Windows

找不到有效的根 CA 證書,該證書可能會顯示瀏覽器警告

  • October 6, 2021

我正在嘗試讓 Telegram Webhook 與我的本地機器一起工作,但它不發出請求。我認為這是證書問題

這是 geocerts.com/ssl-checker 所說的:

截屏

這是我的 Apache 配置:

<IfModule ssl_module>
<VirtualHost *:%httpsport%>

   DocumentRoot    "%hostdir%"
   ServerName      "%host%"
   ServerAlias     "%host%" %aliases%
   ScriptAlias     /cgi-bin/ "%hostdir%/cgi-bin/"

   SSLEngine       on
   #Header always set          Strict-Transport-Security "max-age=94608000"

   SSLCACertificateFile       "%sprogdir%/userdata/config/cert_files/xxx/xxx-rootCA.crt"
   SSLCertificateChainFile    "%sprogdir%/userdata/config/cert_files/xxx/xxx-bundle.crt"

   SSLCertificateFile          "%sprogdir%/userdata/config/cert_files/xxx/xxx-server.crt"
   SSLCertificateKeyFile       "%sprogdir%/userdata/config/cert_files/xxx/xxx-server.key"

   SetEnvIf User-Agent ".*MSIE [1-5].*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0

   SetEnvIf User-Agent ".*MSIE [6-9].*" \
   ssl-unclean-shutdown

   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions              +StdEnvVars
   </FilesMatch>

   <Directory "%hostdir%/cgi-bin/">
       SSLOptions              +StdEnvVars
   </Directory>

</VirtualHost>
</IfModule>

我使用以下腳本生成了這些證書:

: Version 1.0
: Author unknown (improved by Kama - wp-kama.ru)
@echo off

: parameters
set DOM=xxx.info
set DOM_KEY=xxx
set APACHE_VER=Apache-PHP-7.2-x64

: create .txt config file
set config_txt=generate-temp-config.txt
(
   echo nsComment = "Open Server Panel Generated Certificate"
   echo basicConstraints = CA:false
   echo subjectKeyIdentifier = hash
   echo authorityKeyIdentifier = keyid,issuer
   echo keyUsage = nonRepudiation, digitalSignature, keyEncipherment
   echo.
   echo subjectAltName = @alt_names
   echo [alt_names]
   echo DNS.1 = %DOM%
   echo DNS.2 = www.%DOM%
) > %config_txt%

mkdir %DOM_KEY%

set OSAPACHE_DIR=%~dp0..\..\..\modules\http\%APACHE_VER%
set OPENSSL_CONF=%OSAPACHE_DIR%\conf\openssl.cnf
"%OSAPACHE_DIR%\bin\openssl" req -x509 -sha256 -newkey rsa:2048 -nodes -days 5475 -keyout %DOM_KEY%\%DOM_KEY%-rootCA.key -out %DOM_KEY%\%DOM_KEY%-rootCA.crt -subj /CN=OSPanel-%DOM_KEY%/
"%OSAPACHE_DIR%\bin\openssl" req -newkey rsa:2048 -nodes -days 5475 -keyout %DOM_KEY%/%DOM_KEY%-server.key -out %DOM_KEY%\%DOM_KEY%-server.csr -subj /CN=%DOM_KEY%/
"%OSAPACHE_DIR%\bin\openssl" x509 -req -sha256 -days 5475 -in %DOM_KEY%\%DOM_KEY%-server.csr -extfile %config_txt% -CA %DOM_KEY%\%DOM_KEY%-rootCA.crt -CAkey %DOM_KEY%\%DOM_KEY%-rootCA.key -CAcreateserial -out %DOM_KEY%\%DOM_KEY%-server.crt
"%OSAPACHE_DIR%\bin\openssl" dhparam -out %DOM_KEY%\%DOM_KEY%-dhparam.pem 2048

del %DOM_KEY%\%DOM_KEY%-server.csr
del %DOM_KEY%\%DOM_KEY%-dhparam.pem
del %DOM_KEY%\%DOM_KEY%-rootCA.srl
del %config_txt%

pause

我對證書不是很熟悉,而且我沒有太多時間做這個 rn,所以我需要幫助。

您自己生成證書,當然沒有其他人會信任它們;這就是證書的全部意義所在。

您應該從公共證書頒發機構獲得證書(或使用像 Let’s Encrypt 這樣的免費解決方案)。

引用自:https://serverfault.com/questions/1079693