Apache-2.2
SSL certificate invalid when the server connects to itself
I have a local network server. The server's IP address is 192.168.88.201, hostname: local.mydomain.com. This server is Ubuntu 18.04.6 LTS running Apache+PHP. It also has a Let's Encrypt SSL certificate installed with certbot. From another computer on the local network, SSL works fine: visiting https://local.mydomain.com -> Chrome shows the certificate as valid.
The problem appears when the server connects to itself and considers the certificate invalid.
I'm stuck here because I'm not sure where the problem could be. Do you have any suggestions?
For example, in the SERVER's terminal:
root@server:/tmp# wget https://local.mydomain.com
--2022-01-07 07:47:18--  https://local.mydomain.com/
Resolving local.mydomain.com (local.mydomain.com)... 192.168.88.201
Connecting to local.mydomain.com (local.mydomain.com)|192.168.88.201|:443... connected.
ERROR: cannot verify local.mydomain.com's certificate, issued by ‘CN=R3,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
To connect to local.mydomain.com insecurely, use `--no-check-certificate'.
root@server:/tmp# openssl s_client -connect local.mydomain.com:443 -prexit > a.txt
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = local.mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=CN = local.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2005 bytes and written 402 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
HTTP/1.1 400 Bad Request
Date: Fri, 07 Jan 2022 06:53:07 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 313
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at local.mydomain.com Port 443</address>
</body></html>
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: E5F662F909BA717C5FA0D6DBBDA777CA284E164FACC4784915D7E08DF39B63DB
    Session-ID-ctx:
    Resumption PSK: FFA7F4A4502316545E4147887CE4A7D552DDF54A92A8C2B5D87601BEA01B8DDEC2292004635AC152E71188CEDEF099CE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 ****

    Start Time: 1641538382
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: BABB13C496B291A43F4FDDCD20FE5568574F79ACA2D06203A53D9072FBE3A2C8
    Session-ID-ctx:
    Resumption PSK: 90F330C4D3B9BA54DB4CA687400E692CC7AF250F7E6A58493D579A9DD6C3DBA3E5B1F2BA94DA7AEA8CF483C2FB19211B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ***

    Start Time: 1641538382
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Certificate chain
 0 s:CN = local.mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=CN = local.mydomain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3152 bytes and written 450 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
Certificate chain
 0 s:CN = local.mydomain.com
   i:C = US, O = Let's Encrypt, CN = R3
The server is misconfigured and sends only an incomplete chain; the intermediate certificate is missing. A correctly configured site should return an additional intermediate certificate leading to ISRG Root X1. Let's Encrypt has an example server:
$ openssl s_client -connect valid-isrgrootx1.letsencrypt.org:443
...
Certificate chain
 0 s:CN = valid-isrgrootx1.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
When using another computer … Chrome shows the certificate as valid.
Browsers usually work around such a misconfiguration by downloading the missing intermediate certificate or using a cached copy. Other clients do not. So checking only whether it works in a browser is not a good idea. Use a site like SSL Labs instead; in your situation it will report "Chain issues" as a problem.