堆栈内存溢出
  简体   繁体   English

SSL 证书配置错误

[英]SSL cert misconfigured

 原文  2020-01-07 08:20:10       php/ apache/ ssl/ ssl-certificate

问题描述

Basically facebook scraper ( https://developers.facebook.com/tools/debug/og/object/ ) tells that:基本上facebook刮板( https://developers.facebook.com/tools/debug/og/object/ )告诉:

Curl Error : SSL_CACERT SSL certificate problem: unable to get local issuer certificate

Tested my site's url here: https://whatsmychaincert.com/?mysite.com在这里测试了我网站的网址: https : //whatsmychaincert.com/?mysite.com

and this tells: my site is misconfigured.这说明:我的网站配置错误。 This is the chain it should be using.这是它应该使用的链。

I'm scared to download the chain file from this site as I guess I already have it all from GoDaddy .我害怕从这个站点下载链文件,因为我想我已经从GoDaddy那里得到了它。

Coming back to my facebook scraper problem.回到我的 facebook刮板问题。 I did google search and found that the Curl error is due to PHP version.我做了谷歌搜索,发现 Curl 错误是由于 PHP 版本造成的。 As I checked, I have latest PHP running.当我检查时,我正在运行最新的 PHP。 But I still downloaded cacert.pem from official site and added in the same folder where my ssl certs reside(/etc/ssl/certs).但我仍然从官方网站下载了 cacert.pem 并添加到我的 ssl 证书所在的同一文件夹中(/etc/ssl/certs)。 Then edited php.ini located /opt/bitnami/php/etc .然后编辑位于/opt/bitnami/php/etc 的php.ini 。

so it reads:所以它写道:

 curl.cainfo ="/etc/ssl/certs/cacert.pem"

Restarted apache still the issue persisted.重启apache问题依旧。 So I focused on fixing the SSL cert issue.所以我专注于修复 SSL 证书问题。

This is how my default-ssl.conf looks like:这是我的 default-ssl.conf 的样子:

SSLCertificateFile  /etc/ssl/certs/a639a4be86615af.crt
SSLCertificateKeyFile /etc/ssl/certs/mysite.key

SSLCertificateChainFile /etc/ssl/certs/mysite.com.chain.crt (downloaded from https://whatsmychaincert.com/)

SSLCACertificateFile /etc/ssl/certs/a639a4be86615af.pem

Bytheway my site shows https connection.顺便说一下,我的网站显示 https 连接。 But in Firefox I dont see any images loaded.但在 Firefox 中,我没有看到加载任何图像。 Could that related to the (unable to get local issuer certificate)这可能与(无法获得本地发行人证书)有关

What's wrong with my configuration?我的配置有什么问题? How do I fix it?我如何解决它?

EDIT: I'm using wordpress bitnami set.So I edited two paths for the ssl config.编辑:我正在使用 wordpress bitnami set.So 我为 ssl 配置编辑了两个路径。 /etc/apache2/sites-available/default-ssl.conf and /opt/bitnami/apache2/conf/extra/httpd-ssl.conf /etc/apache2/sites-available/default-ssl.conf/opt/bitnami/apache2/conf/extra/httpd-ssl.conf

My latest SSL config file:我最新的 SSL 配置文件:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin hello@mysite.com
        ServerName mysite.com

        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLCertificateFile      /etc/ssl/certs/b8ad60af28cd1745.crt
        SSLCertificateKeyFile /etc/ssl/private/mysite.key
        SSLCertificateChainFile /etc/ssl/certs/b8ad60af28cd1745.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
              SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
              SSLOptions +StdEnvVars
        </Directory>

    </VirtualHost>
</IfModule>

1 个解决方案

解决方案1
 2 已采纳  2020-01-07 15:33:54

Unlike browsers PHP Curl doesn't reconstruct the certificate tree from other sources.与浏览器不同,PHP Curl 不会从其他来源重建证书树。 So if your cert tree is incomplete, CURL cannot verify your site certificate.因此,如果您的证书树不完整,CURL 将无法验证您的站点证书。

Your VirtualHost configuration should have following:您的 VirtualHost 配置应具有以下内容:

  • SSLCertificateFile - your site certificate SSLCertificateFile - 您的站点证书
  • SSLCertificateKeyFile - key for the CertificateFile SSLCertificateKeyFile - CertificateFile 的密钥
  • SSLCertificateChainFile - file containing all intermediate certificates from leaf to root (so curl can connect your certificate to the one in /etc/ssl/certs/cacert.pem ) SSLCertificateChainFile - 包含从叶子到根的所有中间证书的文件(因此 curl 可以将您的证书连接到/etc/ssl/certs/cacert.pem证书)

Since 2.4.8 you can put all certificates from leaf to root into SSLCertificateFile ( https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile )从 2.4.8 开始,您可以将所有证书从叶到根放入 SSLCertificateFile ( https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile )

You can test your SSL configuration using https://www.ssllabs.com/ssltest/index.html which also reports incomplete certificate tree.您可以使用https://www.ssllabs.com/ssltest/index.html测试您的 SSL 配置,它也会报告不完整的证书树。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 PHP 丢失 - SSL 证书 - Subdreamer - PHP missing - SSL cert - Subdreamer 在PHP中使用ssl cert时出错 - Error using ssl cert with PHP PHP CURL和SSL证书(或证书链) - PHP CURL and SSL certificate (or cert chain) 需要SSL证书才能连接到安全的Web服务 - Need SSL Cert for connecting to secure web service cURL错误-Laravel + Mailgun的SSL证书 - cURL error - SSL cert with Laravel + Mailgun WordPress-SSL CA证书(路径?访问权限?) - Wordpress - SSL CA cert (path? access rights?) 验证CA证书是否正常(Localhost上的SSL错误) - Verify that the CA cert is OK (SSL Error on Localhost) 证书x509 Laravel身份验证SSL - cert x509 Laravel auth SSL cURL是否由于SSL证书拒绝而失败? - cURL Failing Due To SSL Cert Rejection? 通过SSL的php SOAP调用-如何在请求中将证书,密钥和CA证书卡在一起? - php SOAP call over SSL - How do I jam a cert, key, and CA cert together in the request?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM