Nginx

帶有 nginx 的 OCSP 無法獲取頒發者證書

  • September 14, 2016

我無法使用 GlobalSign 頒發的證書在 nginx/1.6.2 上設置 OCSP。我閱讀了許多相關的文章,但我發現沒有一個解決方案有效。當我連接到伺服器時,OCSP 不工作

> openssl s_client -connect cawi.kondeor.at:443 -tls1 -tlsextdebug -status
[...]                                             .
OCSP response: no response sent
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = cawi.kondeor.at
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=cawi.kondeor.at
  i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
  i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=cawi.kondeor.at
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
---
No client certificate CA names sent
---
SSL handshake has read 2944 bytes and written 372 bytes
---
[...]
---

並且 nginx 日誌顯示以下錯誤:

[error] 10646#0: OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get issuer certificate) while requesting certificate status, responder: ocsp2.globalsign.com

我發現的所有其他文章都與Verify error:unable to get LOCAL issuer certificate通過修復證書鏈解決的錯誤有關。我的證書鏈似乎沒問題,因為openssl ocsp命令有效(但僅當我使用-header "HOST" "ocsp2.globalsign.com"CDN 的參數時):

> openssl ocsp -issuer root_ca_and_intermediate.pem -cert signed_cert_and_intermediate.pem -url http://ocsp2.globalsign.com/gsdomainvalsha2g2 -CAfile root_ca_and_intermediate.pem -header "HOST" "ocsp2.globalsign.com" -resp_text
OCSP Response Data:
   OCSP Response Status: successful (0x0)
   Response Type: Basic OCSP Response
   Version: 1 (0x0)
   Responder Id: 32B1CE1488C41C77C67D0B2DAEFE569D3A5F4E69
   Produced At: Sep 12 20:46:48 2016 GMT
   Responses:
   Certificate ID:
     Hash Algorithm: sha1
     Issuer Name Hash: D1F1B576F9EEC0C10F7AFC7C3124A9C3625D7C61
     Issuer Key Hash: EA4E7CD4802DE5158186268C826DC098A4CF970F
     Serial Number: 1121CD2E68A5AE7FEF7A719EDD4AE4034F8B
   Cert Status: good
   [...]
Certificate:
   Data:
       Version: 3 (0x2)
       Serial Number:
           14:dd:f1:f0:75:30:57:18:61:ec:c0:2c
   Signature Algorithm: sha256WithRSAEncryption
       Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
       Validity
           Not Before: Jul 25 03:28:41 2016 GMT
           Not After : Oct 25 03:28:41 2016 GMT
       Subject: C=BE, O=GlobalSign nv-sa/serialNumber=201607251137, CN=GlobalSign Domain Validation CA - SHA256 - G2 - OCSP Responder
       [...]
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Response verify OK
signed_cert_and_intermediate.pem: good
   This Update: Sep 12 20:46:48 2016 GMT
   Next Update: Sep 16 20:46:48 2016 GMT

可以在這裡找到我的 nginx 配置的清理版本:http: //pastebin.com/KYujwSgS

Cloudflare 可能是這裡的問題還是我忽略了什麼?任何幫助是極大的讚賞!

感謝所有的評論!它讓我再次仔細查看證書鏈,我注意到我沒有將根 CA 證書放入文件中root_ca_and_intermediate.pem,而是將中間證書放入了兩次。

所以現在的工作設置是該文件signed_cert_and_intermediate.pem包含站點的實際證書(第一個)和用於簽署實際證書的中間證書(第二個)。該文件root_ca_and_intermediate.pem包含中間證書(第一個)和用於簽署中間證書的根 CA 證書(第二個)。

引用自:https://serverfault.com/questions/802683