apache - SSL 证书不可信任 (COMODO)

Question

我正在让服务器为 PCI DSS 做好准备。除了我无法解决的问题外，没有其他问题。 PCI 扫描器 ( https://www.hackerguardian.com/ )，说 SSL 证书不可信:

SSL Certificate Cannot Be Trusted 443 / tcp / www

我已从链中删除所有其他证书，只留下一个专为该服务器购买的证书。它由 COMODO 签署，被认为是值得信赖的。这是证书转储:

openssl x509 -in /usr/local/psa/var/certificates/cert-f1nb7M -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e6:3c:e1:95:56:07:3c:f7:4c:5e:b3:bd:06:6d:37:f0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Extended Validation Secure Server CA
        Validity
            Not Before: Nov 17 00:00:00 2015 GMT
            Not After : Dec  3 23:59:59 2017 GMT
        Subject: serialNumber=04045342/1.3.6.1.4.1.311.60.2.1.3=GB/businessCategory=Private Organization, C=GB/postalCode=BN27 2BY,
            ST=East Sussex, L=Hailsham/street=Station Road/street=Unit 10 Swan Business Centre, O=Fuss 3 Solutions Ltd,
            OU=COMODO EV SSL, CN=www.fuss3inkandtoner.co.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                ...................
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
            keyid:39:DA:FF:CA:28:14:8A:A8:74:13:08:B9:E4:0E:A9:D2:FA:7E:9D:69

            X509v3 Subject Key Identifier:
                D1:C0:72:40:F1:A4:47:A6:FF:32:C4:56:6F:EF:F5:1E:40:6A:72:DC
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.6449.1.2.1.5.1
                  CPS: https://secure.comodo.com/CPS

            X509v3 CRL Distribution Points:

                Full Name:
              URI:http://crl.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crl

            Authority Information Access:
                CA Issuers - URI:http://crt.comodoca.com/COMODORSAExtendedValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name:
                DNS:www.fuss3inkandtoner.co.uk, DNS:fuss3inkandtoner.co.uk
            1.3.6.1.4.1.11129.2.4.2:
            ............
    Signature Algorithm: sha256WithRSAEncryption
         ...............

证书是真实的，没有过期且域名匹配。我尝试过其他在线诊断工具，如 https://www.ssllabs.com/ssltest/analyze.html?d=fuss3inkandtoner.co.uk每个人都说证书很好。除了 hackersguardian.com，我需要通过 PCI 合规性。

我不是系统管理员，此证书是由其他人安装的(我认为是托管支持的系统管理员)。我需要你的建议来解决这个问题。提前谢谢你。

Answer 1

这是误报。当来自 COMODO (hackerguardian.com) 的安全扫描器报告 COMODO (!) 颁发的错误证书时，这是一件非常奇怪的事情。