Openssl telling certificate has expired when it has not


Question

I'm having an issue with curl and openssl reporting a client certificate as expired, even though its notAfter date is in the future:

# echo | openssl s_client -showcerts -connect example.com:443 2>&1 | grep Verify
    Verify return code: 10 (certificate has expired)

# echo | openssl s_client -showcerts -connect example.com:443 2>&1 | openssl x509 -noout -dates
notBefore=Oct 17 00:00:00 2011 GMT
notAfter=Oct 21 12:00:00 2014 GMT

System date is correct. Firefox is not showing any error for that site's cert either. Openssl versions I tried are OpenSSL 1.0.1e-fips 11 Feb 2013 and OpenSSL 1.0.1f 6 Jan 2014. I've found a similar-looking issue here where the author claims that the issue is missing in openssl 0.9.8, but present in 1.0.1.

Why is this happening?

Accepted answer

My problem was that a certificate did expire, but not this particular one; it was one in the signing chain.

For example, for google the command openssl s_client -showcerts -connect google.com:443 </dev/null | openssl x509 -noout -dates shows:

notBefore=Oct  6 12:37:54 2016 GMT
notAfter=Dec 29 12:28:00 2016 GMT

However, just openssl s_client -showcerts -connect google.com:443 </dev/null shows not 1 but 3 certificates (enclosed in ---BEGIN/END CERTIFICATE--- parts); the first one is google's and it is the one actually checked. To verify this, I copied (there should probably be a less manual way) the first one to /tmp/google and the last one to /tmp/geotrust. Now running openssl x509 -noout -dates < /tmp/google gives me:

notBefore=Oct  6 12:37:54 2016 GMT
notAfter=Dec 29 12:28:00 2016 GMT

Which matches the first command's output, and openssl x509 -noout -dates < /tmp/geotrust:

notBefore=May 21 04:00:00 2002 GMT
notAfter=Aug 21 04:00:00 2018 GMT

Which is different and was not shown before. So in the end my problem was that one of the higher authority certificates was indeed outdated.

And BTW, as the comment to the question suggests upgrading the OS to fix this issue, I imagine the cause is the same. The OS comes with a bunch of root certificates, so if you have a crazy old OS, some of those might have expired; you can either upgrade those root certs or the whole OS to fix the issue.

Also handy to know: running without -showcerts gives you a nice view of the cert chain, openssl s_client -connect google.com:443 </dev/null:

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

None of these may be expired.
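The pitfall in the answer is that openssl x509 only ever reads the first PEM block on its input, so piping a -showcerts transcript into it reports the leaf's dates and silently drops the intermediates and root. The following script is an added example (not code from the question, the answer, or OpenSSL): it splits a saved -showcerts transcript into every certificate, pulls the Validity field out of each with a small DER walker that follows the RFC 5280 TBSCertificate field order, and flags any that are expired or not yet valid. The three-certificate SAMPLE_CHAIN, the fake_cert_pem builder and the AS_OF check time are constructed for the demonstration (unsigned stand-ins with the same layout as real certificates); on a real bundle it runs against the current time.

```python
"""List the validity window of every certificate in a PEM bundle, not just the first.

Added example (stdlib only); not the original answer's code. A minimal DER walker
reads Validity from each Certificate so a saved `openssl s_client -showcerts`
transcript can be checked offline without `openssl x509`, which reads only the
first certificate on its input.
"""
from __future__ import annotations

import base64
import re
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(text: bytes) -> list[bytes]:
    """Split s_client -showcerts output (or any PEM bundle) into DER blobs."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(text)]


def _tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one DER tag-length-value at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list[tuple[int, bytes]]:
    """Return the (tag, value) pairs inside a constructed value such as a SEQUENCE."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _time(tag: int, val: bytes) -> datetime:
    """Decode an X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18)."""
    s = val.decode("ascii")
    if tag == 0x17:                        # RFC 5280 4.1.2.5.1: YY >= 50 -> 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity(der: bytes) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) of one DER-encoded Certificate."""
    _, cert, _ = _tlv(der, 0)              # Certificate ::= SEQUENCE { tbs, sigAlg, signature }
    _, tbs, _ = _tlv(cert, 0)              # TBSCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version comes first
        fields.pop(0)
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    (t1, v1), (t2, v2) = _children(fields[3][1])
    return _time(t1, v1), _time(t2, v2)


def check_chain(text: bytes, now: datetime | None = None) -> list[dict]:
    """Validity of every cert in the bundle, flagged against `now` (default: current UTC)."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for i, der in enumerate(pem_to_der_list(text)):
        nb, na = validity(der)
        rows.append({"index": i, "notBefore": nb, "notAfter": na,
                     "expired": na < now, "not_yet_valid": nb > now})
    return rows


# --- constructed sample input: unsigned stand-ins, no real keys or signatures ---
def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample (handles long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert_pem(not_before: str, not_after: str) -> bytes:
    """Stand-in certificate with the real TBSCertificate field order, as PEM."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                   # [0] version v3
               + _der(0x02, b"\x01")                                             # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
               + _der(0x30, b"")                                                 # issuer (empty Name)
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _der(0x30, b"")                                                 # subject
               + _der(0x30, b""))                                                # subjectPublicKeyInfo
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert) + b"-----END CERTIFICATE-----\n"


# Three-cert chain shaped like the google.com example: the leaf's dates are fine,
# but the constructed root has already expired at the chosen check time.
SAMPLE_CHAIN = (fake_cert_pem("161006123754Z", "161229122800Z")    # 0: leaf
                + fake_cert_pem("150401000000Z", "171231235959Z")  # 1: intermediate
                + fake_cert_pem("020521040000Z", "160821040000Z"))  # 2: root, expired
AS_OF = datetime(2016, 11, 1, tzinfo=timezone.utc)                  # constructed check time

if __name__ == "__main__":
    # usage: python check_chain.py chain.pem   (chain.pem = saved s_client -showcerts output)
    data, when = (open(sys.argv[1], "rb").read(), None) if len(sys.argv) > 1 else (SAMPLE_CHAIN, AS_OF)
    for r in check_chain(data, when):
        flag = "EXPIRED" if r["expired"] else ("NOT YET VALID" if r["not_yet_valid"] else "ok")
        print("%d: notBefore=%s notAfter=%s %s" % (r["index"], r["notBefore"], r["notAfter"], flag))
```

Run it with no arguments to see the constructed chain, where entry 2 (the root) is reported EXPIRED while entry 0 (the leaf) is fine, which is exactly the situation the answer describes. With a file argument it checks every certificate the server actually sent; if one is flagged, compare that entry's subject in the "Certificate chain" listing above against what your trust store expects.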
