I'm new to setting up SSL from scratch and have just taken my first steps. I bought an SSL certificate for my domain from RapidSSL and installed it following their instructions. The certificate is valid and works on my web server (nginx v1.4.6, Ubuntu 14.04.1 LTS) as such, but as soon as I try to enable OCSP stapling, the following error shows up in my nginx error.log:

```
OCSP_basic_verify() failed (SSL: error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:Verify error:unable to get local issuer certificate) while requesting certificate status, responder: gv.symcd.com
```

I also tried it from the command line with this command:

```
openssl s_client -connect mydomain.tld:443 2>&1 </dev/null
```

and got the "same" error:

```
[...] SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583991 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate)
```

But if I download the GeoTrust root certificate and try it with the following command:

```
openssl s_client -connect mydomain.tld:443 -CAfile GeoTrust_Global_CA.pem 2>&1 </dev/null
```

the verification is OK:

```
[...] SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 [...] Start Time: 1411583262 Timeout : 300 (sec) Verify return code: 0 (ok)
```

So the GeoTrust root certificate is either not found or not being served.
My nginx site configuration:

```
server {
    listen 443;
    server_name mydomain.tld;
    ssl on;
    ssl_certificate /etc/ssl/certs/ssl.crt;
    ssl_certificate_key /etc/ssl/private/ssl.key;
    # Resumption
    ssl_session_cache shared:SSL:20m;
    # Timeout
    ssl_session_timeout 10m;
    # Security options
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    # OCSP Stapling
    # It means that you sent status info about your certificate along with the request,
    # instead of making the browser check the certificate with the Certificate Authority.
    # This removes a large portion of the SSL overhead, the CloudFlare post above explains it in more detail.
    ssl_stapling on;
    ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/ssl/certs/ssl.pem;
    #resolver 8.8.8.8 8.8.4.4 valid=300s;
    #resolver_timeout 10s;
    # This forces every request after this one to be over HTTPS
    add_header Strict-Transport-Security "max-age=31536000";
    [...]
}
```
RapidSSL writes in its documentation that I should add the following certificates to ssl.crt, in this order:

- myserver.crt
- Intermediate CA bundle (RapidSSL SHA256 CA - G3)
- Intermediate CA bundle (GeoTrust Global CA)

Which is what I did...

Now I have no idea what I'm doing wrong... I hope someone here can help me.

Thanks!
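A way to reproduce the verify error locally and see which file the verifier is missing, as an added example (not from the question, RapidSSL or nginx). It assumes only the openssl CLI (1.1.1 or newer) and builds a throw-away root/intermediate/leaf hierarchy standing in for GeoTrust Global CA, the RapidSSL intermediate and myserver.crt; the file names under `$WORK` are constructed for the example:

```shell
#!/bin/sh
# Added example (not from the question): rebuild the verify failure in a throw-away PKI.
# Assumes only the openssl CLI (1.1.1 or newer); every key and certificate is constructed here.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# csr NAME SUBJECT: fresh key plus certificate request under $WORK
csr() { openssl req -newkey rsa:2048 -nodes -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null; }

# root -> intermediate -> leaf, standing in for GeoTrust Global CA -> RapidSSL CA -> myserver.crt
make_test_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
  csr root '/CN=Test Root CA'
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  csr int '/CN=Test Intermediate CA'
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  csr leaf '/CN=mydomain.tld'
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -days 2 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # ssl.crt as RapidSSL describes it: server certificate first, then the intermediate
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/ssl.crt"
  # what ssl_stapling_verify needs in ssl_trusted_certificate: the intermediate(s) plus the root
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/trusted.pem"
}

# verify_site CAFILE: check the served chain the way s_client does. CAFILE may be ""
# (system trust store only). Prints "ok", or the OpenSSL reason text on failure.
verify_site() {
  cafile=$1
  set --
  [ -n "$cafile" ] && set -- -CAfile "$cafile"
  if out=$(openssl verify "$@" -untrusted "$WORK/ssl.crt" "$WORK/leaf.pem" 2>&1); then
    echo ok
  else
    echo "$out" | grep -o 'unable to get local issuer certificate' | head -n 1
  fi
}

make_test_chain
verify_site ""                    # -> unable to get local issuer certificate (s_client verify code 20)
verify_site "$WORK/root.pem"      # -> ok (the -CAfile GeoTrust_Global_CA.pem case)
verify_site "$WORK/trusted.pem"   # -> ok
```

The `trusted.pem` built here has the shape `ssl_trusted_certificate` needs when `ssl_stapling_verify on` is set: the issuing chain up to the root, not the server certificate itself.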