Edit: solved by the good people on the Let's Encrypt forum. There was an extra space between two of the certificates in my certificate chain, which managed to break everything. Leaving this here for anyone else, and future me, who may run into this.
I wrote the server and client for a CLI chat program in Python and deployed it with Ansible, Terraform and Docker. To secure it, I generated a certificate from Let's Encrypt, but when verification is enabled the client keeps failing with "unable to get local issuer certificate". Apparently this is usually caused by not including the full certificate chain, but as you can see in this openssl s_client output, all the certificates are present:
openssl s_client -connect $hostname:12345
CONNECTED(00000003)
depth=0 CN = $hostname
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = $hostname
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = $hostname
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = $hostname
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3260 bytes and written 387 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: DD92F8B78D366FDDAD916309267D6FD0CBB8E67D9E5F1CCA9169C8C66055696C
Session-ID-ctx:
Resumption PSK: DD250254F9F199AD9117C4FE70AE9C246020D05896F12BE962912B46BD6C689A5A1F4F6943ADCBF270A8E46BA459D333
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1621755879
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 8A4D19F77A1D7FBF838C7F8293A66E81BC053C7BF09AB240686BBD6C05EEC46F
Session-ID-ctx:
Resumption PSK: 102D108EBC577EA1B9FBF72E71FA908767BCC7F755AA766384C772F6FE4016A079CEDF3169329B4557DA2678F2855577
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Start Time: 1621755879
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
Max Early Data: 0
---
This is the context that loads the certificate on the server:
self.context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) # Context wrapper to apply TLS over sockets
self.context.load_cert_chain(certfile='acme_chain.pem', keyfile="acme_key.pem")
Edit to add: the chain that the Terraform ACME module I'm using gives me is 3 certificates long, providing me with the site certificate, the Let's Encrypt certificate and the ISRG Root X1 certificate, plus a key pem file. Is the DST Root CA the missing certificate? If so, I'll have to file a bug report and find another ACME client.
That can't be it. Conveniently, they have exactly the same chain, with only 3 certificates.
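Since the edit says the cause was stray whitespace between the PEM blocks, here is an added diagnostic (not from the question, the Terraform ACME module or any library) that lints a chain file the way a strict PEM reader sees it: boundary lines must match exactly, body lines must be clean base64, and each block must decode to a DER SEQUENCE. The sample chain is constructed, with a tiny DER SEQUENCE standing in for each real certificate.

```python
import base64
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"[A-Za-z0-9+/]+=*")

# Constructed sample: a minimal DER SEQUENCE stands in for each real certificate.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()  # "MAMCAQE="
GOOD_CHAIN = f"{BEGIN}\n{FAKE_DER_B64}\n{END}\n" * 3
BAD_CHAIN = GOOD_CHAIN.replace(END, END + " ", 1)  # stray space after the first END, as in the question

def lint_pem_chain(text: str):
    """Return (problems, cert_count). Flags what makes a PEM reader stop early:
    whitespace on a boundary line, bad characters in the base64 body, text
    between blocks, or a body that is not a DER SEQUENCE (first byte 0x30)."""
    problems, count, body = [], 0, None
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == BEGIN:
            if line != BEGIN:
                problems.append(f"line {no}: whitespace around BEGIN line")
            body = []
        elif stripped == END:
            if body is None:
                problems.append(f"line {no}: END without BEGIN")
                continue
            if line != END:
                problems.append(f"line {no}: whitespace around END line")
            try:
                der = base64.b64decode("".join(body), validate=True)
                if not der.startswith(b"\x30"):
                    problems.append(f"line {no}: body is not a DER SEQUENCE")
            except ValueError:
                problems.append(f"line {no}: body is not valid base64")
            count, body = count + 1, None
        elif body is not None:
            if line != stripped or not B64_LINE.fullmatch(stripped):
                problems.append(f"line {no}: bad base64 body line")
            body.append(stripped)
        elif stripped:
            problems.append(f"line {no}: text outside a certificate block")
    if body is not None:
        problems.append("file ends inside an open block")
    if count == 0:
        problems.append("no certificate blocks found")
    return problems, count

if __name__ == "__main__":
    print(lint_pem_chain(GOOD_CHAIN))  # ([], 3)
    print(lint_pem_chain(BAD_CHAIN))   # (['line 3: whitespace around END line'], 3)
```

Run it against the chain file handed to load_cert_chain: a clean file reports no problems and a count equal to the number of certificates you expect, and any reported line number points at the exact place a PEM parser would silently stop reading the chain.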