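StartSSL SSL certificate showing as net::ERR_CERT_AUTHORITY_INVALID in browsers
I have "purchased" a 3-year free StartSSL Class 1 DV certificate for my development domain and installed it on NGINX following their instructions.
I noticed that the nginx certificate they provide contains the DV certificate, with 10 domain aliases added, plus the intermediate certificate, which they say should be valid as far as browsers are concerned (I tried it in Chrome, and the result in Firefox is similar).
The certificate is shown as invalid: https://gb.qa.vendigo.build/
However, almost all SSL validation tools show it as a complete chain with no problems at all, with the exception of one tool: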
http://www.sslchecker.com/sslchecker?su=1e9941a064b5bc0b92fbfa310aae796b
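It shows the 'root' certificate as missing. However, adding the root certificate doesn't help; in fact, the SSL checker (listed above) then shows the root as present but lists another certificate as missing. Downloading and installing these certificates just makes the chain keep growing, to no avail.
I'm now pretty stuck! Am I missing something obvious, or is this just a bad certificate?
The nginx configuration looks like this: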
# gb.qa.vendigo.build
upstream cc574309c4214a6c01eb8d3dbe9f701eee9daf3d {
## Can be connect with "bridge" network
# sample-1.antony-cert-test.11b35827
server 172.17.0.6:80;
## Can be connect with "dockercloud" network
# sample-1.antony-cert-test.11b35827
server 10.7.0.24:80;
}
server {
server_name gb.qa.vendigo.build;
listen 80 ;
listen [::]:80 ;
access_log /var/log/nginx/access.log vhost;
return 301 https://$host$request_uri;
}
server {
server_name gb.qa.vendigo.build;
listen 443 ssl http2 ;
listen [::]:443 ssl http2 ;
access_log /var/log/nginx/access.log vhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_certificate /etc/nginx/certs/vendigo.build.crt;
ssl_certificate_key /etc/nginx/certs/vendigo.build.key;
add_header Strict-Transport-Security "max-age=31536000";
location / {
proxy_pass http://cc574309c4214a6c01eb8d3dbe9f701eee9daf3d;
}
}
http://webmasters.stackexchange.com/questions/103405/installing-startssl-certificate-under-apache-gives-sec-error-revoked-certificate – tkausl
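Whether a bundle is complete and whether a browser trusts the root it leads to are separate questions, so a checker can report a full chain while a browser that does not trust that root still rejects it. As an added example (not part of the original post), this script checks only the first question for the file named by `ssl_certificate`: that each certificate is issued by the next one, and whether a self-signed root was appended. The function name `check_bundle` is hypothetical, and the `openssl` command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: report how the certificates in a
# PEM bundle (the file named by nginx's ssl_certificate) link to each other.
# Output: "<linked|misordered|empty> <count> <root-included|root-omitted>"
check_bundle() {
    bundle=$1
    tmp=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: cert1.pem, cert2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }' "$bundle"
    count=0
    while [ -f "$tmp/cert$((count + 1)).pem" ]; do count=$((count + 1)); done
    if [ "$count" -eq 0 ]; then
        rm -rf "$tmp"; echo "empty 0 root-omitted"; return 0
    fi
    # Each certificate must be issued by the one that follows it in the file.
    status=linked
    i=1
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)
        next=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject_hash)
        if [ "$issuer" != "$next" ]; then status=misordered; fi
        i=$((i + 1))
    done
    # A last certificate whose issuer equals its subject is a self-signed root.
    last="$tmp/cert$count.pem"
    root=root-omitted
    if [ "$(openssl x509 -in "$last" -noout -issuer_hash)" = \
         "$(openssl x509 -in "$last" -noout -subject_hash)" ]; then
        root=root-included
    fi
    rm -rf "$tmp"
    echo "$status $count $root"
}

# Stand-alone use: ./check_bundle.sh /etc/nginx/certs/vendigo.build.crt
if [ -n "${1:-}" ] && [ -f "$1" ]; then check_bundle "$1"; fi
```

A `linked` result with `root-omitted` is the normal shape for a server bundle, since clients take the root from their own trust store rather than from the server.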