Gitlab-Server certificate is invalid for the Subject Alternative Name

My company has a certificate for https://data.ddl.at which carries a SAN (Subject Alternative Name) of gitlab.ddl.at. This GitLab server is internal; the domain can only be resolved by our internal DNS server. For reference, there is also the SAN https://sicher.ddl.at, which is public and validates fine in the browser.

I have configured this certificate on the Gitlab-Server, and when I go to gitlab.ddl.at the certificate is validated by the browser and treated as valid.

The problem appears when I try to use Gitlab-Runner. I installed and registered one on another machine; after some initial trouble I got it to connect to the main instance, but jobs still cannot check out submodules, and the runner gets server certificate verification failed.

Now I think this is the underlying symptom of the problem: if I run openssl s_client -connect data.ddl.at:443, I get:

CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = FN 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Str. 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = FN 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Str. 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
[...]

And at the end: Verify return code: 0 (ok)

Now, when I run openssl s_client -connect gitlab.ddl.at:443, I get:

CONNECTED(00000005)
depth=0 businessCategory = Private Organization, serialNumber = 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Stra\C3\9Fe 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 businessCategory = Private Organization, serialNumber = 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Stra\C3\9Fe 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:businessCategory = Private Organization, serialNumber = 374566h, jurisdictionC = AT, jurisdictionL = Wels, jurisdictionST = Oberoesterreich, C = AT, ST = Oberoesterreich, L = Ruestorf, street = Erwin Greiner-Stra\C3\9Fe 4, OU = GIS, O = DDL GmbH, CN = data.ddl.at
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
---
Server certificate
[...]

The first error is unable to get local issuer certificate.

I also tried the publicly accessible sicher.ddl.at, but I get the same error as with gitlab.ddl.at.

The certificate it receives is for data.ddl.at, but it has the SAN gitlab.ddl.at; shouldn't that make it valid? What am I doing wrong?

Answer 1

It looks like the server gitlab.ddl.at is missing the issuer certificate.

If the client and server do not have the correct root and intermediate certificates, you may run into verification errors.

I always make sure the full chain is installed on the server, so that every client can obtain all the certificates in the chain.

You have a few options.

  1. Export the full chain from data.ddl.at, then import it into gitlab.ddl.at

  2. Use a tool such as OpenSSL to combine the chain into a single certificate file, then install it on gitlab.ddl.at

  3. Install all of the certificates in the chain on the server.
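The two openssl s_client transcripts in the question and the diagnosis in this answer can be checked mechanically. The following Python script is an added example, not code from the question, the answer or GitLab; it parses the "Certificate chain" and "verify error" lines that openssl s_client prints, reports whether the server sent a complete chain (each certificate followed by its issuer), and separately checks whether a hostname matches a certificate's SAN list the way modern clients do (SAN dNSName entries only; the CN is not consulted when SANs are present). The two transcripts and the SAN list are constructed from what the question shows, with the long DN fields shortened; they are samples, not real captures.

```python
import re
from typing import List, Tuple

# Constructed sample: the gitlab.ddl.at transcript from the question (DNs shortened).
SAMPLE_BROKEN = """CONNECTED(00000005)
depth=0 O = DDL GmbH, CN = data.ddl.at
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = DDL GmbH, CN = data.ddl.at
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:O = DDL GmbH, CN = data.ddl.at
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
---
Server certificate
"""

# Constructed sample: the data.ddl.at transcript from the question (DNs shortened).
SAMPLE_OK = """CONNECTED(00000005)
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
verify return:1
depth=0 O = DDL GmbH, CN = data.ddl.at
verify return:1
---
Certificate chain
 0 s:O = DDL GmbH, CN = data.ddl.at
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
   i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
---
Server certificate
"""

# Constructed SAN list; the real certificate's SANs are not fully listed in the question.
SAMPLE_SANS = ["data.ddl.at", "gitlab.ddl.at", "sicher.ddl.at"]

# " 0 s:<subject>" followed on the next line by "   i:<issuer>"
CHAIN_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)
VERIFY_RE = re.compile(r"^verify error:num=(\d+):(.*)$", re.MULTILINE)


def parse_chain(output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_RE.finditer(output)]


def verify_errors(output: str) -> List[int]:
    """OpenSSL X509_V_ERR numbers reported during verification, in order."""
    return [int(m.group(1)) for m in VERIFY_RE.finditer(output)]


def diagnose(output: str) -> str:
    """Classify an s_client transcript: ok, missing-intermediate, or other failure."""
    chain = parse_chain(output)
    errs = verify_errors(output)
    if not chain:
        return "no-chain"
    # TLS requires each sent certificate to be followed by the one that issued it.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "out-of-order"
    last_subject, last_issuer = chain[-1]
    if 20 in errs and last_subject != last_issuer:
        # Error 20: the verifier found no issuer for the last certificate it saw.
        if len(chain) == 1:
            return "missing-intermediate"      # server sent only the leaf certificate
        return "untrusted-or-incomplete-chain"  # root not in local store, or more CAs missing
    if errs:
        return "verify-error:" + ",".join(str(e) for e in errs)
    return "ok"


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive exact match, or one left-most wildcard label."""
    host = hostname.lower().rstrip(".")
    for name in san_dns_names:
        n = name.lower().rstrip(".")
        if n == host:
            return True
        if n.startswith("*."):
            h_labels, n_labels = host.split("."), n.split(".")
            # Wildcard covers exactly one label and must not match a public-suffix-like name.
            if len(h_labels) == len(n_labels) >= 3 and h_labels[1:] == n_labels[1:]:
                return True
    return False


if __name__ == "__main__":
    for label, sample in (("data.ddl.at", SAMPLE_OK), ("gitlab.ddl.at", SAMPLE_BROKEN)):
        print(label, "->", diagnose(sample), "| chain length", len(parse_chain(sample)))
    print("gitlab.ddl.at matches SAN list:", hostname_matches("gitlab.ddl.at", SAMPLE_SANS))
```

Running it against the two transcripts yields "ok" for data.ddl.at and "missing-intermediate" for gitlab.ddl.at, which is the answer's point: the SAN does match (hostname_matches is true), but the second server sends only the leaf, so a client without the GlobalSign intermediate in its local store cannot build a path to the root. Browsers often hide this because they cache or fetch intermediates (AIA), while git on the runner does not, hence the browser passing and the submodule checkout failing. On nginx-based servers such as an Omnibus GitLab install, the certificate file must contain the leaf followed by the intermediate(s), because nginx sends exactly what is in that file. When re-testing, pass -servername to s_client as well, since a server hosting several names may otherwise return its default certificate.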
