Heroku SSL问题给我验证失败

Question

I updated my all certificate on heroku with this command

heroku certs:add heroku.pem server.key -a myapp --bypass

heroku.pem has below details

-----BEGIN CERTIFICATE----- 
entrustcert.crt
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
L1Cchain.txt
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
L1Croot.txt
-----END CERTIFICATE-----

when I run test on server its give me this result

SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.

I have entrust SSL certificate.

Please help me to solve this issue

command that I use for test :

curl -kvI "my HTTPS domain name" 

Answer 1

Try this guide.

Also the official documentation states

Next add your certificate, any intermediate certificates, and private key to the endpoint with the certs:add command

It is somewhat in contradiction with the guide above because it doesn't say anything about root CA certificate. But I would definitely try the guide and if it does not work I would remove root certificate from heroku.pem.

Answer 2

Please help me to solve this issue

Curl should no be claiming error 19. Error 19 is OpenSSL's X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN . You have at least two problems.

---

First, you're sending a certificate chain that includes your root. Don't send the root in the certificate chain. Only send the end entity (server) certificate and any intermediates required to build a chain to the trusted root. If there are no intermediates, then only send the end entity (server) certificate.

If I am reading your post correctly, that means:

-----BEGIN CERTIFICATE----- 
server cert (entrustcert.crt)
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
intermediate cert (L1Cchain.txt)
-----END CERTIFICATE----- 

---

Second, you need Curl to trust your root. I don't really use Curl, so I don't know how to pass in a single root to trust. Looking through the curl(1) man pages , it does not appear Curl allows you to specify a trust point. So curl is probably the wrong tool for the job.

Here's how you do it with OpenSSL's s_client (the CAfile option):

printf "GET / HTTP/1.0\r\n" | openssl s_client \
    -connect example.com:443 \
    -CAfile <root to trust>

The -CAfile will use one of the Entrust roots at Entrust Root Certificates - SSL . But I don't know which one since you're not sharing a URL or domain.

You can drop the printf if you want, and just use openssl s_client . But s_client won't finish until the socket is closed (or CTRL C is pressed).

With an OpenSSL s_client trace, you will be able to determine the intermediates required to build the chain, too. For an example of interpreting s_client results, see s_client verify certificate failed, but browser accept and Can't verify CA certificate unless CApath or CAfile used .

---

Third, the -k option is a client side key option. I don't believe you need it since you are not sending a client certificate. But I don't believe this is part of your problem, either.

---

I have entrust SSL certificate.

Finally, you can get free Class 1 certificates from Startcom . They are trusted by default in most desktop and mobile browsers.

While Startcom issues the certificates for free, they do charge for revocation because that's what costs money. Others charge for the revocation up front and pocket the money if not needed.