NET::ERR_CERT_AUTHORITY_INVALID with a Letsencrypt certificate

Problem

My Chrome browser, Version 92.0.4515.159 (Official Build) (64-bit), says NET::ERR_CERT_AUTHORITY_INVALID when requesting the page https://www.europasprak.com/.

The page https://incomplete-chain.badssl.com/ says:

incomplete-chain.badssl.com

The SSL Check at https://www.sslshopper.com/ssl-checker.html#hostname=europasprak.com:443 shows:

europasprak.com resolves to 51.178.39.8     
Server Type: Apache/2.4.46 (Unix) OpenSSL/1.1.1j PHP/7.3.9  
The certificate will expire in 89 days. Remind me   
The hostname (europasprak.com) is correctly listed in the certificate.  
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

I just created the certificate:

sudo certbot certonly --webroot -w /home/europasprak/dev/learnintouch/www.europasprak -d europasprak.com -d www.europasprak.com \
  -m example@example.com --agree-tos --staging

It gave me the certificate files.

I can see that it is not due for renewal:

sudo certbot certonly --webroot -w /home/europasprak/dev/learnintouch/www.europasprak -d europasprak.com -d www.europasprak.com --dry-run

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert not due for renewal, but simulating renewal for dry run
Simulating renewal of an existing certificate for europasprak.com and www.europasprak.com
Performing the following challenges:
http-01 challenge for europasprak.com
http-01 challenge for www.europasprak.com
Using the webroot path /home/europasprak/dev/learnintouch/www.europasprak for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - The dry run was successful.

certbot version:

sudo certbot --version
certbot 1.12.0

Here is my Apache configuration in the apache/conf/extra/httpd-ssl.conf file:

<VirtualHost _default_:443>
ServerName www.europasprak.com:443
ServerAdmin example@example.se
ErrorLog "/home/europasprak/programs/install/apache/logs/error_log"
TransferLog "/home/europasprak/programs/install/apache/logs/access_log"
SSLEngine on
SSLCertificateFile "/etc/letsencrypt/live/europasprak.com/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/europasprak.com/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/europasprak.com/fullchain.pem"

Here is my Apache configuration in the apache/conf/extra/httpd-vhosts.conf file:

<VirtualHost *:443>
  ServerName www.europasprak.com
  ServerAlias europasprak.com
  DocumentRoot /home/europasprak/dev/learnintouch/www.europasprak
  CustomLog /home/europasprak/programs/install/logs/learnintouch-access_log combined
  <Directory "/home/europasprak/dev/learnintouch/www.europasprak">
    Include /home/europasprak/dev/learnintouch/engine/setup/url_rewrite.conf
    AllowOverride All
    Require all granted
  </Directory>
  AddDefaultCharset UTF-8
  SSLEngine on
  SSLCertificateFile "/etc/letsencrypt/live/europasprak.com/cert.pem"
  SSLCertificateKeyFile "/etc/letsencrypt/live/europasprak.com/privkey.pem"
  SSLCertificateChainFile "/etc/letsencrypt/live/europasprak.com/fullchain.pem"
</VirtualHost>

Some additional commands show:

13:12 $ curl -v https://incomplete-chain.badssl.com
*   Trying 104.154.89.105:443...
* TCP_NODELAY set
* Connected to incomplete-chain.badssl.com (104.154.89.105) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

stephane@stephane-pc:~$ openssl s_client -connect incomplete-chain.badssl.com:443 -servername incomplete-chain.badssl.com
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com
   i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
---
Server certificate
subject=C = US, ST = California, L = Walnut Creek, O = Lucas Garron Torres, CN = *.badssl.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2414 bytes and written 445 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 6D14962A68C1190A92BF35C87CBBD88EFF179361453CB59CA14F318BB3A84CCE
    Session-ID-ctx: 
    Master-Key: C1A08B4ED09A6E57535700BE20EF728A5DFA768733A6D122C83C0136F50B8B0CEC766F1B6A658A63AC4D61C2C2B05149
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1630235514
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
---

read:errno=0

openssl x509 -in  -noout -issuer
Can't open -noout for reading, No such file or directory
140596603377024:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('-noout','r')
140596603377024:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
unable to load certificate

openssl x509 -in cert.pem -noout -issuer
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3

I finally did some checks on the certificate files:

europasprak@vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl x509 -in cert.pem -noout -issuer
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3

europasprak@vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl x509 -in chain.pem -noout -subject
subject=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3

europasprak@vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl verify -untrusted chain.pem
(This command hangs indefinitely)

europasprak@vps-3506b083:/etc/letsencrypt/live/europasprak.com$ openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout
subject=CN = europasprak.com
issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
subject=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
issuer=C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
subject=C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Pretend Pear X1
issuer=C = US, O = (STAGING) Internet Security Research Group, CN = (STAGING) Doctored Durian Root CA X3

Tags: apache, ssl-certificate, lets-encrypt

Solution


Looking at your certificate, the Common Name (CN) and the Organization (O) are both wrong, since they both say Staging; they should say R3 and Let's Encrypt. The certificate was created with --staging specified. Use the following command to generate the certificate.

sudo certbot --apache -d your_domain -d www.your_domain
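As an added example (not part of the question or the answer), the following shell checker reproduces the diagnosis above on any PEM bundle such as the question's fullchain.pem: it splits the bundle, prints subject and issuer per certificate, checks that each certificate is issued by the next one, flags "(STAGING)" issuers, and verifies the leaf against a CA bundle with the leaf file given explicitly (with no certificate argument, as in the question, openssl verify reads a certificate from stdin, which is why that command appeared to hang). The default trust-store path /etc/ssl/certs/ca-certificates.crt is an assumption taken from the curl output in the question.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Usage: sh check_chain.sh [fullchain.pem] [ca-bundle.pem]
# Splits a PEM bundle, prints subject/issuer per certificate, checks that each
# certificate is issued by the next one, flags Let's Encrypt "(STAGING)" issuers
# (which no browser trusts), and verifies the leaf against a CA bundle.

# check_chain FULLCHAIN CAFILE: returns 0 only if the chain is contiguous,
# no "(STAGING)" issuer is present, and the leaf verifies against CAFILE.
check_chain() {
    fullchain=$1; cafile=$2; status=0; prev_issuer=""
    workdir=$(mktemp -d) || return 2
    # One file per certificate, in bundle order: cert-00.pem is the leaf.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%02d.pem", dir, n++) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$fullchain"
    for c in "$workdir"/cert-*.pem; do
        subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
        printf '%s\n  subject: %s\n  issuer:  %s\n' "$(basename "$c")" "$subject" "$issuer"
        # Every certificate after the leaf must be the issuer of the one before it.
        if [ -n "$prev_issuer" ] && [ "$subject" != "$prev_issuer" ]; then
            echo "  !! chain break: expected subject '$prev_issuer'"; status=1
        fi
        case "$issuer" in
            *"(STAGING)"*) echo "  !! issued by a STAGING CA: browsers will not trust it"; status=1 ;;
        esac
        prev_issuer=$issuer
    done
    # Verify the leaf, passing the rest of the bundle as untrusted intermediates.
    # The leaf file must be named explicitly: with no file argument, openssl
    # verify reads a certificate from stdin and looks like it hangs.
    untrusted="$workdir/intermediates.pem"
    cat "$workdir"/cert-0[1-9].pem > "$untrusted" 2>/dev/null || : > "$untrusted"
    if [ -s "$untrusted" ]; then set -- -untrusted "$untrusted"; else set --; fi
    if openssl verify -CAfile "$cafile" "$@" "$workdir/cert-00.pem" >/dev/null 2>&1; then
        echo "leaf verifies against $cafile"
    else
        echo "  !! leaf does NOT verify against $cafile"; status=1
    fi
    rm -rf "$workdir"
    return $status
}

# Defaults: the live path from the question; the CA bundle path is an assumption.
if [ $# -ge 1 ]; then
    check_chain "$1" "${2:-/etc/ssl/certs/ca-certificates.crt}"
fi
```

Run it as `sh check_chain.sh /etc/letsencrypt/live/europasprak.com/fullchain.pem`; a non-zero exit means the served chain would not be accepted by a browser using the given trust store.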
