SSL site and browser warning

Problem description

I have an e-commerce site naturalvape.us using WordPress. HostGator is where it's hosted.

I have an SSL certification installed. My issue: my site shows a caution sign and says it is unsecured. The guys at HostGator gave me a link to this site to force SSL/HTTPS. Apparently some type of code is needed to redirect to the secure site.

Why do I have a warning in the browser?

How can I redirect the site to https?

Recommended answer

To expand upon Boan's comment, your certificate chain is malformed.

You are only sending the end entity (server) certificate; and you need to send both the end entity certificate and two intermediate certificates required for Comodo.

You need to send the intermediate certificates to avoid the "which directory" problem. It's a well-known problem in PKI. That's what clients are experiencing - they don't know where to go to get the missing intermediate certificate.

Here's how to check:

$ openssl s_client -connect naturalvape.us:443 -showcerts
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = naturalvape.us
verify error:num=20:unable to get local issuer certificate
verify return:1
...
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=naturalvape.us
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
-----BEGIN CERTIFICATE-----
MIIFUDCCBDigAwIBAgIRAOIeCA8uCx0hLc8AQSHiak8wDQYJKoZIhvcNAQELBQAw
gZAxCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
...
t3d8prtVxlUd9xp0AEXPOLI1uKQlDKNCOQlHFrINkZbwwg6hmomiFXx5IpfVSb9U
XIqr/cZP7xtD2oiYCJ2giJ7dHLU=
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=naturalvape.us
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
...

Notice there's one certificate present with a subject of CN=naturalvape.us (subject is the "s:" in the display). The issuer is CN=COMODO RSA Domain Validation Secure Server CA, but that intermediate certificate is missing (issuer is the "i:" part in the display).

To fix this, you need to fetch COMODO RSA Domain Validation Secure Server CA from [Intermediate #2 (SHA-2)] Comodo RSA Domain Validation Secure Server CA.

The intermediate certificate is already PEM encoded. Take your server certificate, and append the COMODO RSA Domain Validation Secure Server CA intermediate. That means there will be two certificates in the file. They will look like:

-----BEGIN CERTIFICATE-----
<server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate>
-----END CERTIFICATE-----

Plug that into your site under the server certificate.

Unfortunately, it's not enough to add just COMODO RSA Domain Validation Secure Server CA. You also need to add COMODO RSA Certification Authority. It's another missing intermediate certificate. You can get COMODO RSA Certification Authority from [Intermediate #1 (SHA-2)] COMODO RSA Certification Authority.

So they will look like this:

-----BEGIN CERTIFICATE-----
<end entity/server certificate>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate #2>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<intermediate certificate #1>
-----END CERTIFICATE-----

Users (relying parties) will still need to have/trust the issuer of the last missing intermediate (the last missing intermediate is COMODO RSA Domain Validation Secure Server CA). The issuer of the last missing intermediate is CN=AddTrust External CA Root, and it should be built-in to the browser or one of those cacerts.pem packs.

Once you concatenate the two missing intermediate certificates with the server certificate (and upload it), you can test as follows.

First, download the trust anchor. It's CN=AddTrust External CA Root, and it can be found at [KMCS] AddTrust External CA Root.

Second, run openssl s_client to verify. Notice the addition of the CAfile option and the "Verify result OK (0)".

$ openssl s_client -connect naturalvape.us:443 -CAfile addtrustexternalcaroot_kmod.crt 
CONNECTED(00000003)
...
Start Time: 1407558078
Timeout   : 300 (sec)
Verify return code: 0 (OK)
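
Added example (not part of the original answer): the check the answer does by eye on the "s:" and "i:" lines of the `openssl s_client` output, written as a small Python audit. The inputs are constructed from the output above, the last two DNs in `FIXED` are shortened to their CN, and `parse_chain`, `audit_chain` and `ANCHORS` are hypothetical names; it compares names only and does not verify signatures.

```python
import re

DV_CA = ("/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited"
         "/CN=COMODO RSA Domain Validation Secure Server CA")

# Constructed input: the chain section of the s_client output shown above.
BROKEN = f"""Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=naturalvape.us
   i:{DV_CA}
---
"""

# Constructed input: the same section once both intermediates are appended.
FIXED = f"""Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=naturalvape.us
   i:{DV_CA}
 1 s:{DV_CA}
   i:/CN=COMODO RSA Certification Authority
 2 s:/CN=COMODO RSA Certification Authority
   i:/CN=AddTrust External CA Root
---
"""

# Assumption: the relying party trusts this root, as the answer states.
ANCHORS = {"AddTrust External CA Root"}

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    section = text.partition("Certificate chain")[2].partition("\n---\n")[0]
    subjects = re.findall(r"^\s*\d+ s:(.+)$", section, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", section, re.M)
    return list(zip(subjects, issuers))

def audit_chain(text, trust_anchors):
    """List chain problems by name; signatures are not checked here."""
    chain = parse_chain(text)
    if not chain:
        return ["no certificates sent"]
    problems = []
    for pos, (cert, nxt) in enumerate(zip(chain, chain[1:])):
        if cert[1] != nxt[0]:  # issuer of cert must be subject of the next
            problems.append(f"cert {pos + 1} is not the issuer of cert {pos}")
    last_issuer = chain[-1][1]
    if re.split(r"CN\s*=\s*", last_issuer)[-1] not in trust_anchors:
        problems.append(f"issuer not sent and not a trust anchor: {last_issuer}")
    return problems

if __name__ == "__main__":
    print(audit_chain(BROKEN, ANCHORS))
    print(audit_chain(FIXED, ANCHORS))
```
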
