Apache-2.2

SSL certificate invalid when the server connects to itself

  • January 7, 2022

I have a local network server. The server's IP address is 192.168.88.201, hostname: local.mydomain.com. The server is Ubuntu 18.04.6 LTS running Apache+PHP. It also has a Let's Encrypt SSL certificate installed with certbot. When using another computer on the local network, SSL works fine for https://local.mydomain.com -> Chrome shows the certificate as valid.

The problem appears when the server connects to itself and considers the certificate invalid.

I'm stuck here because I'm not sure where the problem could be. Do you have any suggestions?

For example, in the SERVER's terminal, when:

root@server:/tmp# wget https://local.mydomain.com
--2022-01-07 07:47:18--  https://local.mydomain.com/
Resolving local.mydomain.com (local.mydomain.com)... 192.168.88.201
Connecting to local.mydomain.com (local.mydomain.com)|192.168.88.201|:443... connected.
ERROR: cannot verify local.mydomain.com's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
 Unable to locally verify the issuer's authority.
To connect to local.mydomain.com insecurely, use `--no-check-certificate'.
root@server:/tmp# openssl s_client -connect local.mydomain.com:443 -prexit > a.txt
CONNECTED(00000005)
---
Certificate chain
0 s:CN = local.mydomain.com
  i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=CN = local.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2005 bytes and written 402 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
HTTP/1.1 400 Bad Request
Date: Fri, 07 Jan 2022 06:53:07 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at local.mydomain.com Port 443</address>
</body></html>
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
   Protocol  : TLSv1.3
   Cipher    : TLS_AES_256_GCM_SHA384
   Session-ID: E5F662F909BA717C5FA0D6DBBDA777CA284E164FACC4784915D7E08DF39B63DB
   Session-ID-ctx:
   Resumption PSK: FFA7F4A4502316545E4147887CE4A7D552DDF54A92A8C2B5D87601BEA01B8DDEC2292004635AC152E71188CEDEF099CE
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   TLS session ticket lifetime hint: 300 (seconds)
   TLS session ticket:
   0000 ****

   Start Time: 1641538382
   Timeout   : 7200 (sec)
   Verify return code: 21 (unable to verify the first certificate)
   Extended master secret: no
   Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
   Protocol  : TLSv1.3
   Cipher    : TLS_AES_256_GCM_SHA384
   Session-ID: BABB13C496B291A43F4FDDCD20FE5568574F79ACA2D06203A53D9072FBE3A2C8
   Session-ID-ctx:
   Resumption PSK: 90F330C4D3B9BA54DB4CA687400E692CC7AF250F7E6A58493D579A9DD6C3DBA3E5B1F2BA94DA7AEA8CF483C2FB19211B
   PSK identity: None
   PSK identity hint: None
   SRP username: None
   TLS session ticket lifetime hint: 300 (seconds)
   TLS session ticket:
   0000 - ***

   Start Time: 1641538382
   Timeout   : 7200 (sec)
   Verify return code: 21 (unable to verify the first certificate)
   Extended master secret: no
   Max Early Data: 0
---
read R BLOCK
---
Certificate chain
0 s:CN = local.mydomain.com
  i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=CN = local.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3152 bytes and written 450 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
Certificate chain
0 s:CN = local.mydomain.com
  i:C = US, O = Let's Encrypt, CN = R3

The server is misconfigured and sends only an incomplete chain, missing the intermediate certificate. A correctly configured site should return one additional intermediate certificate, leading to ISRG Root X1. Let's Encrypt has an example server:

$ openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443
...
Certificate chain
0 s:CN = valid-isrgrootx1.letsencrypt.org
  i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
  i:C = US, O = Internet Security Research Group, CN = ISRG Root X1

When using another computer… Chrome shows the certificate as valid.

Browsers usually manage to work around this kind of misconfiguration by downloading the missing intermediate certificate or using a cached copy. Other clients do not. So checking only whether it works in a browser is not a good idea. Use a site like SSL Labs instead; it would report "chain issues" as a problem in your case.
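An added example (not part of the answer above, and not a Let's Encrypt or Apache tool) that automates the chain check the answer describes: it parses the "Certificate chain" block printed by `openssl s_client` and reports whether the chain is continuous and ends at a trusted root. The `TRUSTED_ROOTS` set and the two embedded sample outputs (reconstructed from the transcripts on this page) are assumptions for the example; a real run would pipe live `openssl s_client -showcerts` output into it.

```python
"""Check whether the certificate chain an HTTPS server sends is complete."""
import re
import sys

# Assumption for this example: roots the local trust store contains.
TRUSTED_ROOTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}

# Matches one "N s:<subject>" / "i:<issuer>" pair from s_client's chain listing.
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] from the first 'Certificate chain' block,
    in the order the server sent the certificates."""
    start = s_client_output.find("Certificate chain")
    if start < 0:
        return []
    block = s_client_output[start:]
    end = block.find("---", len("Certificate chain"))   # block ends at next '---'
    if end >= 0:
        block = block[:end]
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(block)]

def check_chain(chain, trusted_roots=TRUSTED_ROOTS):
    """Return a list of problems; an empty list means the chain is complete."""
    if not chain:
        return ["no certificates found in output"]
    problems = []
    # Every certificate must be issued by the next one the server sent.
    for depth, ((_, issuer), (next_subject, _)) in enumerate(zip(chain, chain[1:])):
        if issuer != next_subject:
            problems.append(f"cert {depth} issued by '{issuer}' but cert {depth + 1} is '{next_subject}'")
    # The last certificate sent must be a trusted root or be issued by one;
    # otherwise the intermediate is missing (wget/openssl verify code 21).
    last_subject, last_issuer = chain[-1]
    if last_issuer not in trusted_roots and last_subject not in trusted_roots:
        problems.append(f"chain ends at '{last_subject}', issuer '{last_issuer}' is not a trusted root: "
                        "intermediate certificate missing")
    return problems

# Constructed samples, copied from the s_client transcripts on this page.
BROKEN = """CONNECTED(00000005)\n---\nCertificate chain\n 0 s:CN = local.mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3\n---\nServer certificate\n"""
COMPLETE = """...\nCertificate chain\n 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3\n 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1\n---\n"""

if __name__ == "__main__":
    # Usage: openssl s_client -connect host:443 -showcerts </dev/null 2>/dev/null | python3 check_chain.py
    text = sys.stdin.read() if not sys.stdin.isatty() else BROKEN
    for problem in check_chain(parse_chain(text)) or ["chain is complete"]:
        print(problem)
```

On the page's own server the output ends at R3 with no second certificate, so the script reports the missing intermediate; on valid-isrgrootx1.letsencrypt.org it reports a complete chain.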

Quoted from: https://serverfault.com/questions/1089269