This article explains how to deal with ERR_SSL_SERVER_CERT_BAD_FORMAT in Chromium 6.3.

Problem description

I am using my own CA and have created a certificate for the HTTPS server. I have installed the root CA certificate through this set of instructions and this set of instructions.

The openssl s_client verifies the SSL certificate when I connect to my website and give it the CApath to /etc/ssl/certs/

But Chromium complains with an ERR_SSL_SERVER_CERT_BAD_FORMAT when I try to connect.

I am currently lost as to how to see what specifically is causing Chromium to block my website. When I go into Chromium's settings and view the installed root CA certificates, my root CA is present.

I have a suspicion it could be a missing field in the X509v3 extension. The output of openssl x509 -text -in https-server.crt:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, ST = Pennsylvania, CN = expandingdev.l5.ca
        Validity
            Not Before: Dec  6 03:05:24 2017 GMT
            Not After : Dec  6 03:05:24 2019 GMT
        Subject: C = US, ST = Pennsylvania, CN = tseng.l5.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:7a:00:cf:e9:55:8d:ec:48:cc:00:57:e3:b5:
                    30:c4:a3:95:75:c4:a7:12:c8:11:91:d6:51:c3:9f:
                    45:56:5b:f2:25:36:fb:32:e5:d3:76:44:90:ba:f9:
                    20:1b:65:09:0a:63:a2:d7:7a:14:7d:ba:a6:24:fa:
                    dc:82:51:3b:32:6c:f1:3a:fb:4d:e4:1c:65:74:95:
                    4e:a6:bf:cb:49:f8:95:31:3a:d4:7a:90:09:d5:7c:
                    8c:90:d3:5a:10:a0:23:aa:22:75:84:19:dc:a7:ba:
                    ec:c4:fa:94:fb:12:b3:d4:b1:bc:66:7e:e8:43:a0:
                    d2:f8:f2:6d:00:3c:ef:43:f6:8b:9d:6b:7b:43:84:
                    8a:fb:f6:97:c8:18:59:2d:b2:4b:3c:ff:03:f7:90:
                    2a:d6:32:44:3d:08:52:e9:1d:34:9a:67:6c:a4:62:
                    3a:d9:78:bf:10:b1:63:38:b1:8d:25:a4:11:c3:6a:
                    c6:19:c0:59:1b:ac:0b:41:60:48:f1:fc:6b:e7:9d:
                    c9:5b:b8:fb:cc:03:94:0c:b2:18:80:46:f2:df:c2:
                    c7:ce:49:85:00:9d:8a:73:95:af:5f:aa:5d:88:11:
                    46:9f:ff:6f:67:17:04:d1:d6:12:a3:f0:5a:56:34:
                    1f:ec:a7:d0:3f:a3:df:f4:22:04:db:4f:ec:0c:cf:
                    83:67
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:tseng.l5.ca, DNS:localhost
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                C9:D8:8B:23:17:C2:BA:3F:35:0A:69:7C:73:5B:B9:98:54:09:79:F7
    Signature Algorithm: sha256WithRSAEncryption
         00:b0:89:0a:f0:67:e3:3d:72:ec:5a:58:04:b2:a1:5d:d7:fb:
         69:1d:e7:30:2f:04:f1:48:3c:55:a8:e9:1f:a6:3f:c9:98:37:
         1b:72:94:52:04:47:51:a0:0e:5a:36:7e:16:c7:2f:d0:37:cb:
         0e:3d:3d:bc:8b:b0:31:46:91:92:d0:19:59:38:29:eb:c3:39:
         5f:93:aa:07:6a:3d:c2:37:b9:45:5d:33:06:91:7f:e5:c6:59:
         9d:69:3a:59:f5:73:c1:61:67:95:cc:33:5c:46:25:eb:27:fc:
         5c:f9:cd:ce:a7:08:05:03:cb:3c:5f:ad:1f:89:7f:be:38:fd:
         43:84:94:fe:0e:6e:47:52:aa:0b:bf:f0:d6:e3:34:c6:80:6c:
         7a:c7:33:25:a1:e0:b2:23:c5:85:b8:a4:e8:de:c2:2f:ca:3f:
         f5:5f:21:b3:f8:c0:f1:d9:9e:8f:c4:b5:a2:fa:33:8b:33:69:
         f6:bb:fb:7c:e1:06:e9:98:f5:2c:70:c7:ef:72:fd:2e:c4:c4:
         f4:6a:1d:5d:46:be:4c:ec:07:fd:79:20:56:51:b1:cf:87:76:
         bf:54:27:82:95:a2:2e:33:0d:6d:78:0f:7a:d3:bd:70:06:35:
         b8:ac:d2:d1:79:78:64:80:b1:77:75:5a:6e:b2:ae:1d:c2:72:
         7f:99:3f:63
-----BEGIN CERTIFICATE-----
MIIDQDCCAigCAQEwDQYJKoZIhvcNAQELBQAwQTELMAkGA1UEBhMCVVMxFTATBgNV
BAgMDFBlbm5zeWx2YW5pYTEbMBkGA1UEAwwSZXhwYW5kaW5nZGV2Lmw1LmNhMB4X
DTE3MTIwNjAzMDUyNFoXDTE5MTIwNjAzMDUyNFowOjELMAkGA1UEBhMCVVMxFTAT
BgNVBAgMDFBlbm5zeWx2YW5pYTEUMBIGA1UEAwwLdHNlbmcubDUuY2EwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC4egDP6VWN7EjMAFfjtTDEo5V1xKcS
yBGR1lHDn0VWW/IlNvsy5dN2RJC6+SAbZQkKY6LXehR9uqYk+tyCUTsybPE6+03k
HGV0lU6mv8tJ+JUxOtR6kAnVfIyQ01oQoCOqInWEGdynuuzE+pT7ErPUsbxmfuhD
oNL48m0APO9D9ouda3tDhIr79pfIGFktsks8/wP3kCrWMkQ9CFLpHTSaZ2ykYjrZ
eL8QsWM4sY0lpBHDasYZwFkbrAtBYEjx/GvnnclbuPvMA5QMshiARvLfwsfOSYUA
nYpzla9fql2IEUaf/29nFwTR1hKj8FpWNB/sp9A/o9/0IgTbT+wMz4NnAgMBAAGj
TzBNMCEGA1UdEQQaMBiCC3RzZW5nLmw1LmNhgglsb2NhbGhvc3QwCQYDVR0TBAIw
ADAdBgNVHQ4EFgQUydiLIxfCuj81Cml8c1u5mFQJefcwDQYJKoZIhvcNAQELBQAD
ggEBAACwiQrwZ+M9cuxaWASyoV3X+2kd5zAvBPFIPFWo6R+mP8mYNxtylFIER1Gg
Dlo2fhbHL9A3yw49PbyLsDFGkZLQGVk4KevDOV+TqgdqPcI3uUVdMwaRf+XGWZ1p
Oln1c8FhZ5XMM1xGJesn/Fz5zc6nCAUDyzxfrR+Jf744/UOElP4ObkdSqgu/8Nbj
NMaAbHrHMyWh4LIjxYW4pOjewi/KP/VfIbP4wPHZno/EtaL6M4szafa7+3zhBumY
9Sxwx+9y/S7ExPRqHV1GvkzsB/15IFZRsc+Hdr9UJ4KVoi4zDW14D3rTvXAGNbis
0tF5eGSAsXd1Wm6yrh3Ccn+ZP2M=
-----END CERTIFICATE-----

I am running Chromium Version 63.0.3239.84 (Developer Build) built on Debian 9.3, running on Debian 9.3 (64-bit). I am also getting this error on my Android 6.0 phone when browsing via Google Chrome.

Why is Chromium complaining and not letting me proceed to my website?

Website:

CA certificate:

Recommended answer

    Version: 1 (0x0)
    ...
    X509v3 extensions:
        X509v3 Subject Alternative Name:

I have no idea how you created this certificate. But essentially you've created an X509.1 certificate with X509v3 extensions. But these extensions are only valid for X509.3 and not X509.1 certificates. That's why Chrome correctly complains about an invalid certificate.
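
The mismatch the answer describes can be checked directly in the DER encoding: the optional `[0]` version field is absent (so the version defaults to 1) while the `[3]` extensions field is present. The following is an added example, not part of the original question or answer; the function names are hypothetical, and the sample inputs are constructed skeletons with empty placeholder fields, not real certificates.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def check_version_vs_extensions(der):
    """Return (version, has_extensions, consistent) for a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = children(children(cert)[0][1])  # fields of TBSCertificate
    version = 1  # the [0] version field is optional and defaults to v1
    if fields and fields[0][0] == 0xA0:  # [0] EXPLICIT INTEGER: 0, 1, 2 = v1, v2, v3
        version = int.from_bytes(read_tlv(fields[0][1], 0)[1], "big") + 1
    has_ext = any(t == 0xA3 for t, _ in fields)  # [3] EXPLICIT Extensions
    return version, has_ext, (not has_ext) or version == 3

def tlv(tag, content=b""):
    """Encode one short-form DER element (enough for the samples below)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def skeleton(with_version, with_ext):
    """Constructed sample: certificate layout with empty placeholder fields."""
    tbs = [tlv(0xA0, tlv(0x02, b"\x02"))] if with_version else []
    tbs.append(tlv(0x02, b"\x01"))  # serialNumber 1
    tbs += [tlv(0x30)] * 5  # signature, issuer, validity, subject, public key
    if with_ext:
        tbs.append(tlv(0xA3, tlv(0x30)))
    return tlv(0x30, tlv(0x30, b"".join(tbs)) + tlv(0x30) + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for name, args in [("v1 + extensions", (False, True)), ("v3 + extensions", (True, True))]:
        print(name, check_version_vs_extensions(skeleton(*args)))
```

To check a real file, pass `ssl.PEM_cert_to_DER_cert(open("https-server.crt").read())` to `check_version_vs_extensions`, assuming the file contains only the PEM block.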
