有多少 HTTPS 证书具有 google reCaptcha 端点? 我在哪里可以下载它们?
[英]How many HTTPS certificates have the google reCaptcha endpoint? And where can I download them?
问题描述
We have a Java web application that implements reCaptcha validation against URL https://www.google.com/recaptcha/api/siteverify in a microservice in Docker. This has been working for almost 2 years, but this Tuesday 8/06/2021, the app started throwing this exception:
我们有一个 Java web 应用程序,它在 Docker 的微服务中实现了针对 URL https://www.google.com/recaptcha/api/siteverify的 reCaptcha 验证。这已经工作了将近 2 年,但这个周二 8212/06 ,应用程序开始抛出此异常:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1340)
... 89 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 95 common frames omitted
We find that the certificate that we have in Java 11 was one of GlobalSign but with name ending in "R2":我们发现我们在 Java 11 中拥有的证书是 GlobalSign 之一,但名称以“R2”结尾:
Certificate R2 in truststore信任库中的证书 R2
However, in some cases the same Google endpoint returns one with name ending in "R1":但是,在某些情况下,同一个 Google 端点会返回一个名称以“R1”结尾的端点:
Certificate R1 not in Truststore证书 R1 不在信任库中
After we add this certificate R1, the app started to work fine, but is it normal that the same endpoint returns two different certificates?添加此证书 R1 后,应用程序开始正常运行,但同一个端点返回两个不同的证书是否正常? And how can I obtain or add all the possible certificates in my truststore?我如何在我的信任库中获取或添加所有可能的证书? Is there a pool of certificates that we need to add?是否有我们需要添加的证书池?
2 个解决方案
解决方案1
0 2021-06-16 09:05:00
Not an answer (yet?) to the real problem, only to "is it normal", but also much too long for comments.不是真正问题的答案(还没有?),只是“这是否正常”,但评论也太长了。
It is possible for one SSL/TLS server to have more than one certificate, and provide different ones on connection requests, although it would be odd to so for the same domainname;一台 SSL/TLS 服务器可能拥有多个证书,并在连接请求时提供不同的证书,尽管对于相同的域名这样做会很奇怪; this is more common on servers that support multiple domains -- either for different parts or services of one entity, or a CDN or frontend like Cloudflare or Fastly(.) that handles connections for multiple entities, However, in the specific case of www.google.com that is not a single server but hundreds or thousands, all over the world, and it is quite possible that different servers have different certificates, either intentionally (perhaps for testing) or because they are making a change which does not happen instantly everywhere.这在支持多个域的服务器上更为常见——无论是针对一个实体的不同部分或服务,还是针对处理多个实体的连接的 CDN 或前端(如 Cloudflare 或 Fastly(.)),但是,在www.google.com不是单个服务器,而是遍布世界各地的数百或数千个服务器,并且很可能不同的服务器具有不同的证书,或者是故意的(也许是为了测试)或者因为他们正在做出改变而不会立即发生到处。
According to my notes recently www.google.com as accessed from my location was using certs under GTS CA 1O1 with this intermediate cert under GlobalSign Root CA - R2 as shown in your first image.根据我最近的笔记,从我的位置访问的www.google.com使用GTS CA 1O1下的证书和GlobalSign Root CA - R2下的中间证书,如您的第一张图片所示。 Note that intermediate cert expires in 6 months, as does the root it is under, which is a good reason to stop using it.请注意,中间证书在 6 个月后到期,它所在的根目录也是如此,这是停止使用它的一个很好的理由。 ( https://crt.sh/?caid=10 does show two 'cross' certs for R2 under GlobalSign Root CA (see below) with longer expiration, but they are both revoked.) ( https://crt.sh/?caid=10确实显示了GlobalSign Root CA (见下文)下R2的两个“交叉”证书,有效期更长,但它们都被撤销了。)
As of today I get a cert under GTS CA 1C3 under GTS Root R1 -- so far like your second figure -- but then crossed under GlobalSign Root CA WITHOUT R1 .截至今天,我在GTS Root R1下获得了GTS CA 1C3下的证书——到目前为止,就像你的第二个数字一样——但随后在没有R1的GlobalSign Root CA下越过了。 Specifically I get this intermediate cert for GTS CA 1C3 and this cross cert for GTS Root R1 , which are valid until 2027 and 2028 and appear here on the GTS website as GTS CA 1C3 and GTS Root R1 Cross respectively.具体来说,我获得了GTS CA 1C3的中间证书和GTS Root R1的交叉证书,有效期至 2027 年和 2028 年,并在 GTS 网站上分别显示为GTS CA 1C3和GTS Root R1 Cross 。 And this cert for that GlobalSign root -- which in effect is R1, since the other currently known GlobalSign roots are R2-6, but is not named R1 -- has been in at least Java and Mozilla/Firefox truststores for long time;这个 GlobalSign 根的证书——实际上是R1,因为其他当前已知的 GlobalSign 根是 R2-6,但没有命名为R1——至少在 Java 和 Mozilla/Firefox 信任库中已经存在很长时间了; I can't easily check history on others.我不能轻易检查别人的历史。crt.sh doesn't know of ANY cert named with R1 .crt.sh 不知道以 R1 命名的任何证书。 I'd note that Firefox does have in its truststore a root cert for GTS Root R1 (and also R2-R4) which means it could shorten the chain, but doesn't;我注意到 Firefox 在其信任库中确实有GTS Root R1 (以及 R2-R4)的根证书,这意味着它可以缩短链,但不会; AFAICS no Java has any of these GTS roots. AFAICS 编号 Java 具有这些 GTS 根中的任何一个。
Moreover the leaf certs I get have both CommonName and SubjectAltName www.google.com NOT *.google.com .此外,我获得的叶子证书同时具有 CommonName 和 SubjectAltName www.google.com NOT *.google.com 。 This pretty much confirms you are getting a different server than I am.这几乎证实了您获得的服务器与我不同。
It might help if you can extract the "GlobalSign R1" cert you apparently have in some truststore, and post it to be looked at or searched for, and the rest of the chain which you can get with keytool -printcert -rfc -sslserver www.google.com and/or if you can identify which google address(es?) you are getting this cert chain from so others (like me) can try it -- although even one address might anycast to multiple physical servers.如果您可以提取您在某些信任库中显然拥有的“GlobalSign R1”证书,并将其发布以供查看或搜索,以及您可以使用keytool -printcert -rfc -sslserver www.google.com获得的链的 rest,这可能会有所帮助keytool -printcert -rfc -sslserver www.google.com和/或如果您可以确定您从哪个谷歌地址(es?)获得此证书链,以便其他人(如我)可以尝试它 - 尽管即使一个地址也可能选播到多个物理服务器。
解决方案2
0 2022-04-28 22:42:50
You can refer to Google's PKI Repository which lists 5 CAs.您可以参考Google 的 PKI Repository ,其中列出了 5 个 CA。
As per the FAQ , they actually list 36 different CAs in the roots.pem file (as of 28th April, 2022).根据常见问题解答,他们实际上在 roots.pem 文件中列出了 36 个不同的 CA(截至 2022 年 4 月 28 日)。
Ideally you will need to add all those CAs to your trust store to cover all bases.理想情况下,您需要将所有这些 CA 添加到您的信任库中以涵盖所有基础。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.