linux – Nginx and client certificates from an OpenSSL-based hierarchical certificate authority

I am trying to set up a root certificate authority and a subordinate certificate authority, and to generate client certificates signed by either of these CAs that are accepted by Nginx 0.7.67 on Debian Squeeze. My problem is that a client certificate signed by the root CA works fine, while one signed by the subordinate CA results in "400 Bad Request. The SSL certificate error".

Step 1: Nginx virtual host configuration:

    server {
        server_name test.local;

        access_log /var/log/nginx/test.access.log;

        listen 443 default ssl;
        keepalive_timeout 70;

        ssl_protocols SSLv3 TLSv1;
        ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_certificate /etc/nginx/ssl/server.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;
        # CA bundle used to verify the certificates presented by clients
        ssl_client_certificate /etc/nginx/ssl/client.pem;
        ssl_verify_client on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;

        location / {
            proxy_pass http://testsite.local/;
        }
    }

Step 2: PKI directory layout for the root and subordinate CAs (based on this article):

    # mkdir ~/pki && cd ~/pki
    # mkdir rootCA subCA
    # cp -v /etc/ssl/openssl.cnf rootCA/
    # cd rootCA/
    # mkdir certs private crl newcerts; touch serial; echo 01 > serial; touch index.txt; touch crlnumber; echo 01 > crlnumber
    # cp -Rvp * ../subCA/

rootCA/openssl.cnf is almost unchanged:

    [ CA_default ]

    dir = .                            # Where everything is kept
    ...
    certificate = $dir/certs/rootca.crt    # The CA certificate
    ...
    private_key = $dir/private/rootca.key  # The private key

and subCA/openssl.cnf:

    [ CA_default ]

    dir = .                            # Where everything is kept
    ...
    certificate = $dir/certs/subca.crt     # The CA certificate
    ...
    private_key = $dir/private/subca.key   # The private key

Step 3: Self-signed root CA certificate generation

    # openssl genrsa -out ./private/rootca.key -des3 2048
    # openssl req -x509 -new -key ./private/rootca.key -out certs/rootca.crt -config openssl.cnf
    Enter pass phrase for ./private/rootca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:rootca
    Email Address []:

Step 4: Subordinate CA certificate request generation

    # cd ../subCA
    # openssl genrsa -out ./private/subca.key -des3 2048
    # openssl req -new -key ./private/subca.key -out subca.csr -config openssl.cnf
    Enter pass phrase for ./private/subca.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:subca
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Step 5: Signing the subordinate CA certificate with the root CA:

    # cd ../rootCA/
    # openssl ca -in ../subCA/subca.csr -extensions v3_ca -config openssl.cnf
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/rootca.key:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Feb  4 10:49:43 2013 GMT
                Not After : Feb  4 10:49:43 2014 GMT
            Subject:
                countryName               = AU
                stateOrProvinceName       = Some-State
                organizationName          = Internet Widgits Pty Ltd
                commonName                = subca
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    C9:E2:AC:31:53:81:86:3F:CD:F8:3D:47:10:FC:E5:8E:C2:DA:A9:20
                X509v3 Authority Key Identifier:
                    keyid:E9:50:E6:BF:57:03:EA:6E:8F:21:23:86:BB:44:3D:9F:8F:4A:8B:F2
                    DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
                    serial:9F:FB:56:66:8D:D3:8F:11

                X509v3 Basic Constraints:
                    CA:TRUE
    Certificate is to be certified until Feb  4 10:49:43 2014 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    ...
    # cd ../subCA/
    # cp -v ../rootCA/newcerts/01.pem certs/subca.crt

Step 6: Server certificate (for the Nginx virtual host) generation and signing by the root CA:

    # cd ../rootCA
    # openssl genrsa -out ./private/server.key -des3 2048
    # openssl req -new -key ./private/server.key -out server.csr -config openssl.cnf
    Enter pass phrase for ./private/server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:test.local
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # openssl ca -in server.csr -out certs/server.crt -config openssl.cnf

Step 7: Client #1 certificate generation and signing by the root CA:

    # openssl genrsa -out ./private/client1.key -des3 2048
    # openssl req -new -key ./private/client1.key -out client1.csr -config openssl.cnf
    Enter pass phrase for ./private/client1.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:Client #1
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # openssl ca -in client1.csr -out certs/client1.crt -config openssl.cnf

Step 8: Converting the client #1 certificate to PKCS12 format:

    # openssl pkcs12 -export -out certs/client1.p12 -inkey private/client1.key -in certs/client1.crt -certfile certs/rootca.crt

Step 9: Client #2 certificate generation and signing by the subordinate CA:

    # cd ../subCA/
    # openssl genrsa -out ./private/client2.key -des3 2048
    # openssl req -new -key ./private/client2.key -out client2.csr -config openssl.cnf
    Enter pass phrase for ./private/client2.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value, If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:Client #2
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    # openssl ca -in client2.csr -out certs/client2.crt -config openssl.cnf

Step 10: Converting the client #2 certificate to PKCS12 format:

    # openssl pkcs12 -export -out certs/client2.p12 -inkey private/client2.key -in certs/client2.crt -certfile certs/subca.crt

Step 11: Handing the server certificate and private key to Nginx (run with OS superuser privileges):

    # cd ../rootCA/
    # cp -v certs/server.crt /etc/nginx/ssl/
    # cp -v private/server.key /etc/nginx/ssl/

Step 12: Handing the root CA and subordinate CA certificates to Nginx (run with OS superuser privileges):

    # cat certs/rootca.crt > /etc/nginx/ssl/client.pem
    # cat ../subCA/certs/subca.crt >> /etc/nginx/ssl/client.pem

The client.pem file looks like this:

    # cat /etc/nginx/ssl/client.pem
    -----BEGIN CERTIFICATE-----
    MIID6TCCAtGgAwIBAgIJAJ/7VmaN048RMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNV
    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
    aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMTBnJvb3RjYTAeFw0xMzAyMDQxMDM1NTda
    ...
    -----END CERTIFICATE-----
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
    ...
    -----BEGIN CERTIFICATE-----
    MIID4DCCAsigAwIBAgIBatanBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJBVTET
    MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
    dHkgTHRkMQ8wDQYDVQQDEwZyb290Y2EwHhcNMTMwMjA0MTA0OTQzWhcNMTQwMjA0
    ...
    -----END CERTIFICATE-----

Everything appears to work:

    # service nginx reload
    Reloading nginx configuration: Enter PEM pass phrase:
    nginx.
    #

Step 13: Installing the *.p12 certificates in the browser (Firefox in my case) gives the problem I mentioned above. Client #1 = 200 OK, Client #2 = 400 Bad Request / The SSL certificate error. Any ideas what I should do?

Update 1: Results of the SSL connection test attempts:

    # openssl s_client -connect test.local:443 -CAfile ~/pki/rootCA/certs/rootca.crt -cert ~/pki/rootCA/certs/client1.crt -key ~/pki/rootCA/private/client1.key -showcerts
    Enter pass phrase for tmp/testcert/client1.key:
    CONNECTED(00000003)
    depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootca
    verify return:1
    depth=0 C = AU, CN = test.local
    verify return:1
    ---
    Certificate chain
     0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.local
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
    -----BEGIN CERTIFICATE-----
    MIIDpjCCAo6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJBVTET
    MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
    dHkgTHRkMQ8wDQYDVQQDEwZyb290Y2EwHhcNMTMwMjA0MTEwNjAzWhcNMTQwMjA0
    ...
    -----END CERTIFICATE-----
     1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
    -----BEGIN CERTIFICATE-----
    MIID6TCCAtGgAwIBAgIJAJ/7VmaN048RMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNV
    BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
    aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMTBnJvb3RjYTAeFw0xMzAyMDQxMDM1NTda
    ...
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.local
    issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
    ---
    Acceptable client certificate CA names
    /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
    /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subca
    ---
    SSL handshake has read 3395 bytes and written 2779 bytes
    ---
    New, TLSv1/SSLv3, Cipher is AES256-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: zlib compression
    Expansion: zlib compression
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : AES256-SHA
        Session-ID: 15BFC2029691262542FAE95A48078305E76EEE7D586400F8C4F7C516B0F9D967
        Session-ID-ctx:
        Master-Key: 23246CF166E8F3900793F0A2561879E5DB07291F32E99591BA1CF53E6229491FEAE6858BFC9AACAF271D9C3706F139C7
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket:
        0000 - c2 5e 1d d2 b5 6d 40 23-b2 40 89 e4 35 75 70 07   .^...m@#.@..5up.
        0010 - 1b bb 2b e6 e0 b5 ab 10-10 bf 46 6e aa 67 7f 58   ..+.......Fn.g.X
        0020 - cf 0e 65 a4 67 5a 15 ba-aa 93 4e dd 3d 6e 73 4c   ..e.gZ....N.=nsL
        0030 - c5 56 f6 06 24 0f 48 e6-38 36 de f1 b5 31 c5 86   .V..$.H.86...1..
        ...
        0440 - 4c 53 39 e3 92 84 d2 d0-e5 e2 f5 8a 6a a8 86 b1   LS9.........j...

        Compression: 1 (zlib compression)
        Start Time: 1359989684
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---

With client #2 and the root CA certificate everything also seems fine, but the request returns a 400 Bad Request error:

    # openssl s_client -connect test.local:443 -CAfile ~/pki/rootCA/certs/rootca.crt -cert ~/pki/subCA/certs/client2.crt -key ~/pki/subCA/private/client2.key -showcerts
    Enter pass phrase for tmp/testcert/client2.key:
    CONNECTED(00000003)
    depth=1 C = AU, CN = test.local
    verify return:1
    ...
        Compression: 1 (zlib compression)
        Start Time: 1359989989
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    GET / HTTP/1.0

    HTTP/1.1 400 Bad Request
    Server: nginx/0.7.67
    Date: Mon, 04 Feb 2013 15:00:43 GMT
    Content-Type: text/html
    Content-Length: 231
    Connection: close

    <html>
    <head><title>400 The SSL certificate error</title></head>
    <body bgcolor="white">
    <center><h1>400 Bad Request</h1></center>
    <center>The SSL certificate error</center>
    <hr><center>nginx/0.7.67</center>
    </body>
    </html>
    closed

Verification of the client #2 certificate against the subordinate CA certificate fails:

    # openssl s_client -connect test.local:443 -CAfile ~/pki/subCA/certs/subca.crt -cert ~/pki/subCA/certs/client2.crt -key ~/pki/subCA/private/client2.key -showcerts
    Enter pass phrase for tmp/testcert/client2.key:
    CONNECTED(00000003)
    depth=1 C = AU, CN = rootca
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ...
        Compression: 1 (zlib compression)
        Start Time: 1359990354
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
    GET / HTTP/1.0

    HTTP/1.1 400 Bad Request
    ...

Concatenating the CA certificates and using client #2 still gives the 400 Bad Request error (but client #1 still works fine):

    # cat certs/rootca.crt ../subCA/certs/subca.crt > certs/concatenatedca.crt
    # openssl s_client -connect test.local:443 -CAfile ~/pki/rootCA/certs/concatenatedca.crt -cert ~/pki/subCA/certs/client2.crt -key ~/pki/subCA/private/client2.key -showcerts
    Enter pass phrase for tmp/testcert/client2.key:
    CONNECTED(00000003)
    depth=1 C = AU, CN = test.local
    verify return:1
    ---
    ...
        Compression: 1 (zlib compression)
        Start Time: 1359990772
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    GET / HTTP/1.0

    HTTP/1.1 400 Bad Request
    ...

Update 2: I have managed to recompile Nginx with debugging enabled. Here is the part of the trace for the successful client #1 connection:

    2013/02/05 14:08:23 [debug] 38701#0: *119 accept: <MY IP ADDRESS> fd:3
    2013/02/05 14:08:23 [debug] 38701#0: *119 event timer add: 3: 60000:2856497512
    2013/02/05 14:08:23 [debug] 38701#0: *119 kevent set event: 3: ft:-1 fl:0025
    2013/02/05 14:08:23 [debug] 38701#0: *119 malloc: 28805200:660
    2013/02/05 14:08:23 [debug] 38701#0: *119 malloc: 28834400:1024
    2013/02/05 14:08:23 [debug] 38701#0: *119 posix_memalign: 28860000:4096 @16
    2013/02/05 14:08:23 [debug] 38701#0: *119 http check ssl handshake
    2013/02/05 14:08:23 [debug] 38701#0: *119 https ssl handshake: 0x16
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL server name: "test.local"
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_do_handshake: -1
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_get_error: 2
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL handshake handler: 0
    2013/02/05 14:08:23 [debug] 38701#0: *119 verify:1, error:0, depth:1, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
    2013/02/05 14:08:23 [debug] 38701#0: *119 verify:1, depth:0, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Client #1", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_do_handshake: 1
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL: TLSv1, cipher: "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
    2013/02/05 14:08:23 [debug] 38701#0: *119 http process request line
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: -1
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_get_error: 2
    2013/02/05 14:08:23 [debug] 38701#0: *119 http process request line
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: 1
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: 524
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: -1
    2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_get_error: 2
    2013/02/05 14:08:23 [debug] 38701#0: *119 http request line: "GET / HTTP/1.1"

And here is the part of the trace for the unsuccessful client #2 connection:

    2013/02/05 13:51:34 [debug] 38701#0: *112 accept: <MY_IP_ADDRESS> fd:3
    2013/02/05 13:51:34 [debug] 38701#0: *112 event timer add: 3: 60000:2855488975
    2013/02/05 13:51:34 [debug] 38701#0: *112 kevent set event: 3: ft:-1 fl:0025
    2013/02/05 13:51:34 [debug] 38701#0: *112 malloc: 28805200:660
    2013/02/05 13:51:34 [debug] 38701#0: *112 malloc: 28834400:1024
    2013/02/05 13:51:34 [debug] 38701#0: *112 posix_memalign: 28860000:4096 @16
    2013/02/05 13:51:34 [debug] 38701#0: *112 http check ssl handshake
    2013/02/05 13:51:34 [debug] 38701#0: *112 https ssl handshake: 0x16
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL server name: "test.local"
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_do_handshake: -1
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_get_error: 2
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL handshake handler: 0
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_do_handshake: -1
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_get_error: 2
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL handshake handler: 0
    2013/02/05 13:51:34 [debug] 38701#0: *112 verify:0, error:20, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subca", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
    2013/02/05 13:51:34 [debug] 38701#0: *112 verify:0, error:27, issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
    2013/02/05 13:51:34 [debug] 38701#0: *112 verify:1, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Client #2", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subca"
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_do_handshake: 1
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL: TLSv1, cipher: "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
    2013/02/05 13:51:34 [debug] 38701#0: *112 http process request line
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_read: 1
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_read: 524
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_read: -1
    2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_get_error: 2
    2013/02/05 13:51:34 [debug] 38701#0: *112 http request line: "GET / HTTP/1.1"

So I get OpenSSL error #20 and then #27. According to the verify documentation:

    20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate

    the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.

    27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted

    the root CA is not marked as trusted for the specified purpose.

Solution

As far as I understand,

    ssl_verify_depth 2;

should do the trick. See http://nginx.org/r/ssl_verify_depth for details.
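The same two-tier hierarchy as an added, non-interactive reproduction (my script, not the original poster's commands; it replaces the `openssl ca` database setup above with `openssl x509 -req` and a small extensions file): it builds rootca, subca, Client #1 and Client #2, then runs `openssl verify` with the trust inputs the question tried, plus explicit depth limits to illustrate the answer. The scratch directory, the unencrypted keys, the CN values and the config section names are assumptions. The helper parses the verify output for the numbered error instead of trusting the exit status, because `openssl verify` in the 1.0.x series exits 0 even when verification fails.

```shell
#!/bin/sh
# Added example (not the original poster's commands): rebuild the page's two-tier
# CA non-interactively and show which trust inputs let the sub-CA-signed client
# certificate verify. Directory, file names, CNs and config sections are assumptions.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }

PKI=${PKI:-$(mktemp -d)}      # assumed scratch directory
cd "$PKI"

# Minimal openssl config: the DN comes from -subj, the sections hold the extensions.
cat > pki.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ client_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# new_key_and_csr NAME CN: unencrypted key (the page used -des3) plus a CSR
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" -config pki.cnf >/dev/null 2>&1
}

# sign_cert CSR CANAME EXT_SECTION OUT: issue OUT with CANAME.key, as 'openssl ca' did on the page
sign_cert() {
  openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 365 \
    -extfile pki.cnf -extensions "$3" -out "$4" >/dev/null 2>&1
}

build_pki() {
  # Root: self-signed CA certificate
  openssl req -x509 -new -newkey rsa:2048 -nodes -keyout rootca.key -out rootca.crt \
    -subj "/CN=rootca" -days 365 -config pki.cnf -extensions ca_ext >/dev/null 2>&1
  new_key_and_csr subca subca
  sign_cert subca.csr rootca ca_ext subca.crt            # root signs the sub CA
  new_key_and_csr client1 "Client #1"
  sign_cert client1.csr rootca client_ext client1.crt    # client #1: issued by the root
  new_key_and_csr client2 "Client #2"
  sign_cert client2.csr subca client_ext client2.crt     # client #2: issued by the sub CA
  cat rootca.crt subca.crt > client.pem                  # the bundle nginx loads via ssl_client_certificate
}

# verify_err CERT [verify options]: prints the first X509 verify error number
# (20 = unable to get local issuer certificate, 27 = certificate not trusted, as in
# the nginx debug trace), 0 when the chain verifies, 1 for a failure without a number.
verify_err() {
  cert=$1; shift
  out=$(openssl verify "$@" "$cert" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -z "$code" ]; then
    if printf '%s\n' "$out" | grep -q ': OK$'; then code=0; else code=1; fi
  fi
  echo "$code"
}

build_pki
echo "client1, trust = root only:              $(verify_err client1.crt -CAfile rootca.crt)"
echo "client2, trust = root only:              $(verify_err client2.crt -CAfile rootca.crt)"
echo "client2, root + untrusted sub CA:        $(verify_err client2.crt -CAfile rootca.crt -untrusted subca.crt)"
echo "client2, root+sub bundle (client.pem):   $(verify_err client2.crt -CAfile client.pem)"
echo "client2, bundle, -verify_depth 0:        $(verify_err client2.crt -CAfile client.pem -verify_depth 0)"
echo "client2, bundle, -verify_depth 2:        $(verify_err client2.crt -CAfile client.pem -verify_depth 2)"
```

Run it with `sh`. The depth cases show the answer's point: Client #2's chain is three certificates long (client, subca, rootca), and nginx's default `ssl_verify_depth` of 1 made the OpenSSL of the page's era stop at subca, which is exactly the error 20 followed by 27 in the debug trace; `ssl_verify_depth 2;` next to `ssl_client_certificate /etc/nginx/ssl/client.pem;` lets the lookup reach the root. OpenSSL 1.1.0 and later count the depth as the number of intermediate CAs, excluding the leaf and the trust anchor, so a value of 2 remains correct on current systems. Separately, the `SSLv3` entry in `ssl_protocols` and the `RC4`, `DES-CBC3` and `MD5` suites in the original `ssl_ciphers` are obsolete and should not be carried into a new deployment.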
