我目前在我們的Google Apps域使用自簽名通配符證書(請參閱http://pastie.org/8402240)。爲Google App Engine上傳通配符SSL證書給出了「SSL證書引用子域在受管域之外」。
可以說域是example.com。我還註冊了子域api.example.com和staging.example.com。
自簽名證書用於* .api.example.com。
它工作得很好。
但是,當我嘗試上載CA簽名證書時(請參閱http://pastie.org/8402243),我收到錯誤消息「SSL證書引用子域在受管域以外」。
CA簽名證書有點複雜,但它解析爲http://pastie.org/8402255,它也是* .api.example.com(AND * .staging.example.com)。
CA證書導致此錯誤的問題是什麼?
我的猜測是你沒有正確設置你的自定義域。請參閱Google's Using a Custom Domain documentation, specifically the section on Wildcard Subdomain Mapping。
我猜你需要添加:
要作爲SSL的自定義域列表包含了不少主題替代名稱。
根據該錯誤,Google App似乎抱怨證書中包含Google App未知的子域。
您提到:* .staging.soundtrackyourbrand.com包含在內。確保谷歌應用程序知道這個子域/區域(以及soundtrackyourbrand.com),因爲這是爲什麼它將你擊倒。
你需要有區域是:
如果您不能添加這些記錄您將需要重新生成一個更專用於您的區域的證書。
或者,您可能已經錯誤地設置了第一個區域。例如,soundtrackyourbrand.com應該是您的只有區域與api.soundtrackyourbrand.com & staging.soundtrackyourbrand.com是A記錄。
正如我對邁克爾帕斯卡龍所說 - 區域和名稱不是自簽名證書的問題,所以我懷疑這是什麼情況? – user1147646
但是,當我嘗試上載CA簽名證書時(請參閱http://pastie.org/8402243),我收到錯誤消息「SSL證書引用子域在受管域以外」。
我看到配置有兩個問題。一個是PKI相關的,另一個是DNS相關的。
我知道PKI問題會導致一些用戶代理出現問題。我不確定DNS問題,但可能是問題,因爲您的錯誤消息引用「託管域外的子域」。而且它們可能不是唯一的問題。
服務器的證書缺少驗證所需的中間證書。這在PKI中是一個衆所周知的問題,它被稱爲「哪個目錄」問題。在這個問題中,客戶端不知道去哪裏獲取用於簽署最終實體證書的缺失中間證書。
按照CA簽署pastie(http://pastie.org/8402243):
$ openssl x509 -in 8402243.pem -inform PEM -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 108388 (0x1a764)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
Validity
Not Before: Oct 3 05:15:45 2013 GMT
Not After : Oct 4 10:34:27 2015 GMT
Subject: C=SE, ST=Stockholm, L=Stockholm, O=S.Biz AB, CN=api.example.com/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a9:76:dc:c7:5c:1a:ab:cf:dc:0b:6d:4b:1a:83:
...
7e:45:cb:cc:9f:14:e4:6c:b9:22:fa:d8:0f:5c:69:
76:2b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Key Agreement
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Key Identifier:
FC:EE:69:80:9D:A1:0C:43:C6:24:CE:85:F6:00:C9:65:CD:4A:AF:D4
X509v3 Authority Key Identifier:
keyid:11:DB:23:45:FD:54:CC:6A:71:6F:84:8A:03:D7:BE:F7:01:2F:26:86
X509v3 Subject Alternative Name:
DNS:api.example.com, DNS:example.com, DNS:staging.example.com, DNS:*.staging.example.com, DNS:*.api.example.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.2
Policy: 1.3.6.1.4.1.23223.1.2.3
CPS: http://www.startssl.com/policy.pdf
User Notice:
Organization: StartCom Certification Authority
Number: 1
Explicit Text: This certificate was issued ...
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.startssl.com/crt2-crl.crl
Authority Information Access:
OCSP - URI:http://ocsp.startssl.com/sub/class2/server/ca
CA Issuers - URI:http://aia.startssl.com/certs/sub.class2.server.ca.crt
X509v3 Issuer Alternative Name:
URI:http://www.startssl.com/
Signature Algorithm: sha256WithRSAEncryption
97:2c:96:ee:80:ca:1f:27:55:e0:60:68:6b:5e:ea:44:a7:bb:
...
64:6e:1a:0b:9b:bd:10:e6:ac:48:60:cd:51:ac:46:57:fa:61:
13:32:65:a5
你缺少你的鏈中的 「StartCom 2級初級中級服務器CA」 中間。
您可以從Startcom的CA certs獲取缺失的中間人。你正在尋找的是sub.class2.server.ca.pem。快速轉儲驗證主題的sub.class2.server.ca.pem是您的服務器證書的發行人:
$ openssl x509 -in sub.class2.server.ca.pem -inform PEM -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 26 (0x1a)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Validity
Not Before: Oct 24 20:57:09 2007 GMT
Not After : Oct 24 20:57:09 2017 GMT
Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
...
有什麼不對的CA證書導致此錯誤?
你應該的PEM編碼的服務器證書後,以下內容粘貼到你的服務器證書文件,。實質上,您的服務器的證書文件將包含兩個證書。
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NzA5WhcNMTcxMDI0MjA1NzA5WjCB
jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4k85L6GMmoWtCA4IPlfyiAEh
G5SpbOK426oZGEY6UqH1D/RujOqWjJaHeRNAUS8i8gyLhw9l33F0NENVsTUJm9m8
H/rrQtCXQHK3Q5Y9upadXVACHJuRjZzArNe7LxfXyz6CnXPrB0KSss1ks3RVG7RL
hiEs93iHMuAW5Nq9TJXqpAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125w2oLJxGE
d2H2wnztwI14FBiZgZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhHM7BUxkYa
8zVhwQIpkFR+ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQpZ4rEAwID
AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
VR0OBBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaAFE4L7xqkQFul
F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAnQfh7pB2MWcWRXCMy4SLS1doRKWJwfJ+
yyiL9edwd9W29AshYKWhdHMkIoDW2LqNomJdCTVCKfs5Y0ULpLA4Gmj0lRPM4EOU
7Os5GuxXKdmZbfWEzY5zrsncavqenRZkkwjHHMKJVJ53gJD2uSl26xNnSFn4Ljox
uMnTiOVfTtIZPUOO15L/zzi24VuKUx3OrLR2L9j3QGPV7mnzRX2gYsFhw3XtsntN
rCEnME5ZRmqTF8rIOS0Bc2Vb6UGbERecyMhK76F2YC2uk/8M1TMTn08Tzt2G8fz4
NVQVqFvnhX76Nwn/i7gxSZ4Nbt600hItuO3Iw/G2QqBMl3nf/sOjn6H0bSyEd6Si
BeEX/zHdmvO4esNSwhERt1Axin/M51qJzPeGmmGSTy+UtpjHeOBiS0N9PN7WmrQQ
oUCcSyrcuNDUnv3xhHgbDlePaVRCaHvqoO91DweijHOZq1X1BwnSrzgDapADDC+P
4uhDwjHpb62H5Y29TiyJS1HmnExUdsASgVOb7KD8LJzaGJVuHjgmQid4YAjff20y
6NjAbx/rJnWfk/x7G/41kNxTowemP4NVCitOYoIlzmYwXSzg+RkbdbmdmFamgyd6
0Y+NWZP8P3PXLrQsldiL98l+x/ydrHIEH9LMF/TtNGCbnkqXBP7dcg5XVFEGcE3v
qhykguAzx/Q=
-----END CERTIFICATE-----
然後客戶需要「信任」Startcom的根證書(CN=StartCom Certification Authority)。如果他們信任Startcom的根證書,那麼你的服務器證書將驗證:
# Download Startcom's roots
$ wget https://www.startssl.com/certs/ca-bundle.pem
--2014-02-07 05:08:52-- https://www.startssl.com/certs/ca-bundle.pem
...
# Verify the server certificate using the Startcom root
$ openssl verify -CAfile ca-bundle.pem 8402243+intermediate.pem
8402243+intermediate.pem: OK
下面是我注意到一兩件事。有些主機解決OK:
$ dig staging.soundtrackyourbrand.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> staging.soundtrackyourbrand.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22761
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;staging.soundtrackyourbrand.com. IN A
;; ANSWER SECTION:
staging.soundtrackyourbrand.com. 3599 IN A 194.9.94.85
staging.soundtrackyourbrand.com. 3599 IN A 194.9.94.86
但一些主機不能正確解析:
$ dig api.soundtrackyourbrand.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> api.soundtrackyourbrand.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33966
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;api.soundtrackyourbrand.com. IN A
;; AUTHORITY SECTION:
soundtrackyourbrand.com. 1755 IN SOA ns1.loopia.se. registry.loopia.se. 1391644800 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Fri Feb 7 05:30:05 2014
;; MSG SIZE rcvd: 103
我相信你應該有類似的地址資源記錄:
api.soundtrackyourbrand.com. IN A 194.9.94.85
或者,使它是一個通過提供權限開始(SOA)記錄的子域。但我不確定谷歌將如何處理它的驗證程序,因此只需給它一個地址資源記錄就可以更容易。
谷歌應用的廣告僅支持一個級別通配符子域名,* .API和* .staging.soundtrackyourbrand.com是兩個級別的
這可能並非如此,因爲自簽名證書是隻罰款* .api.soundtrackyourbrand.com,對嗎? – user1147646