Relk's Work Notes

An SRE (Service Restart Engineer) adrift in the Cloud-Native ocean


[Debugging] SSL Certificate Troubleshooting Notes

  1. Use the openssl CLI to connect to the target domain and dump what the server actually presents (add `-showcerts` if you want every certificate the server sends printed in PEM form, which is the fastest way to see whether an intermediate is missing):

    openssl s_client -connect example.com:443
  2. Review the output. It shows the Certificate chain, Server certificate, Verification and SSL handshake sections. Here the server presents only the leaf certificate (depth 0), whose issuer is the Go Daddy intermediate, but nothing at depth 1, so the client cannot build a path to a trusted root:

    ---
    Certificate chain
    0 s:OU = Domain Control Validated, CN = *.example.com
    i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
    ---
    SSL handshake has read 2283 bytes and written 420 bytes
    Verification error: unable to verify the first certificate
    ---
  3. From the output we know the certificate chain is broken: the server never sends the intermediate, so the client cannot verify the leaf against its upstream issuer. Re-combine the domain cert and the intermediate cert bundle with the command below. Order matters: the leaf certificate must come first, followed by the intermediate(s), because the server sends the file in order and the client treats the first certificate as the server certificate.

    cat domain.crt gd_bundle-g2-g1.crt > combined_domain.crt
  4. Replace the certificate on the web server with the combined file (for nginx this is the file named in `ssl_certificate`; the private key stays unchanged) and test again. The chain is now complete: the leaf at depth 0 is followed by the intermediate, the G2 root and the cross-signed Class 2 root from the bundle, and verification succeeds:

    ---
    Certificate chain
    0 s:OU = Domain Control Validated, CN = *.example.com
    i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
    1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
    i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    3 s:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    i:C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    ---
    SSL handshake has read 5709 bytes and written 420 bytes
    Verification: OK
    ---
