吊銷 SSL 證書

我們在這裡使用 Paypal SDK：

https ://github.com/paypal/PayPal-NET-SDK

幫助處理我們的 webhook。我們已經開始收到異常：

PayPal.PayPalException: Unable to verify the certificate(s) found at https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec
  at PayPal.CertificateManager.GetCertificatesFromUrl(String certUrl)
  at PayPal.Api.WebhookEvent.ValidateReceivedEvent(APIContext apiContext, NameValueCollection requestHeaders, String requestBody, String webhookId)

如果我們檢查證書文件，https://api.paypal.com/v1/notifications/certs/CERT-360caa42-fca2a594-8079afec我們會得到文件：

-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQBHtmc7f0ru/ozCsjsr2YyjANBgkqhkiG9w0BAQsFADB1
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk
IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE5MDMyNzAwMDAwMFoXDTIxMDYwMjEy
MDAwMFowgfUxHTAbBgNVBA8MFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB
BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF
EwczMDE0MjY3MQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTERMA8G
A1UEBxMIU2FuIEpvc2UxFTATBgNVBAoTDFBheVBhbCwgSW5jLjEYMBYGA1UECxMP
UGFydG5lciBTdXBwb3J0MSwwKgYDVQQDEyNtZXNzYWdldmVyaWZpY2F0aW9uY2Vy
dHMucGF5cGFsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMKo
k6Zr7AuPwsMwaTfBmv/ECGHU1/hjZ9VAdOBuolrKGql+TZ3NfZsu62Me8sdPuCjJ
R/8KUCJ/FtyFs/gVreg63zDqZLsHLBAR+6OcJR3yOJX1W4Y0ABdMA0i+iZFh/iUx
HHq6CZCnPlS2lvzJaS2UrzJ+mkPhCn1u2NRzys8FSKj/rn9ZLnT7CfgVvzabzobW
GvpHdXk+I3UieKyLkxZxlqJGWKN5KVTbPLU10F7H8RdO0f7deqt3tXT7eHIeEmBQ
6FZUIb3kt6qe4jTugXMqeS4JUiH9mhJTX1bC3PRl2TsnyjqgzKZZNfBXs/3IDHST
RElxn0603HnsWiyxn/ECAwEAAaOCA4AwggN8MB8GA1UdIwQYMBaAFD3TUKXWoK3u
80pgCmXTIdT4+NYPMB0GA1UdDgQWBBSkuNmXUDoHVayujFb0oeloO61qIDAuBgNV
HREEJzAlgiNtZXNzYWdldmVyaWZpY2F0aW9uY2VydHMucGF5cGFsLmNvbTAOBgNV
HQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHUGA1Ud
HwRuMGwwNKAyoDCGLmh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zaGEyLWV2LXNl
cnZlci1nMi5jcmwwNKAyoDCGLmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zaGEy
LWV2LXNlcnZlci1nMi5jcmwwSwYDVR0gBEQwQjA3BglghkgBhv1sAgEwKjAoBggr
BgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAHBgVngQwBATCB
iAYIKwYBBQUHAQEEfDB6MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2Vy
dC5jb20wUgYIKwYBBQUHMAKGRmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9E
aWdpQ2VydFNIQTJFeHRlbmRlZFZhbGlkYXRpb25TZXJ2ZXJDQS5jcnQwDAYDVR0T
AQH/BAIwADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHYAu9nfvB+KcbWTlCOX
qpJ7RzhXlQqrUugakJZkNo4e0YUAAAFpvJhEdQAABAMARzBFAiEAprZz2cWH2zV4
lymEVimmwQUTp6QpeVL6ruCjqr45cp8CIHE2SD079OeyVyXzbN6lcCPAQscdF+to
3rLMebtmZ10dAHUAVhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0AAAFp
vJhE0QAABAMARjBEAiAboeCw/qNGNi/bQahj4LxufXCoLVDS7p60HpWwCzvo/gIg
C1MRFVPAjxQ8ZW1445+gO/YXt/mxRr1P2ZTGDaI2RKMAdQCHdb/nWXz4jEOZX73z
bv9WjUdWNv9KtWDBtOr/XqCDDwAAAWm8mEabAAAEAwBGMEQCIHGAUX3fYxOY0Kmf
5cE5rFdoBWkugpku5tdQdaHl3XkUAiBn0TtWXdCi2XC8AX9HsfmkUhNRxt0a4Qrc
aRHA2pEBsDANBgkqhkiG9w0BAQsFAAOCAQEAKstIrA+/RYCmv1tiaRwsnyfMeFa/
9axfNcqy/Ip3h4K9uk2R3h2QpOMm19a5+cdYssBXRULMes2Y7+7iCMSlEKug5lq7
1P3DpVZeqg4kkWvirE39Mrr894z9tuthVuDEkOZ99p8vJhoPWXqURCZNaBGTg7qI
xJh1zxoihRW8XYoP/ToX/wFolQcBU19PF25Sb2zx3aio7Nu6aNEAKWI/zavsDJWk
G5HgJsgsqRA2wJSIonhUL+g/Xpmiz0wrDWcj9py2tO6COUBkYwOPVW7DHm3yU7q7
pa7sNAPF/Rb0oxQMQ1lFwEBEIWaIlgRs34zNteZS3JZudGYjLiBvRGDoNA==
-----END CERTIFICATE-----

如果我們檢查X509Chain這個證書，它是無效的，錯誤是：

FalseChain error: Revoked The certificate is revoked.

我們使用的是 Windows Server 2012 R2 Datacenter，有沒有辦法從伺服器配置的角度以任何方式阻止這個異常？

作為臨時解決方案，您可以將此證書添加到伺服器上的 Trusted People 儲存中。

為此：

• 將證書複製/粘貼到 .crt 文件中；
• 從 Windows 資源管理器中點兩下它；
• 選擇Install Certificate；
• Store Location: Local Machine;
• Place all certificates in the following store;
• Browse並選擇Trusted People商店

無需阻止防火牆上的任何內容。

注意力！

這樣做會給您的通信帶來安全風險！請在那裡進行盡職調查

這不是錯誤。證書已被證書頒發機構（在本例中為數字證書）吊銷。

您可以在以下位置測試自己：https ://decoder.link/ocsp

在您的 SDK 中某處使用此證書。或者它是通過貝寶呈現給你的。因此，要麼更新您的 SDK，要麼告訴貝寶替換該證書。

您可以在防火牆中禁用訪問以http://ocsp.digicert.com防止檢查 CRL（證書吊銷列表）。但這不是一個好主意。

引用自：https://serverfault.com/questions/961681