SSL错误:无法获取本地颁发者证书 [英] SSL Error: unable to get local issuer certificate
问题描述
我在Debian 6.0 32位服务器上配置SSL时遇到问题。我是SSL的新手,所以请耐心等待。我尽可能多地提供信息。
注意:真正的域名已经更改,以保护服务器的身份和完整性。
I'm having trouble configuring SSL on a Debian 6.0 32bit server. I'm relatively new with SSL so please bear with me. I'm including as much information as I can.
Note: The true domain name has been changed to protect the identity and integrity of the server.
服务器正在使用nginx运行。配置如下:
The server is running using nginx. It is configured as follows:
ssl_certificate /usr/local/nginx/priv/mysite.ca.chained.crt;
ssl_certificate_key /usr/local/nginx/priv/mysite.ca.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_verify_depth 2;
我使用描述的方法链接了我的证书这里
I chained my certificate using the method described here
cat mysite.ca.crt bundle.crt > mysite.ca.chained.crt
其中 mysite.ca.crt 是签名机构提供给我的证书, bundle.crt 是我的签名机构发给我的CA证书。问题是我没有直接从GlobalSign购买SSL证书,而是通过我的托管服务提供商Singlehop购买。
where mysite.ca.crt is the certificate given to me by the signing authority, and the bundle.crt is the CA certificate also sent to me by my signing authority. The problem is that I did not purchase the SSL certificate directly from GlobalSign, but instead through my hosting provider, Singlehop.
证书在Safari和Chrome上正确验证,但在Firefox上验证不正确。初步搜索显示它可能是CA的问题。
The certificate validates properly on Safari and Chrome, but not on Firefox. Initial searching revealed that it may be a problem with the CA.
我探讨了答案类似问题,但无法找到解决方案,因为我不太了解每个证书的用途。
I explored the answer to a similar question, but was unable to find a solution, as I don't really understand what purpose each certificate serves.
我使用openssl的s_client来测试连接,并收到输出,这似乎表明了与类似的问题。错误如下:
I used openssl's s_client to test the connection, and received output which seems to indicate the same problem as the similar question. The error is as follows:
depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.mysite.ca
verify error:num=27:certificate not trusted
verify return:1
openssl响应的完整细节(有证书和不必要的信息被截断)可以在这里找到。
A full detail of openssl's response (with certificates and unnecessary information truncated) can be found here.
我也看到警告:
No client certificate CA names sent
这可能是问题吗?如何确保nginx发送这些CA名称?
Is it possible that this is the problem? How can I ensure that nginx sends these CA names?
我试图解决直接从GlobalSign下载根CA的问题,但收到相同的错误。我使用 update-ca-certificates 命令在我的Debian服务器上更新了根CA,但没有任何改变。这可能是因为从我的提供商发送的CA是正确的,因此它导致证书被链接两次,这没有帮助。
I attempted to solve the problem by downloading the root CA directly from GlobalSign, but received the same error. I updated the root CA's on my Debian server using the update-ca-certificates command, but nothing changed. This is likely because the CA sent from my provider was correct, so it led to the certificate being chained twice, which doesn't help.
0 s:/OU=Domain Control Validated/CN=*.mysite.ca
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
2 s:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
后续步骤
如果有任何问题,请告诉我我可以尝试,或者如果我只是将整个事情配置错误。
Next Steps
Please let me know if there is anything I can try, or if I just have the whole thing configured incorrectly.
推荐答案
jww是对的 - 你引用的是错误的中级证书。
jww is right — you're referencing the wrong intermediate certificate.
当您获得SHA256证书时,您将需要SHA256中间证书。你可以从这里抓住它: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
As you have been issued with a SHA256 certificate, you will need the SHA256 intermediate. You can grab it from here: http://secure2.alphassl.com/cacert/gsalphasha2g2r1.crt
这篇关于SSL错误:无法获取本地颁发者证书的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
