Chrome and IE won't accept client certificate

I have two websites on different hosts protected by the same SSL certificate, one on Apache2 and one on JBOSS.

My process:

  1. Created a private CA.
  2. Created a new certificate and signed it with the CA.
  3. Converted the certificate to PKCS12 format.
  4. Imported the PKCS12 certificate into a JKS (because that is what JBOSS prefers).

I have installed the client certificate and the CA certificate into all browsers. (Installing the CA certificate isn't necessary, but it gets rid of the red/danger icon in the URL bar.)

Ubuntu 14.04

  • With Firefox, I can access both sites using the client certificate.
  • Chrome lets me access the Apache2 site, but on the JBOSS site I get the error: ERR_BAD_SSL_CLIENT_AUTH_CERT

Windows 7

Chrome, Firefox and IE all let me access the Apache2 site; none of them let me access the JBOSS site.

  • Firefox: ssl_error_bad_cert_alert
  • Chrome: ERR_BAD_SSL_CLIENT_AUTH_CERT
  • IE: "This page can't be displayed"

Both the certificate and the root certificate are current, they just won't validate.

Anyone have a theory/solution?

Some redacted openssl command-line output, just in case:

$ openssl s_client -connect jboss_host:8443 -cert client.pem -showcerts -CAfile private_ca.crt
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA, emailAddress = [email protected]
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND, emailAddress = [email protected]
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
139661545379488:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
   i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND/[email protected]
issuer=/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA/[email protected]
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR Production/CN=MESA Certificate Factory/[email protected]
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/[email protected]
---
SSL handshake has read 2028 bytes and written 2356 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Session-ID-ctx:
    Master-Key: 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1429133346
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
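One check worth running on output like the above is whether the issuer of the client certificate appears in the "Acceptable client certificate CA names" the server sends in its CertificateRequest, and what the TLS alert number means. The script below is an added example, not code from the question: it parses a constructed, trimmed copy of the s_client output quoted above (e-mail addresses replaced by placeholders) and compares the advertised CA names against a client-certificate issuer DN that is assumed to match the private CA described in the question (in practice you would take it from `openssl x509 -in client.pem -noout -issuer`).

```python
"""Check a client certificate's issuer against the CA names a TLS server
advertises in its CertificateRequest, using `openssl s_client` output.

Added example, not code from the original question. SAMPLE_OUTPUT is a
constructed, trimmed copy of the s_client output quoted in the question;
e-mail addresses are placeholders.
"""
import re

# Constructed sample: trimmed from the s_client output quoted in the question.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Mendocino, O = My Company, CN = My Company CA
verify return:1
depth=0 C = US, ST = California, L = Mendocino, O = My Company, OU = Systems, CN = OND
verify return:1
139661545379488:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1262:SSL alert number 46
---
Certificate chain
 0 s:/C=US/ST=California/L=Mendocino/O=My Company/OU=Systems/CN=OND
   i:/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA
---
Acceptable client certificate CA names
/C=US/ST=Missouri/L=St. Louis/O=Washington University/OU=MIR/CN=MESA Certificate Factory/emailAddress=ca@example.invalid
/C=US/ST=Illinois/L=Champaign/O=ACME Integrated Systems/OU=Research Division/CN=ACME Certificate Factory/emailAddress=ca@example.invalid
---
SSL handshake has read 2028 bytes and written 2356 bytes
"""

# Assumed issuer DN of the client certificate, as printed by
#   openssl x509 -in client.pem -noout -issuer
# (constructed to match the private CA described in the question).
CLIENT_ISSUER = "/C=US/ST=California/L=Mendocino/O=My Company/CN=My Company CA"

# TLS alert descriptions relevant to client-certificate failures (RFC 5246, section 7.2).
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}


def dn_components(dn: str) -> tuple:
    """Split an OpenSSL-style '/C=US/O=...' DN into ((attr, value), ...) so two
    DNs compare equal regardless of surrounding whitespace or attribute case.
    Assumes no '/' inside attribute values (a limit of this legacy format)."""
    comps = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        comps.append((attr.strip().upper(), value.strip()))
    return tuple(comps)


def parse_acceptable_ca_names(s_client_output: str) -> list:
    """Return the DNs listed under 'Acceptable client certificate CA names'.
    Returns [] when the server sent none ('No client certificate CA names sent')."""
    names, capturing = [], False
    for line in s_client_output.splitlines():
        stripped = line.strip()
        if stripped == "Acceptable client certificate CA names":
            capturing = True
            continue
        if capturing:
            if stripped.startswith("---") or not stripped:
                break
            names.append(stripped)
    return names


def find_alert(s_client_output: str):
    """Return the TLS alert number OpenSSL reported, or None if there was none."""
    m = re.search(r"SSL alert number (\d+)", s_client_output)
    return int(m.group(1)) if m else None


def issuer_is_advertised(client_issuer: str, acceptable: list) -> bool:
    """True if the client certificate's issuer matches one advertised CA name."""
    target = dn_components(client_issuer)
    return any(dn_components(name) == target for name in acceptable)


def diagnose(s_client_output: str, client_issuer: str) -> dict:
    """Summarise a client-auth handshake failure from s_client output alone."""
    acceptable = parse_acceptable_ca_names(s_client_output)
    alert = find_alert(s_client_output)
    return {
        "alert": TLS_ALERTS.get(alert, str(alert)) if alert is not None else None,
        "advertised_ca_count": len(acceptable),
        "issuer_advertised": issuer_is_advertised(client_issuer, acceptable),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_OUTPUT, CLIENT_ISSUER)
    for key, value in result.items():
        print(f"{key}: {value}")
    if not result["issuer_advertised"]:
        print("Client certificate issuer is not among the CA names the server "
              "advertises for client auth; check the server's truststore.")
```

Run the script as-is and it reports the alert as `certificate_unknown` and `issuer_advertised: False` for the sample. When that check fails on a real server, the truststore the server uses for client authentication (for JBOSS, the JKS it is configured with) is the place to look, since the advertised list is built from the CAs the server trusts rather than from the client's certificate store.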