centos - Cannot verify a GoDaddy SHA2 SSL certificate with the built-in CA bundle

I have run into an interesting problem. We have a PHP script that contacts an LTL carrier (https://facts.dohrn.com/). The script fails because it cannot verify the SSL certificate. I went to the site and found that they are using a GoDaddy SHA2 certificate (using the GoDaddy Certificate Bundles - G2, which is the one for SHA2).

I installed the latest version of ca-certificates, and it looks like it ships Go Daddy Root Certificate Authority - G2, but that is not the same thing, and it fails every form of verification. I finally got it working by copying the bundle and using it directly in the cURL request. But that is only a workaround. Is there any other way I can make this work without installing the CA directly?

# openssl s_client -connect facts.dohrn.com:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = facts.dohrn.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, CN = facts.dohrn.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, CN = facts.dohrn.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=facts.dohrn.com
   i:/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
Server certificate
[certificate removed]
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=facts.dohrn.com
issuer=/C=US/ST=Arizona/L=ScottsDale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
---
SSL handshake has read 1470 bytes and written 563 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 1A23000017A7003411F3833970B7FA23C6D782E663CE0C8B17DE4D5A15DEE1A5
    Session-ID-ctx:
    Master-Key: F6C9C6345A09B7965AF762DE4BEFE8BDD249136BF30D9364598D78CF123F17230B0C25DD552F103BEF9A893F75EAD2B0
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1432044402
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

It looks like the web server at https://facts.dohrn.com/ does not include the intermediate certificate.

This appears to be a misconfiguration on their side. It is definitely something that can be expected to cause compatibility problems, since you should really only rely on clients having the pre-existing root certificates.

See the certificate chain, for example from the SSLLabs result: (You will also notice that the SSL setup has a number of other problems.)

1  Sent by server   facts.dohrn.com
   Fingerprint: 823e3a70f194c646498b2591069b3727ad0014d9
   RSA 2048 bits (e 65537) / SHA256withRSA

2  Extra download   Go Daddy Secure Certificate Authority - G2
   Fingerprint: 27ac9369faf25207bb2627cefaccbe4ef9c319b8
   RSA 2048 bits (e 65537) / SHA256withRSA

3  In trust store   Go Daddy Root Certificate Authority - G2   Self-signed
   Fingerprint: 47beabc922eae80e78783462a79f45c254fde68b
   RSA 2048 bits (e 65537) / SHA256withRSA

I would say your main options are either to try to convince the service provider to fix their service, or to work around the problem by giving the client the certificate that their server should be sending.
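The following is an added example, not part of the question or the answer above: it builds a throwaway root -> intermediate -> leaf chain with openssl and reproduces, offline, the three situations discussed here. With only the root in the client's trust store and only the leaf presented, verification fails with the "unable to get local issuer certificate" class of error seen in the s_client output; supplying the intermediate as an untrusted chain member (what a correctly configured server does in the handshake) makes it pass; and putting the intermediate into the CA file handed to the client reproduces the questioner's bundle workaround. The names (Example Root CA, Example Intermediate CA, facts.example) are constructed placeholders, not the GoDaddy certificates, and the script assumes a working openssl binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduce a missing-intermediate
# verification failure and its two resolutions with a locally generated chain.
# All CA and host names below are constructed placeholders.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA (self-signed): plays the role of the root that ca-certificates already ships.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
    -out root.pem 2>/dev/null

# Intermediate CA, signed by the root: the certificate the server should send but does not.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile ca.ext -out inter.pem 2>/dev/null

# Leaf (server) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=facts.example" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:facts.example\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The questioner's workaround: a CA file that carries the intermediate as well as the
# root, given to the client (e.g. as cURL's CA file) instead of the system store.
cat inter.pem root.pem > bundle.pem

# Case 1: client trusts only the root; the server presented only the leaf.
# This fails with "unable to get local issuer certificate" (error 20), as in the question.
verify_root_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Case 2: the intermediate is available as an untrusted chain member, which is what a
# correctly configured server provides in the TLS handshake. The root stays the only anchor.
verify_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Case 3: the workaround: the client's own CA file contains the intermediate.
verify_with_bundle() {
    openssl verify -CAfile bundle.pem leaf.pem >/dev/null 2>&1
}

# Count certificates in a PEM file. A chain file a server serves should hold the leaf
# plus every intermediate; a file with a single certificate is the misconfiguration here.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

if verify_root_only; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "root only: verification fails (intermediate missing), as in the question"
fi
verify_with_intermediate && echo "root + intermediate supplied: verification succeeds"
verify_with_bundle && echo "bundle as CA file: verification succeeds (the workaround)"
echo "certificates in bundle.pem: $(count_certs bundle.pem)"
```

Case 2 is the proper fix and costs the client nothing: once the provider serves leaf plus intermediate, clients that only carry the GoDaddy root verify the chain. Case 3 works but ties the client to a copy of someone else's intermediate, which has to be replaced whenever that intermediate is rotated.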
