使用 SSL 证书时出现问题:“证书链中的自签名证书”
我正在使用自行生成的通配符 SSL 证书,我想知道以下内容是否存在问题,如果存在,我可以采取哪些措施来解决该问题。证书适用于我在本地主机上运行的 Web Ruby on Rails 3 应用程序。
我使用的是运行“Snow Leopard”1.6.6 的 Mac 操作系统。在终端中输入时
<my_user_name>$ openssl s_client -connect localhost.com:443
,我得到以下信息:
CONNECTED(00000003)
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = My Name\Surname
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICJDCCAY0CAQEwDQYJKoZIhvcNAQEEBQAwWTELMAkGA1UEBhMCQVUxEzARBgNV
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDESMBAGA1UEAwwJU2VyZ2lvIEwuMB4XDTExMDIxODIwMDAwOFoXDTEyMDIxODIw
MDAwOFowXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEVMBMGA1UEAwwMKnBqdG5hbWUu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDM46dH9rWKy5sNKBwJ7oo
wytsjw8fFLRskJGE0QqgKpz5ZtYK8yC/kifI4gpWZYVySePmVqHR6+wpv8Ry1KVx
Bl2qhF6ssLBbc5bvOK4eF2Rx9LNAZ/ndy+0q07DVsnAMMCxhNmegltCG1JZhazCG
g7elPm2pIQLAQvKlFSJwkQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBADO7XJbOASZM
Bm/XElq1AuVU1dR6/wkowLOxCn8+KWsUmyIdZj1yL8+83nhhG/yekzOr25n/I0SQ
zN1aUi3oX5vXlx8vp2xQsnug2BM/InfQxOn+90JjhZYPbCokH9ifzYsNj7fvGg57
KZ4et2jSfchxFMRqqoPutdOp/gNKw3me
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
---
No client certificate CA names sent
---
SSL handshake has read 1944 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 63BE474E62950D542BCBE30F72F80C28851EE23EA15BA34AE3E3E46AB5615505
Session-ID-ctx:
Master-Key: 9E8A8F7F4E824A2B251D5A28E3A133AC761BA8EDB237073973D2B1AE0AE0A31ADDADA2315F33B443B3F29D382070FC6C
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 10 b0 f3 4d 96 90 d3 65-22 d4 bf 09 27 8c a0 af ...M...e"...'...
0010 - d3 79 5c 9a cf d9 5b e1-3f aa 46 56 55 9b 55 50 .y\...[.?.FVU.UP
0020 - 8b 49 99 07 bc 35 e0 bc-e1 1d 4e 61 f0 aa 33 57 .I...5....Na..3W
0030 - 1d 37 0b dd 51 ae 81 ea-df 8e 6e 25 ff f7 2b ff .7..Q.....n%..+.
0040 - e9 88 79 e4 57 2a b2 f2-61 22 df 86 f0 24 57 a7 ..y.W*..a"...$W.
0050 - 06 13 b5 71 47 dc d5 ac-c2 61 89 75 6e 03 45 cc ...qG....a.un.E.
0060 - 14 69 0c 72 3a 4a 00 b3-4f d8 8d 44 2d 66 cb 40 .i.r:J..O..D-f.@
0070 - 80 c8 9b e2 12 9f 0d b4-58 6e a1 c7 bb fe 92 6d ........Xn.....m
0080 - b8 b7 b7 f0 dc 1c ab fd-44 a4 25 96 c6 09 09 a1 ........D.%.....
0090 - aa ff c0 dc 53 6b 30 13-30 f3 44 f6 78 b1 43 c7 ....Sk0.0.D.x.C.
00a0 - ca 88 9d 63 41 d3 c1 a1-af fa 36 e2 9c fd 0e 62 ...cA.....6....b
00b0 - c4 44 6b 5c 74 da ff be-a8 98 3f 54 f9 fa 59 15 .Dk\t.....?T..Y.
Compression: 1 (zlib compression)
Start Time: 1298072476
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
问题可能出在第 3 行:验证错误:num=19:证书链中的自签名证书。这意味着什么?我的证书适用于 localhost.com 吗?
更新
在浏览器中,我接受了我的自签名证书(我明确地将我的证书添加到系统中的私有证书列表中),因此,即使我收到 verify error:num=19:self证书链中的签名证书 在我的应用程序中,我使用以下代码通过 SSL 发出 HTTP 请求,
require 'uri'
require 'net/https'
host = "https://<subdomain>.localhost.com"
path = "/users/1.json"
uri = URI.parse("#{host}#{path}")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
# I think here is necessary to verify connections using 'http.verify_mode = OpenSSL::SSL::VERIFY_PEER':
# in localhost using that the connection will fault, but in production mode
# (when I will deploy the application) I think I MUST use 'VERIFY_PEER'
http.ca_file = File.join(File.dirname("<certificate_folder>/wildcard.certificate/ca.db.certs/"), "01.pem")
http.start do
response = http.get("#{host}#{path}")
@test_response = JSON(response.body)["profile"]
end
连接实际上是通过 SSL 进行的? “VERIFY_PEER”意味着什么?
I am using a self generated wildcard SSL certificate and I would like to know if the following is a problem and, if so, what I can do to fix that. Certificate is for my web Ruby on Rails 3 application running on localhost.
I am using a Mac OS running "Snow Leopard" 1.6.6. Typing in the Terminal
<my_user_name>$ openssl s_client -connect localhost.com:443
I get the following:
CONNECTED(00000003)
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = My Name\Surname
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICJDCCAY0CAQEwDQYJKoZIhvcNAQEEBQAwWTELMAkGA1UEBhMCQVUxEzARBgNV
BAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0
ZDESMBAGA1UEAwwJU2VyZ2lvIEwuMB4XDTExMDIxODIwMDAwOFoXDTEyMDIxODIw
MDAwOFowXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNV
BAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEVMBMGA1UEAwwMKnBqdG5hbWUu
Y29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDDM46dH9rWKy5sNKBwJ7oo
wytsjw8fFLRskJGE0QqgKpz5ZtYK8yC/kifI4gpWZYVySePmVqHR6+wpv8Ry1KVx
Bl2qhF6ssLBbc5bvOK4eF2Rx9LNAZ/ndy+0q07DVsnAMMCxhNmegltCG1JZhazCG
g7elPm2pIQLAQvKlFSJwkQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBADO7XJbOASZM
Bm/XElq1AuVU1dR6/wkowLOxCn8+KWsUmyIdZj1yL8+83nhhG/yekzOr25n/I0SQ
zN1aUi3oX5vXlx8vp2xQsnug2BM/InfQxOn+90JjhZYPbCokH9ifzYsNj7fvGg57
KZ4et2jSfchxFMRqqoPutdOp/gNKw3me
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=*localhost.com
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=My Name\Surname
---
No client certificate CA names sent
---
SSL handshake has read 1944 bytes and written 409 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 63BE474E62950D542BCBE30F72F80C28851EE23EA15BA34AE3E3E46AB5615505
Session-ID-ctx:
Master-Key: 9E8A8F7F4E824A2B251D5A28E3A133AC761BA8EDB237073973D2B1AE0AE0A31ADDADA2315F33B443B3F29D382070FC6C
Key-Arg : None
PSK identity: None
PSK identity hint: None
TLS session ticket:
0000 - 10 b0 f3 4d 96 90 d3 65-22 d4 bf 09 27 8c a0 af ...M...e"...'...
0010 - d3 79 5c 9a cf d9 5b e1-3f aa 46 56 55 9b 55 50 .y\...[.?.FVU.UP
0020 - 8b 49 99 07 bc 35 e0 bc-e1 1d 4e 61 f0 aa 33 57 .I...5....Na..3W
0030 - 1d 37 0b dd 51 ae 81 ea-df 8e 6e 25 ff f7 2b ff .7..Q.....n%..+.
0040 - e9 88 79 e4 57 2a b2 f2-61 22 df 86 f0 24 57 a7 ..y.W*..a"...$W.
0050 - 06 13 b5 71 47 dc d5 ac-c2 61 89 75 6e 03 45 cc ...qG....a.un.E.
0060 - 14 69 0c 72 3a 4a 00 b3-4f d8 8d 44 2d 66 cb 40 .i.r:J..O..D-f.@
0070 - 80 c8 9b e2 12 9f 0d b4-58 6e a1 c7 bb fe 92 6d ........Xn.....m
0080 - b8 b7 b7 f0 dc 1c ab fd-44 a4 25 96 c6 09 09 a1 ........D.%.....
0090 - aa ff c0 dc 53 6b 30 13-30 f3 44 f6 78 b1 43 c7 ....Sk0.0.D.x.C.
00a0 - ca 88 9d 63 41 d3 c1 a1-af fa 36 e2 9c fd 0e 62 ...cA.....6....b
00b0 - c4 44 6b 5c 74 da ff be-a8 98 3f 54 f9 fa 59 15 .Dk\t.....?T..Y.
Compression: 1 (zlib compression)
Start Time: 1298072476
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
The issue, maybe, is on line 3: verify error:num=19:self signed certificate in certificate chain. What that means? Is my certificate working for localhost.com?
UPDATE
In browser I accepted my sel-signed certificate (I explicitly added my certificate to the list of private certificates in the system), so, even I get verify error:num=19:self signed certificate in certificate chain and in my application I use the following code to make HTTP requests over SSL
require 'uri'
require 'net/https'
host = "https://<subdomain>.localhost.com"
path = "/users/1.json"
uri = URI.parse("#{host}#{path}")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
# I think here is necessary to verify connections using 'http.verify_mode = OpenSSL::SSL::VERIFY_PEER':
# in localhost using that the connection will fault, but in production mode
# (when I will deploy the application) I think I MUST use 'VERIFY_PEER'
http.ca_file = File.join(File.dirname("<certificate_folder>/wildcard.certificate/ca.db.certs/"), "01.pem")
http.start do
response = http.get("#{host}#{path}")
@test_response = JSON(response.body)["profile"]
end
the connection is actually going over SSL? 'VERIFY_PEER' means something?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
SSL 通过检查主机的证书来验证主机的有效性。
每个证书都是:
如果它由另一个证书签名,它将检查签名它的证书。
现在,在某些时候,为了验证证书是否有效,它必须将该证书与系统上拥有的“有效”证书存储相匹配(例如:Firefox 维护自己的存储,Windows 有自己的存储, ETC。)。如果它将层次结构中的某个证书与存储相匹配,则它会将该证书视为有效,因此由它签名的所有证书都是有效的。
但是,如果证书是自签名的并且不在存储中,那么它将拒绝它,或者警告您它无法验证该证书。
如果证书用于测试应用程序,或者用于规模非常有限的部署(您可以要求人们将您的证书添加到他们的存储中),那么这是可以的。但是,如果您计划将应用程序移动到 somedomain.com 的生产站点,那么您可能需要购买该域的证书。
注意:无论哪种情况,您为 localhost 拥有的自签名证书仅对“localhost”有效,即使通过 IP 在 Intranet 上访问它也无效
SSL verifies the validity of a host by checking the certificate of the host.
Every certificate is either:
If it is signed by another certificate, it checks the certificate that signed it.
Now, at some point, to verify if a certificate is valid or not, it has to match that certificate against a store of 'valid' certificates it has on the system (Eg: Firefox maintains its own store, Windows has its own store, etc.). If it matches some certificate in the hierarchy against the store, then it treats that certificate as valid, and therefore all certificates signed by it are valid.
However, if the certificate is self-signed and isn't in the store, then it will reject it, or warn you that it cannot verify the certificate.
If the certificate is for you to test out an application, or for a very limited scale deployment where you can ask people to add your certificate to their store, this is alright. However, if you are planning to move your application to a production site at somedomain.com, then you will probably need to buy a certificate for that domain.
Note: in either case, the self-signed certificate you have for localhost is valid only for 'localhost', not even if it is accessed on an intranet via IP
[SSL] 证书的目的是证明主机是它所声称的主机,而不是假主机。为此,证书由证书颁发机构颁发,证书颁发机构[应该正确]检查请求证书的个人或组织的身份。因此,自签名证书不能可靠地识别主机(即使它是本地主机)。因此,大多数应用程序在看到证书链中的自签名证书时都会报告验证错误。唯一的例外是[通常]当证书被显式添加到系统中的私有证书列表中时 - 在这种情况下,它被视为有效。
因此,如果您在计算机上创建了用于测试目的的自签名证书,则可以将其添加到受信任列表中。否则(如果您需要公共主机的证书),您将需要从证书颁发机构之一购买证书。
The purpose of certificates [in SSL] is to prove that the host is the one it claims to be and not the fake one. To do this certificates are issued by certificate authorities, who [are supposed to properly] check the identity of the person or organization that requests a certificate. Consequently, self-signed certificate doesn't reliably identify the host (even if it's a localhost). So most applications report a validation error when they see a self-signed certificate in a chain of certificates. The only exception is [usually] when the certificate is explicitly added to the list of private certificates in the system - in this case it's accepted as valid.
Consequently, if you have created your self-signed certificate for test purposes on your computer, then you can add it to trusted list. Otherwise (if you need a certificate for a public host), you will need to buy a certificate from one of certificate authorities.