[Debugging] SSL Certificate Troubleshooting Notes
Use the openssl CLI to test the target domain:
openssl s_client -connect example.com:443
Examine the output; it shows information such as the Certificate chain, Server certificate, Verification, and SSL handshake:
---
Certificate chain
0 s:OU = Domain Control Validated, CN = *.example.com
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
---
SSL handshake has read 2283 bytes and written 420 bytes
Verification error: unable to verify the first certificate
---
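From the output we know that the certificate chain is broken, so the upstream issuer cannot be verified. Use the following command to merge the domain cert and the intermediate cert again: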
cat domain.crt gd_bundle-g2-g1.crt > combined_domain.crt
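A check that can be run on combined_domain.crt before installing it, added here as an example (it is not from the original post): it prints each certificate in the same layout as the s_client "Certificate chain" block and flags a file whose issuer and subject names do not link, or that contains no intermediate. The function names check_bundle and cert_name are made up for this example, and the comparison is by name only; it does not verify signatures or validity dates.

```shell
#!/bin/sh
# Added example: pre-deployment check of a combined certificate file.
# Compares issuer/subject names only; no signature or expiry checks.

# Print the subject or issuer ($1) of the first certificate in file $2.
cert_name() {
  openssl x509 -in "$2" -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# check_bundle FILE
#   0: leaf-first order, every issuer matches the next subject
#   1: chain is broken, misordered, or has no intermediate
#   2: no certificate found in FILE
check_bundle() {
  dir=$(mktemp -d) || return 2
  # Split the bundle into 1.pem, 2.pem, ... in file order.
  awk -v d="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on { print > (d "/" n ".pem") }
    /-----END CERTIFICATE-----/ { on = 0 }' "$1"
  n=$(($(ls "$dir" | wc -l)))
  i=1; rc=0; prev_iss=
  while [ "$i" -le "$n" ]; do
    subj=$(cert_name subject "$dir/$i.pem")
    iss=$(cert_name issuer "$dir/$i.pem")
    # Same "N s: / i:" layout as the s_client output.
    printf '%d s:%s\n  i:%s\n' "$((i - 1))" "$subj" "$iss"
    if [ "$i" -gt 1 ] && [ "$prev_iss" != "$subj" ]; then
      echo "BROKEN: issuer of cert $((i - 2)) is not cert $((i - 1))" >&2
      rc=1
    fi
    prev_iss=$iss
    i=$((i + 1))
  done
  rm -rf "$dir"
  [ "$n" -gt 0 ] || return 2
  # A lone certificate that is not self-signed is the failure on this page.
  if [ "$n" -eq 1 ] && [ "$subj" != "$iss" ]; then
    echo "INCOMPLETE: no intermediate certificate in bundle" >&2
    rc=1
  fi
  return $rc
}
```

Run it as check_bundle combined_domain.crt; an exit status of 0 means the names in the file link from the domain cert upward.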
On the web server, replace the certificate with the combined one. After retesting, you can see that the certificate chain is connected again:
---
Certificate chain
0 s:OU = Domain Control Validated, CN = *.example.com
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
---
SSL handshake has read 5709 bytes and written 420 bytes
Verification: OK
---