RapidSSL certificate not trusted on Android tablet
I've installed a RapidSSL certificate, with intermediate certificate, on the site address removed, using DirectAdmin. The RapidSSL installation checker reports a successful installation.
However, when I visit the site on an Archos 10.0 tablet with Android 2.2, it complains that the certificate was not issued by a trusted authority. It works fine on my Sony Ericsson Arc (phone) with Android 2.3.
Is there anything I can do to fix this on the server side (without touching the tablet)? Obviously if that version of Android simply doesn't trust RapidSSL, I can't do anything, but maybe there's a misconfiguration with my CA chain or something?
Comments (5)
Late response I know, but I had the same problem. Installing the CA for both RapidSSL and GeoTrust on the server-side solved it for me.
http://support.servertastic.com/rapidssl-and-geotrust-certificate-not-trusted-on-mobile-device/
This is the RapidSSL and Geotrust CA bundle you need.
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
Documentation of some providers:
It seems that the (new) GeoTrust Root CA is not installed on various mobile devices:
http://support.servertastic.com/rapidssl-and-geotrust-certificate-not-trusted-on-mobile-device/
You can cross-reference that CA to other known Root-CAs.
I added the Cross-Root CA Cert to the ca-bundle/intermediate Cert. After that it worked on Android:
Copy Geotrust Cross Root CA Certificate:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426&actp=search&viewlocale=en_US&searchid=1283360269668
Add that Cross Root CA Cert to the RapidSSL and Geotrust CA bundle file:
https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem
Then install this new bundle file as intermediate.pem or ca-bundle.crt on your Server.
I had the same problem, but it had nothing to do with the support of RapidSSL's or GeoTrust's certificates: I had concatenated the server and intermediate certificates together in the wrong order, when serving the SSL certificate chain.
So make sure your server's certificate comes first in the bundle, e.g.:
cat server.pem intermediate.pem > bundle.pem
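The ordering rule from this answer can be checked mechanically; the same rule covers the cross-root case above, where the cross-root certificate follows the intermediate. This is an added example, not part of the original answers: the function names are hypothetical, the certificates are throwaway ones constructed on the spot, and it assumes the `openssl` command-line tool is installed.

```shell
# Split PEM bundle $1 into cert-1.pem, cert-2.pem, ... inside directory $2.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
  ' "$1"
}

# 0: each certificate names the next one as its issuer; 1: wrong order;
# 2: no certificate found. Names only: signatures and trust are not checked.
chain_order_ok() {
  tmp=$(mktemp -d) || return 2
  split_bundle "$1" "$tmp"
  i=1; rc=0
  [ -f "$tmp/cert-1.pem" ] || rc=2
  while [ -f "$tmp/cert-$((i + 1)).pem" ]; do
    issuer=$(openssl x509 -noout -issuer_hash -in "$tmp/cert-$i.pem")
    subject=$(openssl x509 -noout -subject_hash -in "$tmp/cert-$((i + 1)).pem")
    if [ -z "$issuer" ] || [ "$issuer" != "$subject" ]; then rc=1; break; fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}

# Constructed throwaway chain (root -> intermediate -> server) in directory $1.
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 1 -out "$d/intermediate.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/int.key" -set_serial 3 -days 1 -out "$d/server.pem" 2>/dev/null
}

demo=$(mktemp -d) && make_demo_chain "$demo"
cat "$demo/server.pem" "$demo/intermediate.pem" > "$demo/bundle.pem"    # server first
cat "$demo/intermediate.pem" "$demo/server.pem" > "$demo/reversed.pem"  # the mistake
for f in bundle reversed; do
  if chain_order_ok "$demo/$f.pem"; then echo "$f.pem: order OK"
  else echo "$f.pem: wrong order"; fi
done
rm -rf "$demo"
```

To check a real deployment, run `chain_order_ok` on the bundle file the web server is configured to serve.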
Hello, in my case (Geotrust RapidSSL), CentOS 6, apache2 settings, trusted SSL for Android devices are:
The catch is that apache does not need a bundle certificate.
Just place your crt found in mail from Geotrust
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE----- in domain.crt file, named as you wish, and
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
.. don't miss any dash...
and placed in an intermediate.crt file
Yes, it's fixable. What you need to do is load the root certificate (that is, the public key of the RapidSSL server--in your case, it's the "GeoTrust Global CA") into the Android device so it knows to trust that certificate authority. There's a question on the Android StackExchange that suggests multiple ways you can do this. In that case... unfortunately, the only way to fix it on the server side is to buy an SSL certificate from a provider that is trusted on all the devices you want to use the site. Sadly, this almost always means buying the more expensive SSL certificates from the biggest CAs. (E.g. in my experience, the RapidSSL line was not trusted by handhelds with iOS and WinMobile, but the parent company GeoTrust's base-level certificate was.)
Or... you could provide documentation for your end-users on how to trust the cert on their devices.