_RSA_WITH_AES_128_CBC_SHA,
        tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},}
myTLSConfig.PreferServerCipherSuites = true
const myWebServerListenAddress = "0.0.0.0:5555"
myTLSWebServer := &http.Server{Addr: myWebServerListenAddress, TLSConfig: myTLSConfig, Handler: router}
if err = myTLSWebServer.ListenAndServeTLS("/home/loongson/webServerKeysV2/golangCertFile2", "/home/loongson/webServerKeysV2/adequatech.ca-comodoinstantssl-exported-privatekey-rsa-ForApache.key"); err != nil {
    panic(err)

}

Compared to my previous answer, adding a cipher suite is a good idea, but again, try and see if the certificate file passed to ListenAndServeTLS works better if it includes the CAs.

---

Sure enough, https://www.ssllabs.com/ssltest/analyze.html?d=myalcoholist.com reports grade A, with the warning: "Chain issues: Contains anchor".
See "SSL/TLS: How to fix "Chain issues: Contains anchor"" to remove that warning, but this is not an error though:

RFC 2119: the server is allowed to include the root certificate (aka "trust anchor") in the chain, or omit it. Some servers include it

这篇关于GoLang带有http ssl GoDaddy的证书 - 该服务器的证书链不完整。的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！