
Fixing the "Incomplete Certificate Chain" Result Reported by MySSL

US-B.Ralph
2020-08-03

Symptoms

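  1. The server has a certificate installed and SSL enabled, but the browser still reports "connection not secure", as shown below:
    [Figure: connection not secure]

  2. When checked with the MySSL certificate verification tool, it reports that the certificate chain is incomplete:
    [Figure: MySSL reports an incomplete certificate chain]
    [Figure: certificate chain information]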

Cause

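After investigation, the certificate installed on the server contained only the us-b.fun.crt certificate information and was missing the root_bundle.crt information.
The CRT file provided by TrustAsia TLS RSA CA contains two parts, each a separate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block: the domain certificate information followed by the root certificate information.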


When I used openssl x509 -in us-b.fun.crt -out us-b.fun.pem to convert the crt to pem, the root certificate information was lost.

Solution

Adding the root certificate information to the pem file on the server is all that is needed.

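After the root certificate information was added, the browser no longer reports that the connection is not secure, and the MySSL check shows complete certificate chain information.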

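[Figure: after adding the root certificate information, the browser no longer reports the connection as not secure]
[Figure: MySSL verification result after adding the root certificate information]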
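The failure and the fix described above can be reproduced offline. This is an added example, not part of the original post: it builds a throwaway CA and leaf certificate (constructed test data, with a self-signed demo CA standing in for the second block of the CRT), runs the same openssl x509 conversion, and checks whether the resulting file still carries the issuing certificate. All file and function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. The CA and leaf below are constructed throwaway certificates,
# not the real us-b.fun or TrustAsia ones; all file names are assumptions.
set -eu

count_certs() {   # number of PEM certificate blocks in file $1
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

nth_cert() {      # print the $2-th certificate block of file $1
  awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"
}

chain_links() {   # true if the first cert in $1 was issued by the second
  [ "$(count_certs "$1")" -ge 2 ] || return 1
  [ "$(nth_cert "$1" 1 | openssl x509 -noout -issuer_hash)" = \
    "$(nth_cert "$1" 2 | openssl x509 -noout -subject_hash)" ]
}

make_demo_bundle() {   # build $1/site.crt = leaf certificate + issuing CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
  cat "$1/leaf.crt" "$1/ca.crt" > "$1/site.crt"
}

demo() {
  dir=$(mktemp -d)
  make_demo_bundle "$dir"
  # The conversion from the post: x509 reads and writes one certificate only.
  openssl x509 -in "$dir/site.crt" -out "$dir/broken.pem"
  # The .crt is already PEM, so copying it keeps every block.
  cp "$dir/site.crt" "$dir/fixed.pem"
  for f in site.crt broken.pem fixed.pem; do
    if chain_links "$dir/$f"; then s="chain present"; else s="chain missing"; fi
    echo "$f: $(count_certs "$dir/$f") certificate(s), $s"
  done
  rm -rf "$dir"
}
demo
```

Running count_certs against the file the web server actually loads is a quick pre-deployment check: a result of 1 means clients will receive only the domain certificate.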
