apache - openssl s_client -connect www.verisign.com:443 错误无法获取本地颁发者证书
雷雷
怪我咯2017-05-16 17:05:54
把 Server certificate这一部分拷贝出来,就是
-----BEGIN CERTIFICATE-----
MIIG0jCCBbqgAwIBAgIQRHT74McgkNIJ4CcjNXxCZzANBgkqhkiG9w0BAQUFADCB
vjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE4MDYGA1UEAxMv
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBTR0MgQ0Ew
HhcNMTQwMTE2MDAwMDAwWhcNMTYwMTE2MjM1OTU5WjCCASYxEzARBgsrBgEEAYI3
PAIBAxMCVVMxGTAXBgsrBgEEAYI3PAIBAhMIRGVsYXdhcmUxHTAbBgNVBA8TFFBy
aXZhdGUgT3JnYW5pemF0aW9uMRAwDgYDVQQFEwcyMTU4MTEzMQswCQYDVQQGEwJV
UzEOMAwGA1UEERQFOTQwNDMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcU
DU1vdW50YWluIFZpZXcxGTAXBgNVBAkUEDM1MCBFbGxpcyBTdHJlZXQxHTAbBgNV
BAoUFFN5bWFudGVjIENvcnBvcmF0aW9uMSQwIgYDVQQLFBtJbmZyYXN0cnVjdHVy
ZSBPcGVyYXRpb25zICAxGTAXBgNVBAMUEHd3dy52ZXJpc2lnbi5jb20wggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCrG90iUEhTlnwtoAfqXUHUPBQo3JEK
BWEewf8/71RFR0O6J5mxF88ODxs/HRGK1wrd8WClqnhMBsvITNB9m+escDpBWpwG
NZp4TaYW9HxxtZ7heaeJjso8M/k3NHdXuFsuPw5L8xxOv9aI0H87LMmImenLxCRm
pJQNAKe+jfNTqpuK1tUEYdLzR0n4u76ZDcGSYSplbCjLcamLTHAhijQQWiUgWC0f
Unm4z2zyzT4QwzXIfuf7BCSLfCGY3/KuKO4vybtiUg6ALqMW3JjA149r6DHjIkib
wq2wJhFnspm74y0wJq3GE5avUyUrz8XoXexSJPTRuz6jyVayEXeDZvcJAgMBAAGj
ggJfMIICWzCB1QYDVR0RBIHNMIHKghB3d3cudmVyaXNpZ24uY29tggx2ZXJpc2ln
bi5jb22CEHd3dy52ZXJpc2lnbi5uZXSCDHZlcmlzaWduLm5ldIIRd3d3LnZlcmlz
aWduLm1vYmmCDXZlcmlzaWduLm1vYmmCD3d3dy52ZXJpc2lnbi5ldYILdmVyaXNp
Z24uZXWCFWZvcm1zLndzLnN5bWFudGVjLmNvbYINc3NscmV2aWV3LmNvbYIRd3d3
LnNzbHJldmlldy5jb22CD3d3dy5zeW1hdXRoLmNvbTAJBgNVHRMEAjAAMA4GA1Ud
DwEB/wQEAwIFoDAoBgNVHSUEITAfBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG
+EIEATBEBgNVHSAEPTA7MDkGC2CGSAGG+EUBBxcGMCowKAYIKwYBBQUHAgEWHGh0
dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMwHQYDVR0OBBYEFFhbQy8r9duhEyHt
180crp3UFY8gMB8GA1UdIwQYMBaAFE5DyB127zdTek/yWG+U8zji1b3fMD4GA1Ud
HwQ3MDUwM6AxoC+GLWh0dHA6Ly9FVkludGwtY3JsLnZlcmlzaWduLmNvbS9FVklu
dGwyMDA2LmNybDB2BggrBgEFBQcBAQRqMGgwKwYIKwYBBQUHMAGGH2h0dHA6Ly9F
VkludGwtb2NzcC52ZXJpc2lnbi5jb20wOQYIKwYBBQUHMAKGLWh0dHA6Ly9FVklu
dGwtYWlhLnZlcmlzaWduLmNvbS9FVkludGwyMDA2LmNlcjANBgkqhkiG9w0BAQUF
AAOCAQEAPSZt7qa0z7AbV78LQ20T2c587Pb389khyLLyxQSx/nKqtYIs0sH9qvsd
rqEk3ThUYbTfI4Owh0a87uCCpBTPf/1c1581waHoId7VibSq3IwR71RPhSJu9zmL
J/GSjs/NWcVgbpUI7JRQlyqffVmMn3w3La/NZBSXspFSMzmDG0G+hUZJJYPabrfi
nsedFav2e5BihDgGISbMhxeXGuSsQYLbOF8B9JPUwgBnDCO6IgKGeww+Zb3Uh1FB
mCydpZlP4Qn8tkaegGMXtlv4rzdt7wtKpELSbhotQHlWr06hD9XUlh7UOBvShhM7
UDhMFUQ0HjLf/9A11pb71CRaoHfFbQ==
-----END CERTIFICATE-----
存成CA.cert
openssl s_client -CAfile CA.cert -connect www.verisign.com:443
伊谢尔伦2017-05-16 17:05:54
<VirtualHost _default_:443>
SSLProxyEngine on
SSLEngine on
#SSLSessionCacheTimeout 2100
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/common/server.crt
SSLCertificateKeyFile /etc/httpd/common/server.key
SSLCertificateChainFile /etc/httpd/common/server_intermediate.pem
Include conf/conf/xxx.conf
</VirtualHost>
这是我在apache上面的配置文件, 浏览器已经认可了证书, 但是用openssl验证的时候
CONNECTED(00000003)
depth=0 ....................
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 ........................
verify error:num=27:certificate not trusted
verify return:1
depth=0 ....................
verify error:num=21:unable to verify the first certificate
verify return:1
Verify return code: 21 (unable to verify the first certificate)
漂亮男人2017-05-16 17:05:54
openssl s_client -connect www.verisign.com:443 -CApath /etc/ca-certificates
先弄明白 SSL/TLS 的具体过程,再看 man s_client。