
Fixing the certificate chain error caused by Let's Encrypt's new intermediate certificate

稗田千秋
Apr.01 2016 daily

Last night before bed I idly opened my blog and suddenly saw a NET::ERR_CERT_DATE_INVALID warning; after getting up I started looking for a fix.

I first checked the logs and found that a crontab job renewing the Let's Encrypt certificate had run in the small hours:

Certificate signed!
--2016-04-01 00:00:14--  https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem
Resolving letsencrypt.org (letsencrypt.org)... 23.34.107.238, 2600:140b:1:18e::2a1f, 2600:140b:1:182::2a1f
Connecting to letsencrypt.org (letsencrypt.org)|23.34.107.238|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K) [application/x-x509-ca-cert]
Saving to: ‘STDOUT’

     0K .                                                     100%  256M=0s

2016-04-01 00:00:15 (256 MB/s) - written to stdout [1675/1675]

I then browsed Stack Overflow for a while, but every fix I found was for a different kind of certificate chain error, so I went through some of the official documentation to see whether it mentioned a solution and came across this article: Upcoming intermediate changes

An excerpt:

The new trusted intermediates will be called "Let's Encrypt Authority X3" and "Let's Encrypt Authority X4" and will be in the CT logs and on our web site. The new untrusted intermediates will be "Fake LE Root X1" and "Fake LE Intermediate X1." If you see a certificate from one of the untrusted intermediates on a live website, it was issued against the staging server and should be reissued against production if you want it to be trusted.

The gist is that two new intermediate certificates, Let's Encrypt Authority X3 and Let's Encrypt Authority X4, have been deployed, adding compatibility with Windows XP; also, X3 has the same public key as X1. That made the intermediate certificate the likely culprit, so I went back to look at the renewal script:

chiaki@Server:cat renew.sh
#!/bin/bash
cd /srv/ssl/ || exit
# Request a new certificate for domain.csr via acme_tiny; stop if signing fails.
python acme_tiny.py --account-key account.key --csr domain.csr --acme-dir /srv/www/challenges/ > signed.crt || exit
# Download the intermediate certificate (X1 here; this is the line that later had to change).
wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem
# Concatenate leaf + intermediate into the full chain served by the web server.
cat signed.crt intermediate.pem > chained.pem

Comparing the connection details, I guessed the concatenated fullchain file was causing the chain error, so I tried changing

wget -O - https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > intermediate.pem

to

wget -O - https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem > intermediate.pem

then ran the signing once more, and the site was reachable again. √
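The root cause was a fullchain that bundled an intermediate (X1) which had not issued the leaf (signed by X3). As an added example, not the blog's own renew.sh, the following script gates the `cat` step on an issuer check; the CA names, file names and the `make_fixture` test data are constructed for illustration.

```shell
#!/bin/bash
# Added example, not the blog's own renew.sh. Before concatenating the leaf and
# the intermediate, confirm the intermediate really issued the leaf; a bundle
# holding X1 under a leaf signed by X3 then fails here instead of in browsers.

# chain_matches LEAF INTERMEDIATE: 0 if INTERMEDIATE issued LEAF and the
# signature verifies, non-zero (with a message on stderr) otherwise.
chain_matches() {
    local leaf=$1 inter=$2 issuer subject
    issuer=$(openssl x509 -noout -issuer_hash -in "$leaf")
    subject=$(openssl x509 -noout -subject_hash -in "$inter")
    if [ "$issuer" != "$subject" ]; then
        echo "chain mismatch: leaf   $(openssl x509 -noout -issuer -in "$leaf")" >&2
        echo "                bundle $(openssl x509 -noout -subject -in "$inter")" >&2
        return 1
    fi
    # -partial_chain lets the intermediate act as the trust anchor, so the
    # check does not depend on the host's root store.
    openssl verify -partial_chain -CAfile "$inter" "$leaf" >/dev/null
}

# build_chain LEAF INTERMEDIATE OUT: the last line of renew.sh, gated on the check.
build_chain() {
    chain_matches "$1" "$2" || return 1
    cat "$1" "$2" > "$3"
}

# make_fixture DIR: constructed test data mirroring the incident. Two
# self-signed CAs stand in for X1 ("a") and X3 ("b"); the leaf is issued by b.
make_fixture() {
    local d=$1 ca
    for ca in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA $ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=blog.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/b.pem" -CAkey "$d/b.key" \
        -CAcreateserial -out "$d/signed.crt" 2>/dev/null
}

# Demo: bundling the old CA is rejected, bundling the issuing CA succeeds.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
build_chain "$demo_dir/signed.crt" "$demo_dir/a.pem" "$demo_dir/chained.pem" && echo "a: ok" || echo "a: rejected"
build_chain "$demo_dir/signed.crt" "$demo_dir/b.pem" "$demo_dir/chained.pem" && echo "b: ok" || echo "b: rejected"
rm -rf "$demo_dir"
```

In the real renew.sh the same guard would sit between the wget and the cat, so a stale intermediate URL stops the cron job with an error instead of deploying a broken chain.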

Article created 2016-04-01 05:51:45, last updated 2016-04-01 05:51:45