Accepted
Roman Riabenko
Asked: 2020-08-20 05:15:48 +0800 CST

How to troubleshoot SSL website verification problems on Debian?


I am trying to troubleshoot secure access to a website on my Debian laptop. When I try to access the site in GNOME Web (Epiphany), GNOME Feeds, urlwatch or openssl, it fails. GNOME Web states that the website cannot be verified; see the openssl output below. But Chromium and Firefox load the site without any problem and state that the connection is secure. How can I check whether it is a bug in my system that I can fix, or a misconfiguration on the website that Chromium and Firefox somehow work around?

$ openssl s_client -connect fg.gov.ua:443
CONNECTED(00000003)
depth=0 C = UA, postalCode = 04053, L = Kyiv, street = vul.Sichovykh Striltsiv 17, O = "Deposit Guarantee Fund, State Organisation", OU = IT, CN = *.fg.gov.ua
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UA, postalCode = 04053, L = Kyiv, street = vul.Sichovykh Striltsiv 17, O = "Deposit Guarantee Fund, State Organisation", OU = IT, CN = *.fg.gov.ua
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = UA, postalCode = 04053, L = Kyiv, street = vul.Sichovykh Striltsiv 17, O = "Deposit Guarantee Fund, State Organisation", OU = IT, CN = *.fg.gov.ua
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHJjCCBg6gAwIBAgIQdMlRgieLFotpxhGUZykkijANBgkqhkiG9w0BAQsFADCB
lTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMT0wOwYDVQQD
EzRTZWN0aWdvIFJTQSBPcmdhbml6YXRpb24gVmFsaWRhdGlvbiBTZWN1cmUgU2Vy
dmVyIENBMB4XDTIwMDcxNzAwMDAwMFoXDTIxMTAxNTIzNTk1OVowgakxCzAJBgNV
BAYTAlVBMQ4wDAYDVQQREwUwNDA1MzENMAsGA1UEBxMES3lpdjEjMCEGA1UECRMa
dnVsLlNpY2hvdnlraCBTdHJpbHRzaXYgMTcxMzAxBgNVBAoTKkRlcG9zaXQgR3Vh
cmFudGVlIEZ1bmQsIFN0YXRlIE9yZ2FuaXNhdGlvbjELMAkGA1UECxMCSVQxFDAS
BgNVBAMMCyouZmcuZ292LnVhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
AQEAtIRBuOW3b3qcA8TJOrl6MIwpDHvNBlLMaqDR8CMJtmIiUZJ+og789eTVbJlc
VbjUjOrRXx+3sIVyYeF4tJWnaEzbhDpSzfzvufr0jFphkDWdYu2gzrKbXjQUUmz2
fzcimEqXC1r/rkUspCMdfk6fXscYMgWfP8Wq9ItMYYdlVrQM5W+T2hC3a3gcw2vM
pr/hg1WIph99ZrazZsE9o8ROLR7GHip9Lua7IfJkyjylFr6IIwnM2N8ave9QeoId
agL20KOeWTVnIm5Iqoa9l4C/45u8m/AJsk4FpWyNlMDnZLcNsJbJD/Arrm+z11BD
uf6cpodB0SI4wgaMYlFWblf5cQIDAQABo4IDWjCCA1YwHwYDVR0jBBgwFoAUF9nW
JSdn+THCSUPZMDZEjGypT+swHQYDVR0OBBYEFJh20/maGIe5ZDHiejh3rT8JxzI7
MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjBKBgNVHSAEQzBBMDUGDCsGAQQBsjEBAgEDBDAlMCMGCCsG
AQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAIBgZngQwBAgIwWgYDVR0f
BFMwUTBPoE2gS4ZJaHR0cDovL2NybC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBT3Jn
YW5pemF0aW9uVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNybDCBigYIKwYBBQUH
AQEEfjB8MFUGCCsGAQUFBzAChklodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3Rp
Z29SU0FPcmdhbml6YXRpb25WYWxpZGF0aW9uU2VjdXJlU2VydmVyQ0EuY3J0MCMG
CCsGAQUFBzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTAhBgNVHREEGjAYggsq
LmZnLmdvdi51YYIJZmcuZ292LnVhMIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcA
dQB9PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXNceArmAAAEAwBG
MEQCID6Q5XEksvVz0ljVMfog/BqFK5o01JsVQW2UpFnrj1lzAiAawR6Km293kJ3h
Eh4Su+lnonBz3+cLD/CzFC1cXQLhXQB2AJQgvB6O1Y1siHMfgosiLA3R2k1ebE+U
PWHbTi9YTaLCAAABc1x4Cw0AAAQDAEcwRQIhAP7aecTO1S57pSnARdR7wLYF0zUm
/FZgGvBLR4/bs8yiAiBM+A0miPcT2B1qY3hwA83LyqbTZOEUmb21K/0B4z0XGwB2
AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABc1x4Ct8AAAQDAEcw
RQIgNJzEpbzBvpaXv5AxmjAhcblO1FStCDPUbHxLav5ZzvMCIQDA/3R3G2/i9jD3
vkbhLjIxYmynL/lStRBdshvQV/r0ozANBgkqhkiG9w0BAQsFAAOCAQEAGLxGWkZf
Jz8y1RIMewDTJdW3OWhs0tYpWkdbVyYNUZN2e5Pgn5dmPJDgcF3AE+anNoCgohf3
aV+7x4JMUius/QLu/GH1cSz+to+DvHqE/N8w9oOZOwvAhAkVfTOpyHtDWVVhRWGH
UMtWcl9Jr9JTYk8nDPPSbmLqm7Rc86ZdWcMRwNpgiNVxs0oiR1A2qas3fHHlo01w
sg611jaKHY1Y84IUiDArEhhONJXxYYYSaTnwFAO3gBAq9loPmobnf4WXc51hWsCY
FID/isAye93MZT+ld8/o7sC8p6ImqxjJpwsQP/y2urnoalUoLy0Qg74FQmWEDVsa
UrtX7cbo45eOog==
-----END CERTIFICATE-----
subject=C = UA, postalCode = 04053, L = Kyiv, street = vul.Sichovykh Striltsiv 17, O = "Deposit Guarantee Fund, State Organisation", OU = IT, CN = *.fg.gov.ua

issuer=C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2390 bytes and written 381 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: D05774AA93DE22018DD221D4D56BBA7AC8B2C15ED3BE7BC7C75396FCB75F6FA4
    Session-ID-ctx: 
    Resumption PSK: EA673D1A4985E74D6CA74F5105FF311757CF08251515A0C3F92A39362B66C22CD264B61F87F09EAD2DD3355FEA948503
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 09 64 75 0e e1 89 54 b2-b8 43 89 59 36 88 88 cc   .du...T..C.Y6...
    0010 - 18 50 a2 ef 53 9c d8 f7-8f b2 fa e9 89 a5 73 34   .P..S.........s4
    0020 - 07 4b 64 dc 14 d4 dc e4-be 29 c4 a4 99 b8 da 15   .Kd......)......
    0030 - d1 09 c4 6b fc d0 61 c0-59 5e d8 e7 0a 40 31 ca   ...k..a.Y^...@1.
    0040 - 42 2d 00 9b ae fd e3 b1-50 5e 08 04 46 2c a7 b7   B-......P^..F,..
    0050 - 3b 8a 61 28 c1 23 37 5a-05 23 14 d3 45 91 40 d5   ;.a(.#7Z.#..E.@.
    0060 - b9 ae 3d 3c 6b 61 1b 5f-5e 7a 05 1a b9 10 ab 61   ..=<ka._^z.....a
    0070 - 09 b9 08 6c ab 5e 3b f7-15 7a 98 d5 91 b1 7c 7e   ...l.^;..z....|~
    0080 - a8 45 51 e3 74 24 35 40-ba 7c b8 e5 35 8e a4 22   .EQ.t$5@.|..5.."
    0090 - d4 47 63 59 d2 e2 c7 8b-d2 35 46 27 dc 2f 13 51   .GcY.....5F'./.Q
    00a0 - 6b 8f bf ba 16 0b 18 ae-e2 f0 e9 df 5a 79 56 a1   k...........ZyV.
    00b0 - 76 8d 4c 66 ef 16 07 fd-91 b5 5a f7 87 93 e6 b0   v.Lf......Z.....
    00c0 - ed e5 22 2b 26 9e 70 aa-39 4b 4c c0 c9 ff fc 83   .."+&.p.9KL.....
    00d0 - 22 f8 5c 4f 3c 91 04 c3-88 65 2a ec 6b 78 d0 16   ".\O<....e*.kx..

    Start Time: 1597841026
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 75A45FF3AAA8E24217131F365A8953BEA5FF6D2666A858ECF56F7219F33115DA
    Session-ID-ctx: 
    Resumption PSK: 043BB4F8848D3F069467B3638A887DE50B10A697BDA8D9A18180CC82ACF0D72C67B527AD8ADFC9BAD1DDF08E7C83808F
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 09 64 75 0e e1 89 54 b2-b8 43 89 59 36 88 88 cc   .du...T..C.Y6...
    0010 - c7 09 c9 47 b4 46 29 74-cb ff f6 a1 25 09 73 78   ...G.F)t....%.sx
    0020 - 84 1e 40 a7 40 61 19 39-58 ec 4b 34 20 c9 e7 3f   ..@.@a.9X.K4 ..?
    0030 - b7 21 1a 30 a7 cb ad c3-e4 53 dd f9 74 b6 4b 08   .!.0.....S..t.K.
    0040 - c9 7f 11 26 a0 77 3f f1-9a ff 58 2a f0 1f aa f9   ...&.w?...X*....
    0050 - 12 52 06 c9 08 25 9c 16-4e f2 f7 43 64 f2 3b 4d   .R...%..N..Cd.;M
    0060 - b1 dc c7 62 94 ce c8 91-1e 66 cb 0d 11 aa 37 3e   ...b.....f....7>
    0070 - 2a 63 14 ad 2d 00 bf 29-09 53 35 fd 33 52 98 5f   *c..-..).S5.3R._
    0080 - 82 5b fd 01 b1 bd 8c 22-81 76 d7 26 32 e7 0e e7   .[.....".v.&2...
    0090 - 9e bd a4 56 bc da 96 75-08 ce e3 76 9c 2d 6a b2   ...V...u...v.-j.
    00a0 - 81 02 70 74 5d e4 92 1a-94 ed 9e db c5 40 68 ff   ..pt]........@h.
    00b0 - 07 f3 f5 69 b5 cb 3b 88-20 7c 17 61 7c 72 be 95   ...i..;. |.a|r..
    00c0 - b9 d1 01 4e 6c 96 b0 4c-a0 30 e1 ae 7f 88 27 81   ...Nl..L.0....'.
    00d0 - 44 1c 7b 7f 23 d8 bc 57-21 df 92 8a af 49 d9 e6   D.{.#..W!....I..

    Start Time: 1597841026
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Edit:

Taking the answers into account, I decided to check whether SSL verification would succeed if the server supplied the chain. Based on the information Firefox shows about the website, I saved locally the intermediate certificate that Firefox uses for the site. With it, I successfully ran openssl verify on the server certificate. I conclude that my system has the necessary root certificate. Firefox probably uses the intermediate certificate as a workaround, cached from earlier use elsewhere.

$ openssl verify -show_chain -untrusted intermediate.pem server.pem
server.pem: OK
Chain:
depth=0: C = UA, postalCode = 04053, L = Kyiv, street = vul.Sichovykh Striltsiv 17, O = "Deposit Guarantee Fund, State Organisation", OU = IT, CN = *.fg.gov.ua (untrusted)
depth=1: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Organization Validation Secure Server CA (untrusted)
depth=2: C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

As a side note, I found that I can use ssl_no_verify: true in the urlwatch job configuration to skip verification.

Update:

I emailed the website's feedback line and pointed them to the RFC, as suggested in the answer. The website now works fine.

debian ssl
  • 2 answers
  • 1179 Views

2 Answers

  1. Best Answer
    garethTheRed
    2020-08-20T06:23:57+08:00

    Your server only sends one certificate - the one issued to it.

    However, it should send all the certificates in the chain. For further guidance, point your server administrator to RFC 5246 section 7.4.2, which clearly states that the chain should be sent, not just the end-entity certificate.

    As long as your client has the root CA certificate in its trust anchor store, it will use the intermediate and end-entity certificates presented in the TLS handshake to build the chain.

    Note that Windows clients can automatically obtain missing parent certificates of the chain by downloading them from the URL embedded in the Authority Information Access extension of the subordinate certificate. This is a kludge of a solution that often hides misconfigured web servers. Firefox refuses to do this.

  2. Jaap Joris Vens
    2020-08-20T06:08:35+08:00

    The reason (www.)fg.gov.ua works in Chromium and Firefox but not in Epiphany is that the issuer certificate (Sectigo RSA Organization Validation Secure Server CA) is trusted by the former two but not by the latter.

    Surprisingly, on Linux both Chromium and Firefox use Mozilla's root store. From https://www.chromium.org/Home/chromium-security/root-ca-policy:

    When running on Linux, Google Chrome uses the Mozilla Network Security Services (NSS) library to perform certificate verification. When packaged or built from source, NSS includes certificates that have been reviewed according to the Mozilla Root Certificate Program.

    Epiphany, however, does not include its own root store. Presumably it uses the certificates available under /etc/ssl/certs on most Linux distributions. I checked mine but could not find any root certificate from Sectigo:

    $ find /etc/ssl/certs -name '*Sectigo*'
    $ No results found.


    To fix this, you would need to add the correct certificate manually, or click the button labelled "Accept the risk and continue" ;)

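A way to check this yourself, as an added example that is not from the question or from either answer: a standard-library Python script that reads the certificates a server actually sent (saved from openssl s_client -showcerts), walks them leaf-first, and reports whether the chain ends at a self-signed certificate or at a root present in a local bundle such as /etc/ssl/certs/ca-certificates.crt. When it does not, it names the issuer the server failed to send and prints the caIssuers URL from that certificate's Authority Information Access extension, which is what the first answer says Windows-style clients download to paper over the gap. The file names chaincheck.py and chain.pem and the minimal DER walker are my own assumptions; the walker decodes only the X.509 fields this diagnosis needs.

```python
"""Diagnose an incomplete TLS certificate chain from a saved PEM file (hypothetical chaincheck.py).

Capture what the server actually sends, leaf first, then run the script:
    openssl s_client -connect fg.gov.ua:443 -showcerts </dev/null 2>/dev/null > chain.pem
    python3 chaincheck.py chain.pem /etc/ssl/certs/ca-certificates.crt
Standard library only; the minimal DER walker below covers just the X.509
fields this diagnosis needs (subject, issuer, Authority Information Access).
"""
import base64
import re
import sys

# Attribute OIDs mapped to the short names openssl prints in subject/issuer lines.
NAME_OIDS = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.9": "street", "2.5.4.10": "O", "2.5.4.11": "OU",
             "2.5.4.17": "postalCode"}
OID_AIA = "1.3.6.1.5.5.7.1.1"   # Authority Information Access extension
ACCESS_METHODS = {"1.3.6.1.5.5.7.48.1": "ocsp", "1.3.6.1.5.5.7.48.2": "ca_issuers"}


def der_children(buf):
    """Split the contents of a DER constructed value into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                      # long form: low bits = number of length octets
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER body into dotted form, e.g. 2.5.4.3."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(raw):
    """X.501 Name -> tuple of (attribute, value) pairs in encoded order."""
    pairs = []
    for _, rdn in der_children(raw):            # SEQUENCE OF RelativeDistinguishedName
        for _, atv in der_children(rdn):        # SET OF AttributeTypeAndValue
            (_, oid), (_, value) = der_children(atv)[:2]
            oid = decode_oid(oid)
            pairs.append((NAME_OIDS.get(oid, oid), value.decode("utf-8", "replace")))
    return tuple(pairs)


def name_to_str(name):
    """Render a name the way `openssl s_client` does, quoting values that contain commas."""
    return ", ".join(f'{k} = "{v}"' if "," in v else f"{k} = {v}" for k, v in name)


def parse_certificate(der):
    """Return subject, issuer and AIA URLs of one DER-encoded certificate."""
    tbs = der_children(der_children(der)[0][1])[0][1]   # Certificate -> tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional explicit [0] version
        fields = fields[1:]
    # fields: serial, signatureAlgorithm, issuer, validity, subject, SPKI, optionals...
    info = {"subject": decode_name(fields[4][1]), "issuer": decode_name(fields[2][1]),
            "ca_issuers": [], "ocsp": []}
    for tag, body in fields[5:]:
        if tag != 0xA3:                         # [3] extensions
            continue
        for _, ext in der_children(der_children(body)[0][1]):
            items = der_children(ext)           # extnID, [critical], extnValue
            if decode_oid(items[0][1]) != OID_AIA:
                continue
            for _, desc in der_children(der_children(items[-1][1])[0][1]):
                (_, method), (loc_tag, loc) = der_children(desc)
                key = ACCESS_METHODS.get(decode_oid(method))
                if key and loc_tag == 0x86:     # [6] uniformResourceIdentifier
                    info[key].append(loc.decode("ascii"))
    return info


def load_pem_chain(text):
    """DER bytes of every certificate in a PEM file, in file order (s_client writes leaf first)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def analyse_chain(ders, trusted_subjects=frozenset()):
    """Walk the presented chain leaf-first and say whether it reaches a trust anchor.

    trusted_subjects holds the subject names of the client's root store. The chain is
    complete when the last certificate sent is self-signed or was issued by one of those
    roots; otherwise its issuer is missing and the AIA caIssuers URL says where a
    fetching client would look for it.
    """
    certs = [parse_certificate(d) for d in ders]
    for cur, nxt in zip(certs, certs[1:]):
        if cur["issuer"] != nxt["subject"]:     # chain breaks here; report what is missing
            return {"complete": False, "missing_issuer": cur["issuer"], "fetch_from": cur["ca_issuers"]}
    last = certs[-1]
    if last["issuer"] == last["subject"] or last["issuer"] in trusted_subjects:
        return {"complete": True, "missing_issuer": None, "fetch_from": []}
    return {"complete": False, "missing_issuer": last["issuer"], "fetch_from": last["ca_issuers"]}


if __name__ == "__main__":
    chain = load_pem_chain(open(sys.argv[1]).read())
    roots = frozenset()                         # subjects of locally trusted roots, if a bundle is given
    if len(sys.argv) > 2:
        roots = frozenset(parse_certificate(d)["subject"]
                          for d in load_pem_chain(open(sys.argv[2]).read()))
    for i, der in enumerate(chain):
        cert = parse_certificate(der)
        print(f"{i} s:{name_to_str(cert['subject'])}\n  i:{name_to_str(cert['issuer'])}")
    verdict = analyse_chain(chain, roots)
    if verdict["complete"]:
        print("chain reaches a trust anchor")
    else:
        print("chain incomplete; server did not send:", name_to_str(verdict["missing_issuer"]))
        print("AIA caIssuers URL a fetching client would download:", verdict["fetch_from"])
```

Fed the single certificate from the question, the script reports the chain incomplete, names the Sectigo intermediate as the issuer that was not sent, and prints its caIssuers URL; that is the same condition openssl reports as "unable to verify the first certificate" (verify return code 21). Passing the system bundle as the second argument answers the question's "is it my system?" part: if the bundle contains the subject of the root the chain should end at, the fault is on the server side, exactly as the question's later openssl verify -untrusted test confirmed.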
