2013-07-20

AppEngine SSL fails from the command line

I loaded a RapidSSL/GeoTrust certificate into my AppEngine application. The site loads perfectly over SSL in browsers.

But when I verify the certificate from the command line (Ubuntu 13.04), it fails. It is a plain SSL failure, so all of my Python requests fail too (`urllib3` fails, and so `requests` fails):

$ openssl s_client -connect www.XYZ.com:443 
CONNECTED(00000003) 
3073689800:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: 
--- 
no peer certificate available 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 0 bytes and written 225 bytes 
--- 
New, (NONE), Cipher is (NONE) 
Secure Renegotiation IS NOT supported 
Compression: NONE 
Expansion: NONE 
--- 

I am using the same certificate on an NGINX server running elsewhere, and there it verifies without any problem:

$ openssl s_client -connect XYZ.com:443 
CONNECTED(00000003) 
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA 
verify error:num=20:unable to get local issuer certificate 
verify return:0 
--- 
Certificate chain 
0 s:/serialNumber=gQpQo/GwZhs9/JqYi8P8DsQNFmVC5VQB/OU=GT09052054/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=www.XYZ.com 
    i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
    i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
MIIFRjCCBC6gAwIBAgIDDOW3MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT 
<truncated> 
S6YumLnJrUVoCA== 
-----END CERTIFICATE----- 
subject=/serialNumber=gQpQo/GwZhs9/JqYi8P8DsQNFmVC5VQB/OU=GT09052054/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=www.XYZ.com 
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA 
--- 
No client certificate CA names sent 
--- 
SSL handshake has read 3023 bytes and written 375 bytes 
--- 
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA 
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
SSL-Session: 
    Protocol : TLSv1.1 
    Cipher : ECDHE-RSA-AES256-SHA 
    Session-ID: A69E838824AF4F74228A82105A74D708A63CB5FDE042A04072A937A9A25DC1C7 
    Session-ID-ctx: 
    Master-Key: 35EACC6FCFA5F901AA355C0379289EE33FEB77334A95EC45A4A9D7CD22E4C944C76F998C2D9AAAF635FD88D02CDB7B08 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    TLS session ticket lifetime hint: 300 (seconds) 
    TLS session ticket: 
    0000 - 5f 78 c7 0c da f1 7b ee-52 7a 4d 36 c0 28 b0 d7 _x....{.RzM6.(.. 
    <truncated> 
    0090 - 5e fc 2c 37 d4 6f 20 0b-a6 aa 62 f4 df 90 1e 18 ^.,7.o ...b..... 

    Start Time: 1374291906 
    Timeout : 300 (sec) 
    Verify return code: 20 (unable to get local issuer certificate) 
    --- 

The site is not finished yet, so I cannot share the domain name.

I would appreciate any insight.

Dustin

Answer

Are you using SNI or a VIP? If you are using SNI, you need to use openssl's -servername.

Ahahaha. I love you, man (SNI). Why didn't I need to do this for my NGINX server? And how do I do it from code (specifically Python `requests`)?

Your NGINX server probably doesn't need SNI because it only knows about a single certificate, so it doesn't have to "think" about which certificate to serve. SNI is only needed when you try to serve multiple domains with multiple certificates from the same IP address.

Regarding Python: the standard SSL package in Python 2.x does not support SNI. Some libraries may have added it themselves. Also, the URLFetch service on App Engine supports SNI.
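The thread's diagnosis is that the App Engine frontend hosts many certificates on one IP, so a client that sends no SNI gives it no way to choose one and the handshake fails before any certificate is offered. The following added example (not code from the thread; it assumes Python 3's `ssl` module, which unlike the Python 2.x module mentioned above does support SNI) drives OpenSSL through its first handshake flight entirely in memory, so it runs offline, and then parses the resulting ClientHello to show that the `server_hostname` argument is exactly what adds the server_name extension:

```python
import ssl
import struct

# The openssl equivalent of passing server_hostname is the flag from the answer:
#   openssl s_client -servername www.XYZ.com -connect www.XYZ.com:443

def build_client_hello(server_hostname):
    """Run OpenSSL's first handshake step against in-memory BIOs (no network)
    and return the bytes it wanted to send: one TLS record holding a ClientHello."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # only so that server_hostname=None is permitted
    ctx.verify_mode = ssl.CERT_NONE  # the handshake is never completed anyway
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                         # expected: ClientHello written, now waiting for the server
    return outgoing.read()

def extract_sni(client_hello):
    """Return the host carried in the ClientHello's server_name extension, or None."""
    # record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                   # skip client_version and random
    p += 1 + client_hello[p]         # session_id
    (n,) = struct.unpack_from("!H", client_hello, p)
    p += 2 + n                       # cipher_suites
    p += 1 + client_hello[p]         # compression_methods
    if p >= len(client_hello):
        return None                  # no extensions block at all
    (ext_len,) = struct.unpack_from("!H", client_hello, p)
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", client_hello, p)
        p += 4
        if ext_type == 0:            # server_name (RFC 6066): list_len(2) type(1) name_len(2) name
            (name_len,) = struct.unpack_from("!H", client_hello, p + 3)
            return client_hello[p + 5:p + 5 + name_len].decode("ascii")
        p += length
    return None

if __name__ == "__main__":
    # "www.example.com" is a constructed placeholder for the poster's undisclosed domain.
    print("with server_hostname:   ", extract_sni(build_client_hello("www.example.com")))
    print("without server_hostname:", extract_sni(build_client_hello(None)))
```

A client library that cannot pass the hostname through to the TLS layer produces the second kind of ClientHello, which is what the `openssl s_client` output at the top of the question reflects.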