I have been trying to get Ubuntu to recognize a GeoTrust SAN certificate, with no luck. Browsers work fine. Help?
$ openssl s_client -showcerts -connect artsyapi.com:443
CONNECTED(00000003)
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 4660944, C = US, ST = New York, L = New York, O = Artsy Inc., CN = artsy.net
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 4660944, C = US, ST = New York, L = New York, O = Artsy Inc., CN = artsy.net
verify error:num=27:certificate not trusted
verify return:1
depth=0 businessCategory = Private Organization, 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, serialNumber = 4660944, C = US, ST = New York, L = New York, O = Artsy Inc., CN = artsy.net
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=4660944/C=US/ST=New York/L=New York/O=Artsy Inc./CN=artsy.net
   i:/C=US/O=GeoTrust Inc/OU=See www.geotrust.com/resources/cps (c)06/CN=GeoTrust Extended Validation SSL CA
-----BEGIN CERTIFICATE-----
MIIFfDCCBGSgAwIBAgICUFIwDQYJKoZIhvcNAQEFBQAwgYUxCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxHZW9UcnVzdCBJbmMxMTAvBgNVBAsTKFNlZSB3d3cuZ2VvdHJ1
c3QuY29tL3Jlc291cmNlcy9jcHMgKGMpMDYxLDAqBgNVBAMTI0dlb1RydXN0IEV4
dGVuZGVkIFZhbGlkYXRpb24gU1NMIENBMB4XDTEzMDExNzIxMTE0N1oXDTE0MDEy
MDExMTAxM1owgb0xHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYL
KwYBBAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYD
VQQFEwc0NjYwOTQ0MQswCQYDVQQGEwJVUzERMA8GA1UECBMITmV3IFlvcmsxETAP
BgNVBAcTCE5ldyBZb3JrMRMwEQYDVQQKEwpBcnRzeSBJbmMuMRIwEAYDVQQDEwlh
cnRzeS5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDoN6pmvv8V
6BhF4gRMzMV+5sSjQDNrhyqV2NMdDOzwqoTHGVMvyD+AJC9kaP6WmH/S8MlA6LmW
b/Z0RvDplD6Wvyoz5MJsHaeCwVThOs1fVLY4PYMky154515RF9H1rui4nz3KXUfP
bm6MeAZY7FStRM/Uep9LhewR/qXEfLocNEfb92piTJ/UtsiLtTbfeZKYxFe/IpMO
EMADQmhEBEXOq2ozcvwnwNBDHwApxhE88z2/mzUTHZl40fLnWI4S2tSVZZwOI45p
VMiu3XwVwzCCMmosm5k3B3l6swFlSOH+WDUTwEbnmxa4HRdQWAIFHsT3cTT28VyW
LIAbw8lSstKjAgMBAAGjggG6MIIBtjAfBgNVHSMEGDAWgBQoxOuP8V95kKMrVcNW
Tn1rU3IsGDBuBggrBgEFBQcBAQRiMGAwKgYIKwYBBQUHMAGGHmh0dHA6Ly9FVlNT
TC1vY3NwLmdlb3RydXN0LmNvbTAyBggrBgEFBQcwAoYmaHR0cDovL0VWU1NMLWFp
YS5nZW90cnVzdC5jb20vZXZjYS5jcnQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjBVBgNVHREETjBMghBzZWN1cmUuYXJ0c3ku
bmV0gg13d3cuYXJ0c3kubmV0ggxhcnRzeWFwaS5jb22CEHd3dy5hcnRzeWFwaS5j
b22CCWFydHN5Lm5ldDBCBgNVHR8EOzA5MDegNaAzhjFodHRwOi8vRVZTU0wtY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0ZXh0dmFsY2EuY3JsMAwGA1UdEwEB/wQCMAAw
SwYDVR0gBEQwQjBABgkrBgEEAfAiAQYwMzAxBggrBgEFBQcCARYlaHR0cDovL3d3
dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczANBgkqhkiG9w0BAQUFAAOCAQEA
owIpFaZH6wTdC05Bs++zElThmUdPuh2g9JXGjt8vWcZZg929s5I+grNIw1YEU5AC
aZBvw/imGFYECuVBbLZt3EGYewkFlUfVPcprVhHDDYZASlddN71fR/N9w4Y+A1io
sYS+yBjYOEpP8fTJAHkRK9nhqQ3/lnMQoFdy4yt/YL/k14dX9uFjoQuts1TLOwdk
VfCe/F/+Xme9WUZY2l9TE+TsqMg33C2O+Of/Im5rH+RkkkfE8nyzLMjWVGrofhiJ
jUw294H52QnouV/EPnzQgHmKmlb0AjqwG2zwFM2LlcJIEeZVLQ64mRyLENYN8TeZ
PcoaJf0Y9Qhecr51uvdwtQ==
-----END CERTIFICATE-----
---
Server certificate
subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=4660944/C=US/ST=New York/L=New York/O=Artsy Inc./CN=artsy.net
issuer=/C=US/O=GeoTrust Inc/OU=See www.geotrust.com/resources/cps (c)06/CN=GeoTrust Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 2275 bytes and written 440 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: DB973C054A9552ED83D591518D0F81E77AC548CE91450602E3C72ACCDD1C2E8E
    Session-ID-ctx:
    Master-Key: AEB7BC9F1077B2BE36D9E5020D873736227A9BE9271F673AA8825073FEA96CA6C37AC41E75C8B56F07220A205B49ADB9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e3 e1 6d 3e 5e 73 78 88-0e a2 79 e1 cf 05 91 90   ..m>^sx...y.....
    0010 - 07 90 cb 53 60 be 78 85-c3 08 b0 a6 8e ae d0 7b   ...S`.x........{
    0020 - 7c 71 d4 b8 a8 40 29 14-dc d2 12 39 a0 1d f0 fa   |q...@)....9....
    0030 - 3d d7 9b 6a cb fe 87 29-5f b6 d4 94 d2 4a e3 d4   =..j...)_....J..
    0040 - b2 f5 db ed d3 c3 43 2a-7a 64 65 8e bd 7a e6 46   ......C*zde..zF
    0050 - d5 b6 5e da ee 09 e0 50-24 ec 3e 17 c4 90 b9 16   ..^....P$.>.....
    0060 - 7e 60 c5 f5 50 03 f9 b4-41 5b 6c 13 6d 75 e9 7c   ~`..P...A[l.mu.|
    0070 - 2c a5 2b 48 b0 06 61 06-90 99 ed 97 f6 db f9 b2   ,.+H..a.........
    0080 - 4c 35 7e 7e 87 a0 92 41-b6 f4 16 35 d9 af de b4   L5~~...A...5....
    0090 - 19 11 0d 92 38 b9 a8 d2-f6 e7 0b d5 aa f9 90 7b   ....8..........{

    Start Time: 1368999775
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
This works:

Take the 2 certificates that RapidSSL supplied as the "certificate chain" out of the CA file (declared as ssl_client_certificate in the nginx config) and append them to the certificate file (declared as ssl_certificate).

In other words, the final configuration looks like this:
ssl_certificate        /etc/nginx/ssl/artsyapi.com/crt;   # original cert plus 2 from chain
ssl_certificate_key    /etc/nginx/ssl/artsyapi.com.key;   # key (unchanged)
ssl_client_certificate /etc/nginx/ssl/artsyapi.com.ca;    # now empty
I suspect you are missing the root certificate in your certificate store. You need to download the GeoTrust root certificate, copy it to /etc/ssl/certs/, and then run c_rehash in that directory.
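The following script is an added example, not code from either answer above or from the original poster. It builds a throwaway root -> intermediate -> leaf chain with openssl (the names "Example Root CA", "Example Intermediate CA" and artsyapi.example are made up for the demo) and then reproduces, offline, the two pieces both answers touch on: the server must send its intermediate(s) alongside the leaf (the first answer's "append the chain to ssl_certificate"), and the client's trust store must contain the root, hashed so OpenSSL can find it in a CApath (the second answer's "copy to /etc/ssl/certs and c_rehash"). Each is verified the way a client does it, with `openssl verify -untrusted <what the server sent>`; only when both conditions hold does the leaf verify. The `count_chain_sent` function at the end is the live check against a real host and needs network, so it is defined but not called.

```shell
#!/bin/sh
# Added example (not from the original question or answers): reproduce the
# "unable to get local issuer certificate" failure and the two fixes discussed
# on this page, using a locally generated throwaway PKI. All names are made up.
#   1. root trusted, server sends leaf only            -> fails (needs chain in ssl_certificate)
#   2. empty trust store, server sends leaf+intermediate -> fails (needs root in CApath)
#   3. root trusted, server sends leaf+intermediate    -> OK
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: OpenSSL refuses a v3 certificate as an issuer unless it is CA:TRUE.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:artsyapi.example, DNS:www.artsyapi.example
EOF

# Root (self-signed), intermediate (signed by root), leaf (signed by intermediate).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=artsyapi.example" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# What the server hands to the client. nginx sends everything in the
# ssl_certificate file, so the first answer's fix is the second line here.
cat leaf.crt > server_only.crt
cat leaf.crt int.crt > server_with_chain.crt

# Trust stores: one with the root hashed in (second answer's step), one empty.
STORE="$WORK/store"; EMPTY="$WORK/empty"
mkdir -p "$STORE" "$EMPTY"
cp root.crt "$STORE/"
rehash_store() {   # create the <subject-hash>.0 links a CApath lookup needs
    if openssl rehash "$1" 2>/dev/null; then :; else c_rehash "$1" >/dev/null; fi
}
rehash_store "$STORE"

# Verify the leaf as a client would: $1 = CApath, $2 = the bundle the server sent.
verify_with_store() {
    openssl verify -CApath "$1" -untrusted "$2" "$WORK/leaf.crt"
}

echo "1. root trusted, leaf only sent:";         verify_with_store "$STORE" server_only.crt || true
echo "2. empty store, leaf+intermediate sent:";  verify_with_store "$EMPTY" server_with_chain.crt || true
echo "3. root trusted, leaf+intermediate sent:"; verify_with_store "$STORE" server_with_chain.crt

# Live check (needs network, so not called here): how many certificates does a
# real server send? 1 for a CA-issued cert means the intermediates are missing.
count_chain_sent() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
```

Case 1 is the situation in the question: a browser passes because it already carries or fetches the GeoTrust intermediate, while `openssl s_client` on a stock Ubuntu only has what the server sends. Case 2 shows that a rehashed root alone does not help when the server still sends only the leaf's issuer-less bundle. Run `count_chain_sent artsyapi.com` (or any host) after changing `ssl_certificate` and reloading nginx to confirm the chain is actually being sent.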