Troubleshooting an Expired SSL Root Certificate
Summary: Author: 张亚飞 | Read Time: 6 minute read | Published: 2023-12-25
Filed under Categories: ACME | Tags: ACME, Lets encrypt
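Background
On one occasion, www.iirii.com was configured with an SSL certificate issued by Let's Encrypt and deployed to a k8s cluster.
The site opens normally in a browser at https://www.iirii.com, but accessing the domain with the curl command fails certificate verification with the following error: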
$ curl https://www.iirii.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Root cause analysis
The iirii.com.crt certificate file is configured as follows:
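Extracting certificate information with OpenSSL
The certificate file above consists of two blocks; we print each one separately.
First block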
$ openssl x509 -text -in iirii.com.1.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:d0:2f:07:d9:89:8d:75:7b:e0:21:d0:73:a1:49:aa:3e:1a
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R3
Validity
Not Before: Dec 7 11:58:53 2023 GMT
Not After : Mar 6 11:58:52 2024 GMT
Subject: CN=iirii.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a8:55:3e:f6:3b:41:90:62:f0:c6:cb:af:0f:fa:
e0:24:3c:dc:75:67:34:5c:4a:82:cf:70:35:3f:c7:
90:90:ae:0e:e0:ca:6d:b2:29:ad:65:87:3a:c1:70:
24:14:2c:5a:b5:06:b7:55:21:3f:4a:08:b2:a2:a4:
ad:bb:0f:50:f8:60:7e:ae:9b:66:f5:83:ae:1c:24:
c5:ff:52:c1:2f:76:8d:89:90:b0:ad:3a:5b:6e:1a:
7b:70:c7:1f:f4:4e:81:46:14:06:54:94:c9:8b:7f:
bc:df:06:60:27:e5:5d:05:b0:c9:60:97:9e:0e:27:
87:2c:09:63:b7:9c:57:a0:c0:a2:9e:dd:b9:4e:95:
e2:ce:23:3a:df:2f:8f:20:43:10:9c:51:1f:22:eb:
45:12:4b:d5:4c:ea:13:99:5f:b1:9f:84:fb:59:6b:
9b:dd:8e:55:e8:44:dc:97:92:3a:e3:9d:86:dd:d9:
f4:d7:45:cf:f8:12:7d:a6:24:ab:49:61:25:02:fd:
e1:04:74:95:95:32:e2:bd:0f:61:dd:1c:ec:5c:f6:
6b:a0:a9:16:d5:9e:ae:1a:1f:78:d0:a8:d0:e8:a1:
d0:87:bd:01:f5:e3:9f:34:ac:0a:b2:03:9c:d3:38:
79:3d:80:ea:f5:d4:7e:8c:55:9a:a1:77:95:20:8d:
ca:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A0:A5:72:9D:76:EB:26:DF:FA:6D:4E:02:E1:C9:A1:7E:CD:DF:FD:DE
X509v3 Authority Key Identifier:
keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
Authority Information Access:
OCSP - URI:http://r3.o.lencr.org
CA Issuers - URI:http://r3.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:*.docker.iirii.com, DNS:*.iirii.com, DNS:iirii.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
Timestamp : Dec 7 12:58:53.912 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:CB:56:E4:1B:CF:DA:23:43:86:1C:A4:
34:A1:2D:E7:4D:1D:43:EA:38:F2:17:73:09:02:80:78:
3F:F6:F0:F7:EE:02:21:00:B2:C3:FA:55:F7:EA:35:C3:
36:A9:A2:7A:17:02:55:F0:09:29:F6:C3:3F:DA:BF:61:
2C:72:64:CA:FA:C9:8C:32
Signed Certificate Timestamp:
Version : v1(0)
Log ID : A2:E2:BF:D6:1E:DE:2F:2F:07:A0:D6:4E:6D:37:A7:DC:
65:43:B0:C6:B5:2E:A2:DA:B7:8A:F8:9A:6D:F5:17:D8
Timestamp : Dec 7 12:58:53.927 2023 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:45:5D:FC:1C:98:7C:2D:BF:3C:86:03:55:
EE:E4:48:22:C4:F6:90:44:99:5A:AA:D2:36:63:73:21:
7B:62:A5:80:02:20:33:18:AD:38:BF:F9:B2:75:A0:07:
8C:45:B4:63:05:D1:A7:9B:2D:3B:0D:F4:EB:2C:80:8E:
2E:F1:DE:F7:35:50
Signature Algorithm: sha256WithRSAEncryption
15:82:75:db:7d:de:a5:45:cd:d5:44:bc:45:30:26:24:91:a4:
b6:da:2c:01:72:d9:02:29:f5:2e:b8:19:18:31:59:2f:0b:ac:
b9:aa:df:22:8b:a0:8f:14:7a:bb:8a:62:c2:12:ac:a6:09:7c:
50:45:dd:d5:98:fc:45:19:71:b7:05:6a:32:2b:18:86:67:e9:
ec:2d:fb:9d:b9:7c:fb:a3:9e:f9:11:59:61:7f:49:db:b4:9f:
e0:bf:1a:03:57:9c:cd:d1:97:2f:ad:3e:b8:f8:fa:c2:74:36:
d9:06:ab:52:ca:05:53:e2:02:73:d4:6c:00:a9:f9:c1:6b:fe:
31:04:c2:03:a4:75:53:00:40:f4:2f:ba:3c:4c:be:b9:de:49:
3e:46:48:34:e4:c2:30:0e:6c:a8:92:b9:41:03:ef:49:c8:b0:
b2:92:c2:8e:59:3f:25:6b:b9:c7:97:a2:ed:eb:b4:a3:60:91:
19:77:a9:64:88:f7:a8:5c:da:a6:f6:3c:e5:8c:d0:36:07:21:
d1:0c:45:a8:9f:73:0e:a6:87:63:c5:94:30:d8:82:02:e7:56:
ce:99:9b:0d:c1:35:7c:4b:29:28:cf:be:7d:e9:0e:25:20:71:
4f:c5:30:00:4b:ed:d9:a0:d3:01:1d:f6:a3:23:0b:44:8e:55:
96:ce:12:c4
Issuer, Subject, Not Before, Not After and X509v3 Subject Alternative Name were checked and are all normal.
Second block
$ openssl x509 -text -in iirii.com.2.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
0a:01:41:42:00:00:01:53:85:73:6a:0b:85:ec:a7:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
Validity
Not Before: Mar 17 16:40:46 2016 GMT
Not After : Mar 17 16:40:46 2021 GMT
Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9c:d3:0c:f0:5a:e5:2e:47:b7:72:5d:37:83:b3:
68:63:30:ea:d7:35:26:19:25:e1:bd:be:35:f1:70:
92:2f:b7:b8:4b:41:05:ab:a9:9e:35:08:58:ec:b1:
2a:c4:68:87:0b:a3:e3:75:e4:e6:f3:a7:62:71:ba:
79:81:60:1f:d7:91:9a:9f:f3:d0:78:67:71:c8:69:
0e:95:91:cf:fe:e6:99:e9:60:3c:48:cc:7e:ca:4d:
77:12:24:9d:47:1b:5a:eb:b9:ec:1e:37:00:1c:9c:
ac:7b:a7:05:ea:ce:4a:eb:bd:41:e5:36:98:b9:cb:
fd:6d:3c:96:68:df:23:2a:42:90:0c:86:74:67:c8:
7f:a5:9a:b8:52:61:14:13:3f:65:e9:82:87:cb:db:
fa:0e:56:f6:86:89:f3:85:3f:97:86:af:b0:dc:1a:
ef:6b:0d:95:16:7d:c4:2b:a0:65:b2:99:04:36:75:
80:6b:ac:4a:f3:1b:90:49:78:2f:a2:96:4f:2a:20:
25:29:04:c6:74:c0:d0:31:cd:8f:31:38:95:16:ba:
a8:33:b8:43:f1:b1:1f:c3:30:7f:a2:79:31:13:3d:
2d:36:f8:e3:fc:f2:33:6a:b9:39:31:c5:af:c4:8d:
0d:1d:64:16:33:aa:fa:84:29:b6:d4:0b:c0:d8:7d:
c3:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Authority Information Access:
OCSP - URI:http://isrg.trustid.ocsp.identrust.com
CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c
X509v3 Authority Key Identifier:
keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.root-x1.letsencrypt.org
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl
X509v3 Subject Key Identifier:
A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Signature Algorithm: sha256WithRSAEncryption
dd:33:d7:11:f3:63:58:38:dd:18:15:fb:09:55:be:76:56:b9:
70:48:a5:69:47:27:7b:c2:24:08:92:f1:5a:1f:4a:12:29:37:
24:74:51:1c:62:68:b8:cd:95:70:67:e5:f7:a4:bc:4e:28:51:
cd:9b:e8:ae:87:9d:ea:d8:ba:5a:a1:01:9a:dc:f0:dd:6a:1d:
6a:d8:3e:57:23:9e:a6:1e:04:62:9a:ff:d7:05:ca:b7:1f:3f:
c0:0a:48:bc:94:b0:b6:65:62:e0:c1:54:e5:a3:2a:ad:20:c4:
e9:e6:bb:dc:c8:f6:b5:c3:32:a3:98:cc:77:a8:e6:79:65:07:
2b:cb:28:fe:3a:16:52:81:ce:52:0c:2e:5f:83:e8:d5:06:33:
fb:77:6c:ce:40:ea:32:9e:1f:92:5c:41:c1:74:6c:5b:5d:0a:
5f:33:cc:4d:9f:ac:38:f0:2f:7b:2c:62:9d:d9:a3:91:6f:25:
1b:2f:90:b1:19:46:3d:f6:7e:1b:a6:7a:87:b9:a3:7a:6d:18:
fa:25:a5:91:87:15:e0:f2:16:2f:58:b0:06:2f:2c:68:26:c6:
4b:98:cd:da:9f:0c:f9:7f:90:ed:43:4a:12:44:4e:6f:73:7a:
28:ea:a4:aa:6e:7b:4c:7d:87:dd:e0:c9:02:44:a7:87:af:c3:
34:5b:b4:42
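This certificate is a CA certificate, and its Not After field shows an expiry time of Mar 17 16:40:46 2021 GMT. That is the problem: the issuing CA certificate in the file is the wrong one and has already expired.
The Let's Encrypt website has a notice about the expiry of this CA's root certificate: DST Root CA X3 Expiration (September 2021)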
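The manual check above (print each PEM block, read Not After, compare each Issuer with the next block's Subject) can be scripted. The following is an added example, not part of the original post; it assumes the openssl CLI is installed, and the function names split_bundle and audit_bundle are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): check every certificate in a
# PEM bundle for expiry and for issuer/subject continuity. Needs the openssl CLI.

# split_bundle BUNDLE DIR: write DIR/cert.N.pem per PEM block, print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# audit_bundle BUNDLE [WINDOW_SECONDS] (hypothetical helper name)
# Prints one status line per certificate. Exit status is 0 only when no
# certificate expires within WINDOW_SECONDS (default 0: already expired)
# and each certificate's issuer name matches the next certificate's subject.
audit_bundle() (
  bundle=$1; window=${2:-0}; rc=0; i=1
  tmp=$(mktemp -d) || exit 2
  count=$(split_bundle "$bundle" "$tmp")
  [ "$count" -gt 0 ] || { echo "no certificates in $bundle"; rm -rf "$tmp"; exit 2; }
  while [ "$i" -le "$count" ]; do
    cert="$tmp/cert.$i.pem"; next="$tmp/cert.$((i + 1)).pem"; status=OK
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -noout -checkend "$window" -in "$cert" >/dev/null 2>&1; then
      status=EXPIRED_OR_EXPIRING; rc=1
    fi
    # Compare name hashes, the form OpenSSL uses for CA directory lookups.
    if [ -f "$next" ] &&
       [ "$(openssl x509 -noout -issuer_hash -in "$cert")" != \
         "$(openssl x509 -noout -subject_hash -in "$next")" ]; then
      status="$status,ISSUER_MISMATCH"; rc=1
    fi
    echo "cert $i: $status $(openssl x509 -noout -subject -issuer -enddate -in "$cert" | tr '\n' ' ')"
    i=$((i + 1))
  done
  rm -rf "$tmp"
  exit "$rc"
)

# Stand-alone use: sh this_script.sh bundle.pem [window_seconds]
if [ "$#" -gt 0 ]; then audit_bundle "$@"; fi
```

For a bundle like the one in this post, the first block would be flagged ISSUER_MISMATCH (its Issuer is CN=R3, while the next block's Subject is CN=Let's Encrypt Authority X3) and the second block EXPIRED_OR_EXPIRING.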