Nginx
Nginx does not send the certificate chain
I have the following certificates (the first is my own, the other two are from Comodo PositiveSSL):
And the following nginx configuration:
```
server {
    listen       80 default_server;
    server_name  tiendaganadera.com www.tiendaganadera.com;
    root         /var/www/tiendaganadera.com;

    #charset koi8-r;

    #access_log  /var/log/nginx/host.access.log  main;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        index index.php;
    }

    # redirect server error pages to the static page /40x.html
    #
    error_page  404  /404.html;
    location = /40x.html {
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    rewrite ^/tienda/(.*)$ /$1 permanent;

    if ($request_uri ~ /(Smarty-2.6.19|payment|admin|provider|partner)/) {
        break;
    }
    if ($request_uri ~ \.(gif|jpe?g|png|js|css|swf|php|ico)$) {
        break;
    }
    if (!-e $request_filename) {
        rewrite ^(.*)$ /dispatcher.php last;
    }
}

server {
    listen       443 default ssl;
    server_name  tiendaganadera.com www.tiendaganadera.com;
    root         /var/www/tiendaganadera.com;

    ssl on;
    ssl_certificate /etc/nginx/ssl/tiendaganadera.com.crt;
    ssl_certificate_key /etc/nginx/ssl/tiendaganadera.com.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    #charset koi8-r;

    #access_log  /var/log/nginx/host.access.log  main;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        index index.php;
    }

    # redirect server error pages to the static page /40x.html
    #
    error_page  404  /404.html;
    location = /40x.html {
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    rewrite ^/tienda/(.*)$ /$1 permanent;

    if ($request_uri ~ /(Smarty-2.6.19|payment|admin|provider|partner)/) {
        break;
    }
    if ($request_uri ~ \.(gif|jpe?g|png|js|css|swf|php|ico)$) {
        break;
    }
    if (!-e $request_filename) {
        rewrite ^(.*)$ /dispatcher.php last;
    }
}
```
But when I run `openssl s_client -connect tiendaganadera.com:443 -servername tiendaganadera.com`, it outputs:
```
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = tiendaganadera.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=tiendaganadera.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=tiendaganadera.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2043 bytes and written 402 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 48003BE87D4EA04D8F60A4838BF7CC4B0FAA821A4ABF2347726E9D86BAAFEC8F
    Session-ID-ctx:
    Master-Key: CB66470AC61552D63B68EB78678A210CC1AFF4175B25E4FEFB6A9A416CA4FE0A191487F3EE432B4FB88FF3E171A46452
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [...]

    Start Time: 1423599873
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
```
So nginx is apparently sending only the first one. Why is that?
Your list contains the following certificates (in this order):
```
#L Subject: ... CN=tiendaganadera.com
   Issuer:  ... CN=COMODO RSA Domain Validation Secure Server CA
#A Subject: ... CN=COMODO RSA Certification Authority
   Issuer:  ... CN=AddTrust External CA Root
#B Subject: ... CN=COMODO RSA Domain Validation Secure Server CA
   Issuer:  ... CN=COMODO RSA Certification Authority
#R Subject: ... CN=AddTrust External CA Root
   Issuer:  ... CN=AddTrust External CA Root
```
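Obviously, the order does not match. The first certificate #L is correctly the leaf certificate. But the following certificate #A did not sign #L, which can be seen from the fact that the subject of #A does not match the issuer of #L. Instead, #B signed #L, #A signed #B, and #R signed #A. #R is then the root certificate, which should not be included at all.
To fix:
- Keep #L as the first one
- Move #B up so that it comes directly after #L
- Move #A down so that it comes directly after #B
- Remove #R, since the root certificate should not be included (if it is included it is usually ignored, but it is bad style).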
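
The check the answer does by eye, written out as an added example that is not part of the original answer: each certificate's issuer must equal the subject of the certificate that follows it. The `subject=`/`issuer=` input shape and the function names are assumptions; only names are compared, no signatures are verified.

```python
# Added example; names only are compared, signatures are not verified.
# SAMPLE is constructed from the subject/issuer pairs listed in the answer.
SAMPLE = """\
subject=CN=tiendaganadera.com
issuer=CN=COMODO RSA Domain Validation Secure Server CA
subject=CN=COMODO RSA Certification Authority
issuer=CN=AddTrust External CA Root
subject=CN=COMODO RSA Domain Validation Secure Server CA
issuer=CN=COMODO RSA Certification Authority
subject=CN=AddTrust External CA Root
issuer=CN=AddTrust External CA Root
"""

def parse_pairs(text):
    """Return [(subject, issuer), ...] in file order."""
    pairs, subject = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("subject="):
            subject = line[len("subject="):]
        elif line.startswith("issuer=") and subject is not None:
            pairs.append((subject, line[len("issuer="):]))
            subject = None
    return pairs

def first_break(pairs):
    """Index of the first certificate whose issuer is not the next subject."""
    for i in range(len(pairs) - 1):
        if pairs[i][1] != pairs[i + 1][0]:
            return i
    return None

def suggested_order(pairs):
    """Leaf first, then each issuer in turn; the self-signed root is left out."""
    by_subject = dict(pairs)  # subject -> issuer
    issuers = {i for s, i in pairs if s != i}
    leaves = [s for s, _ in pairs if s not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one leaf certificate")
    chain, cur = [], leaves[0]
    while cur in by_subject and by_subject[cur] != cur and cur not in chain:
        chain.append(cur)
        cur = by_subject[cur]
    return chain

if __name__ == "__main__":
    pairs = parse_pairs(SAMPLE)
    print("order breaks after certificate index:", first_break(pairs))
    for n, subject in enumerate(suggested_order(pairs)):
        print(n, subject)
```

On the sample, the break is reported at index 0 (#L is followed by #A instead of #B) and the suggested order is #L, #B, #A with #R dropped.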