不知何故,今天我的 Seafile 用戶端突然拋出了這個錯誤。我不相信這是一個 Seafile 問題,因為我的 openssl 拋出了完全相同的錯誤:
user@nb-user:~$ echo |openssl s_client -connect seafile.mydomain.ch:443
CONNECTED(00000003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 2 Primary Intermediate Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/description=5RygJ9fx8e2SBLzw/C=CH/ST=Thurgau/L=Frauenfeld/O=mydomain GmbH/CN=*.mydomain.ch/[email protected]
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGqzCCBZOgAwIBAgIDAjmGMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
[... some more lines]
-----END CERTIFICATE-----
subject=/description=5RygJ9fx8e2SBLzw/C=CH/ST=Thurgau/L=Frauenfeld/O=mydomain GmbH/CN=*.mydomain.ch/[email protected]
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3997 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 96E1F6B9E123F8F8C1C1E8FB0DBACDBBE76ECB3E2CF5C46C1FD2CF46833C8212
Session-ID-ctx:
Master-Key: 25837E1786B0CC60E676D0694319641CD0887F9CAF48A820F1C0D6ABA6FDE0742551816ACD2A4885B0D3FC143716B1F6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 88 15 c0 c5 30 04 63 d6-ff 7c 72 c4 12 84 7b d6 ....0.c..|r...{.
0010 - 73 33 8d 91 7c da ce 22-23 d0 31 fb c1 7f 1c 9c s3..|.."#.1.....
[... some more lines]
Start Time: 1424953937
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
對我來說,鏈條部分看起來正是它應該有的樣子。 apacheconf 也應該沒問題:
root@i-can-haz-data ~ # cat /etc/apache2/sites-enabled/seafile.conf
<VirtualHost *:443>
ServerName seafile.mydomain.ch
DocumentRoot /opt/seafile/www
[... seafile specific things]
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/custom/wildcardmydomain.ch.crt
SSLCertificateKeyFile /etc/ssl/custom/wildcardmydomain.ch.key
SSLCertificateChainFile /etc/ssl/custom/wildcardmydomain.ch.chain.crt
[... seafile specific things]
</VirtualHost>
我找不到我的問題是什麼...(ca-certificates 安裝在我的 lubuntu 14.04 上)。他們的網站不適用,因為他們連結了他們的 1 類證書,但我的證書是由他們的 2 類證書頒發的。
答案1
verify error:num=20:unable to get local issuer certificate
OpenSSL 的此錯誤表示程式無法驗證憑證的頒發者或所提供鏈的最頂層憑證。在某些情況下可能會發生這種情況,例如:
- 憑證的憑證鏈不是由另一方提供的,或者它沒有憑證鏈(它是自簽署的)。
- 根憑證不在受信任根憑證的本機資料庫中。
未提供受信任根憑證的本機資料庫,因此 OpenSSL 不會查詢該資料庫。若要明確給予證書的路徑,請使用
-CApath或-CAfile選項。對於 Debian 和 Ubuntu,例如:-CApath /etc/ssl/certs/ -CAfile /etc/ssl/certs/ca-certificates.crt從而導致
openssl s_client -connect example.com:443 -CApath /etc/ssl/certs/ openssl s_client -connect example.com:443 -CAfile /etc/ssl/certs/ca-certificates.crt
後者需要更多資訊。有一個開啟 Ubuntu 中 OpenSSL 的錯誤報告自2009年以來:
使用 -CApath 似乎將 -CAfile 設為 /etc/ssl/certs/ca-certificates.crt 的預設值。
無論您給出什麼路徑 by -CApath,它都可能有效,因為-CAfile也設定為其預設值(之前為空)。所以,不要依賴 OpenSSL 驗證憑證的預設行為透過本地證書資料庫,它可能是假的!