程序员经验分享-hwhale

无法验证 SSL 证书

2024-05-01

我想做的事: 与以下人员保持干净的联系openssl -connect到远程站点。

网站似乎是自签名的。

What I'm getting: CONNECTED(00000003)
depth=0 CN = DC01.home.pri
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = DC01.home.pri
verify error:num=21:unable to verify the first certificate
verify return:1
...
...
Verify return code: 21 (unable to verify the first certificate)

我尝试过的:

echo -n | openssl s_client -connect DC01.home.pri:636 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ldapserver.pem
echo -n | openssl s_client -connect DC01.home.pri:636 -CAfile ldapserver.pem

sudo cp ldapserver.pem /etc/ssl/certs/ldapserver.pem
sudo c_rehash /etc/ssl/certs/
echo -n | openssl s_client -connect dc01.home.pri:636 -CApath /etc/ssl/certs/

我也尝试过

openssl verify -CAfile /etc/ssl/certs/ldapserver.pem ldapserver.pem 
openssl verify -CApath /etc/ssl/certs/ ldapserver.pem

结果

ldapserver.pem: CN = DC01.home.pri
error 20 at 0 depth lookup:unable to get local issuer certificate

我已更改 CN/主机名以保护自己。但主机名也会添加到我的主机文件中,以防有帮助。

审查的 PEM 文件

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:c7:48:64:00:00:00:00:00:d0
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=pri, DC=home, CN=home-HOMECA-CA
        Validity
            Not Before: Mar  7 22:41:45 2015 GMT
            Not After : Mar  6 22:41:45 2016 GMT
        Subject: CN=DC01.home.pri
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    <CENSORED>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2: 
                . .D.o.m.a.i.n.C.o.n.t.r.o.l.l.e.r
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            S/MIME Capabilities: 
......0...`.H.e...*0...`.H.e...-0...`.H.e....0...`.H.e....0...+....0
..*.H..
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, DNS:DC01.home.pri
            X509v3 Subject Key Identifier: 
                <CENSORED>
            X509v3 Authority Key Identifier: 
                keyid:<CENSORED>

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:ldap:///CN=home-HOMECA-CA,CN=HOMECA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?certificateRevocationList?base?objectClass=cRLDistributionPoint
                  URI:http://homeca.home.pri/CertEnroll/home-HOMECA-CA.crl

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=home-CA-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=home,DC=pri?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: sha1WithRSAEncryption
         <CENSORED>

您发布的证书不是自签名的;发行人(DC=pri, DC=home, CN=home-HOMECA-CA) 与主语 (CN=DC01.home.pri).

验证证书时,OpenSSL 无法找到颁发者(或 TLS 握手期间从 Web 服务器收到的链中第一个证书的颁发者)的本地证书来验证签名。

你需要给予openssl verify the issuer证书(或将其保存在您的信任存储中):

openssl verify -CApath /etc/ssl/certs/<issuer-cert>.pem
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)

SSL

openssl

LDAP

sslcertificate

Ubuntu1404

无法验证 SSL 证书 的相关文章

随机推荐

热门标签