linux - AppEngine SSL fails from the command line

Tags: linux google-app-engine ubuntu ssl openssl

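I loaded a RapidSSL/GeoTrust certificate into my AppEngine application. The site loads perfectly over SSL in the browser.

However, when I verify the certificate from the command line (Ubuntu 13.04), it fails. This is a general SSL failure, so all my Python requests fail too ("urllib3" fails, which causes "requests" to fail):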

$ openssl s_client -connect www.XYZ.com:443 
CONNECTED(00000003)
3073689800:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

I use the certificate for one of its AS's on another server running NGINX, and it verifies with no problem at all:

$ openssl s_client -connect XYZ.com:443 
CONNECTED(00000003)
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=gQpQo/GwZhs9/JqYi8P8DsQNFmVC5VQB/OU=GT09052054/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=www.XYZ.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFRjCCBC6gAwIBAgIDDOW3MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
<truncated>
S6YumLnJrUVoCA==
-----END CERTIFICATE-----
subject=/serialNumber=gQpQo/GwZhs9/JqYi8P8DsQNFmVC5VQB/OU=GT09052054/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=www.XYZ.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3023 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: A69E838824AF4F74228A82105A74D708A63CB5FDE042A04072A937A9A25DC1C7
    Session-ID-ctx: 
    Master-Key: 35EACC6FCFA5F901AA355C0379289EE33FEB77334A95EC45A4A9D7CD22E4C944C76F998C2D9AAAF635FD88D02CDB7B08
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5f 78 c7 0c da f1 7b ee-52 7a 4d 36 c0 28 b0 d7   _x....{.RzM6.(..
    <truncated>
    0090 - 5e fc 2c 37 d4 6f 20 0b-a6 aa 62 f4 df 90 1e 18   ^.,7.o ...b.....

    Start Time: 1374291906
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    ---

The site isn't finished yet, so I can't share the domain.

I would appreciate any insight.

Dustin

Best answer

Are you using SNI or VIP? If you are using SNI, you need to use -servername with openssl.

Regarding "linux - AppEngine SSL fails from the command line", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/17758488/
