For some reason, just today, my Seafile client suddenly started throwing this error. I don't believe it is a Seafile problem, because my openssl throws exactly the same error:
```
user@nb-user:~$ echo |openssl s_client -connect seafile.mydomain.ch:443
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/description=5RygJ9fx8e2SBLzw/C=CH/ST=Thurgau/L=Frauenfeld/O=mydomain GmbH/CN=*.mydomain.ch/[email protected]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGqzCCBZOgAwIBAgIDAjmGMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
[... some more lines]
-----END CERTIFICATE-----
subject=/description=5RygJ9fx8e2SBLzw/C=CH/ST=Thurgau/L=Frauenfeld/O=mydomain GmbH/CN=*.mydomain.ch/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3997 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 96E1F6B9E123F8F8C1C1E8FB0DBACDBBE76ECB3E2CF5C46C1FD2CF46833C8212
    Session-ID-ctx: 
    Master-Key: 25837E1786B0CC60E676D0694319641CD0887F9CAF48A820F1C0D6ABA6FDE0742551816ACD2A4885B0D3FC143716B1F6
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 88 15 c0 c5 30 04 63 d6-ff 7c 72 c4 12 84 7b d6   ....0.c..|r...{.
    0010 - 73 33 8d 91 7c da ce 22-23 d0 31 fb c1 7f 1c 9c   s3..|.."#.1.....
    [... some more lines]

    Start Time: 1424953937
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
```
To me, the chain part looks the way it should. The Apache conf should be fine as well:
```
root@i-can-haz-data ~ # cat /etc/apache2/sites-enabled/seafile.conf
<VirtualHost *:443>
    ServerName seafile.mydomain.ch
    DocumentRoot /opt/seafile/www
    [... seafile specific things]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/ssl/custom/wildcardmydomain.ch.crt
    SSLCertificateKeyFile /etc/ssl/custom/wildcardmydomain.ch.key
    SSLCertificateChainFile /etc/ssl/custom/wildcardmydomain.ch.chain.crt
    [... seafile specific things]
</VirtualHost>
```
I can't find what my problem is... (the certificate is installed on my Lubuntu 14.04). Their website is no help, because they link their Class 1 certificate, but mine was issued as Class 2.
```
verify error:num=20:unable to get local issuer certificate
```
This OpenSSL error means the program could not validate the issuer of the certificate, or of the topmost certificate in the supplied chain. This can happen in several situations, for example:

The local database of trusted root certificates was not given, so OpenSSL does not consult it. To specify the path to the certificates explicitly, use the `-CApath` or `-CAfile` option. For Debian, with Ubuntu as an example:

```
-CApath /etc/ssl/certs/
-CAfile /etc/ssl/certs/ca-certificates.crt
```

which gives

```
openssl s_client -connect example.com:443 -CApath /etc/ssl/certs/
openssl s_client -connect example.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt
```
The latter requires more information. There has been a bug report against OpenSSL in Ubuntu since 2009:

> Using -CApath appears to set -CAfile to the default /etc/ssl/certs/ca-certificates.crt.

Whichever path you specify via `-CApath`, it works, because `-CAfile` is also set to the default (which was empty beforehand). So, do not rely on OpenSSL's default behaviour of validating certificates against the local certificate database; it may be false!