SSL Certificates
Author: 张亚飞 | Read time: 3 minutes | Published: 2016-05-17
Categories: Linux | Tags: Note
SSL certificate mismatch
After the certificate was renewed, nginx failed to restart with the following error:
nginx: [emerg] SSL_CTX_use_PrivateKey("/etc/ssl/coam/domains/pyios.com/private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Modulus of the certificate, /etc/ssl/coam/domains/pyios.com/domain.pem:
openssl x509 -noout -modulus -in /etc/ssl/coam/domains/pyios.com/domain.pem | openssl md5
(stdin)= 6461e3f5704d4d71e1d920de23d1e8cb
Modulus of the private key, /etc/ssl/coam/domains/pyios.com/private.key:
openssl rsa -noout -modulus -in /etc/ssl/coam/domains/pyios.com/private.key | openssl md5
(stdin)= 6461e3f5704d4d71e1d920de23d1e8cb
Those two agree. Checking fullchain.crt next gives a different value.
Modulus of the first certificate in /etc/ssl/coam/domains/pyios.com/fullchain.crt:
openssl x509 -noout -modulus -in /etc/ssl/coam/domains/pyios.com/fullchain.crt | openssl md5
(stdin)= 47ba8cf81b0f2b46ff6eb63e17a5559c
Inspecting the certificates shows that the certificate in /etc/ssl/coam/domains/pyios.com/domain.pem and the leaf certificate in /etc/ssl/coam/domains/pyios.com/fullchain.crt are different certificates. After correcting this, the value matches.
Modulus of the first certificate in /etc/ssl/coam/domains/pyios.com/fullchain.crt, after the fix:
openssl x509 -noout -modulus -in /etc/ssl/coam/domains/pyios.com/fullchain.crt | openssl md5
(stdin)= 6461e3f5704d4d71e1d920de23d1e8cb
The cause was that a run_s certificate-issuance run had been interrupted, so the two certificate files came from different issuances; this is to be fixed next time.
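The three checks above (certificate modulus, key modulus, first certificate of the chain) gathered into one pre-flight script to run before reloading nginx; this is an added example written for this note, not the author's run_s tooling. It assumes RSA keys as on this page, takes the three file paths as arguments, and additionally checks that fullchain.crt carries an intermediate, since a chain holding only the leaf is one common cause of the curl error "unable to get local issuer certificate" seen in the next section.

```shell
#!/bin/sh
# Pre-flight check to run before "nginx -t && nginx -s reload" after renewing a
# certificate. Added example for this note, not the author's run_s tooling.
# Assumes RSA keys (as on this page); the three file paths are arguments.

# md5 of the RSA modulus of the first certificate in a PEM file
cert_modulus() {
  openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# md5 of the RSA modulus of a private key, in the same format so both compare
key_modulus() {
  openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl md5 | awk '{print $NF}'
}

# number of certificates in a PEM bundle (leaf plus intermediates)
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_cert_set DOMAIN_PEM PRIVATE_KEY FULLCHAIN_CRT
# Prints one line per finding; returns 0 only when the key belongs to the
# certificate, the chain starts with that same certificate, and the chain
# carries at least one intermediate.
check_cert_set() {
  cert="$1"; key="$2"; chain="$3"; rc=0
  c=$(cert_modulus "$cert"); k=$(key_modulus "$key"); f=$(cert_modulus "$chain")
  if [ "$c" != "$k" ]; then
    echo "MISMATCH: $key does not belong to $cert (nginx: key values mismatch)"
    rc=1
  fi
  if [ "$c" != "$f" ]; then
    echo "MISMATCH: leaf in $chain differs from $cert (stale or partial issuance)"
    rc=1
  fi
  if [ "$(cert_count "$chain")" -lt 2 ]; then
    echo "WARNING: $chain has no intermediate; clients may fail with 'unable to get local issuer certificate'"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: modulus $c is shared by certificate, key and chain"
  return "$rc"
}

# Usage with the paths from this note:
# check_cert_set /etc/ssl/coam/domains/pyios.com/domain.pem \
#   /etc/ssl/coam/domains/pyios.com/private.key \
#   /etc/ssl/coam/domains/pyios.com/fullchain.crt && nginx -t && nginx -s reload
```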
Viewing an SSL certificate
Once, when running curl on the server against https://git.iirii.com:30443, it reported a certificate verification problem:
curl https://git.iirii.com:30443/api/v4/runners -X POST -i
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
How can you tell whether this is a certificate configuration problem on the server? The certificate the server actually presents can be inspected with the following commands (one per host):
echo | openssl s_client -showcerts -servername zsauth.aukoo.cn -connect zsauth.aukoo.cn:443 2>/dev/null | openssl x509 -inform pem -noout -text
echo | openssl s_client -showcerts -servername git.iirii.com -connect git.iirii.com:30443 2>/dev/null | openssl x509 -inform pem -noout -text
echo | openssl s_client -showcerts -servername download.hz.gpuez.com -connect download.hz.gpuez.com:443 2>/dev/null | openssl x509 -inform pem -noout -text
The output for git.iirii.com looks like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:d0:2f:07:d9:89:8d:75:7b:e0:21:d0:73:a1:49:aa:3e:1a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec 7 11:58:53 2023 GMT
            Not After : Mar 6 11:58:52 2024 GMT
        Subject: CN = iirii.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [2048-bit modulus hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A0:A5:72:9D:76:EB:26:DF:FA:6D:4E:02:E1:C9:A1:7E:CD:DF:FD:DE
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:*.docker.iirii.com, DNS:*.iirii.com, DNS:iirii.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 3B:53:77:75:3E:2D:B9:80:4E:8B:30:5B:06:FE:40:3B:
                                67:D8:4F:C3:F4:C7:BD:00:0D:2D:72:6F:E1:FA:D4:17
                    Timestamp : Dec 7 12:58:53.912 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [signature bytes omitted]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : A2:E2:BF:D6:1E:DE:2F:2F:07:A0:D6:4E:6D:37:A7:DC:
                                65:43:B0:C6:B5:2E:A2:DA:B7:8A:F8:9A:6D:F5:17:D8
                    Timestamp : Dec 7 12:58:53.927 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [signature bytes omitted]
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        [signature bytes omitted]