SSL certificate exception in Firefox
and thanks in advance for your help or any tip that could get me out of here.
I work on a Java EE app with a JBoss server and an Apache. I'm not really familiar with SSL connections and certificates, I understand the basics, but I have to deal with it.
So on my local configuration (localhost) I have my connection certificate configured on JBoss and Apache, and a USER_DEV.P12 file, which I import in my certificates in Firefox.
I have the same configuration on a distant test server (test-server), and a USER_TEST.P12 which I also import in Firefox.
When I access https://localhost/ or https://test-server/ Firefox asks me to add an exception, which is normal. After that, I select the appropriate user certificate, and can use my application normally.
But for the second (let's say https://test-server/), Firefox raises a sec_error_reused_issuer_and_serial error. Of course I googled it and found the Mozilla help, so when I delete the "server" in my certificate manager, I can access my second domain again, but the same problem occurs for the first one.
To shorten the problem, my 2 client/server certificate couples are OK but I can't have 2 certificate exceptions at the same time in Firefox for my 2 different servers/users, even though the names, server address, and MD5 are different. I noticed the serial is the same (01), but it's working on my colleague's computer. So am I doing something wrong? Do I have to deal with it manually each time (or with Firefox profiles)?
Comments (3)
This is because you use self-signed certs and they use the same serial number. You have a few solutions,
Re-sign the certificates on the same machine using the same tool. Most tools will bump up the serial number for each signing and you will get a different serial number.
Make your own CA and sign the 2 certs with the same CA. This way Firefox only needs to import one CA.
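The second suggestion above (one private CA signing both server certificates), as an added example that is not part of the original answer. The CA name, file names and 30-day lifetime are assumptions; each certificate gets a random serial so the issuer+serial pair Firefox checks is never reused.

```shell
#!/bin/sh
# Added example: one throwaway CA signs both server certificates, each with a
# random serial, so no two certs share an issuer+serial pair.
# Subject names, file names and the 30-day lifetime are assumptions.
set -e
WORK=$(mktemp -d)

make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Dev Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# sign_server <host>: new key and CSR, signed by the CA with a fresh serial.
sign_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -days 30 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -set_serial "0x$(openssl rand -hex 16)" \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

issuer_of() { openssl x509 -in "$WORK/$1.crt" -noout -issuer; }
serial_of() { openssl x509 -in "$WORK/$1.crt" -noout -serial; }

# reused_pair <a> <b>: succeeds when both certs have the same issuer AND serial,
# the condition Firefox reports as sec_error_reused_issuer_and_serial.
reused_pair() {
    [ "$(issuer_of "$1")" = "$(issuer_of "$2")" ] &&
    [ "$(serial_of "$1")" = "$(serial_of "$2")" ]
}

make_ca
sign_server localhost
sign_server test-server

if reused_pair localhost test-server; then
    echo "collision: re-issue one certificate with a new serial" >&2
    exit 1
fi
echo "unique issuer+serial pairs; import $WORK/ca.crt into Firefox as a CA"
```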
On Windows, I found that deleting the cert*.db files in C:\Users\[myuser]\AppData\Roaming\Mozilla\Firefox\Profiles\[myprofile] fixed the issue. I have no idea if this has any knock-on effects, as Firefox is not my primary browser; I just needed to debug something that was not working in Firefox.
I encounter the same error message under different circumstances, but googling the error message leads me here. I access IPMI remote management controllers for blade servers installed at a remote facility by forwarding the required ports (80, 443, and 5900) through an SSH connection to another server on the same LAN, and browsing localhost (https) on my Linux workstation. This works for me:
ssh -l root -L 80:192.168.0.90:80 -L 443:192.168.0.90:443 -L 5900:192.168.0.90:5900
But I encounter the "same serial number" error when I try to access different remote machines. I use Firefox, and the support documentation describes a procedure to delete an offending certificate at:
https://support.mozilla.org/en-US/kb/Certificate%20contains%20the%20same%20serial%20number%20as%20another%20certificate
The instructions are for an earlier version of Firefox than mine, but even after finding the certificate store (preferences - advanced - certificates - ViewCertificates) and deleting the 127.0.0.1 entry, closing and reopening the browser, I still get the error.
The only thing that worked for me was to rename away various folders in my home directory where some cached content might linger:
After this, and closing/reopening my browser, I was able to enter a new security exception to browse localhost. This is of course a rather "blunt-instrument" solution that removes many things besides the offending lingering certificate, but I can put it all back later (after deleting the newly-generated folders). I may try to narrow down which to rename, ".mozilla" would be my first guess.