Azure 托管网站证书链 (comodo) 间歇性地不发送完整链
Azure hosted website certificate chain (comodo) intermittently doesn't send full chain
我们在 Azure 中托管一个网站。我们托管的服务有 6 个实例。在该服务上,我们添加了一个覆盖该站点的证书,并且具有如下所示的身份验证链:
our certificate
Comodo RDAOrganisation Validation Secure Server CA (2014 - 2029)
Comodo RSA certification Authority (2000 - 2020)
USERTrust (2000 - 2020)
我们可以在浏览器中看到,对于我们发出的任何请求,这条链似乎正确存在并且 SSL 握手可以完成。
我们有一位客户报告说他们在远程连接到我们时遇到了一些问题。他们一直在使用 openssl 来尝试验证它的来源。
我的知识不足之处在于解释此输出,我想知道您是否可以帮助我们或我们的客户找出差异或确定下一步。
运行 的命令是
$ openssl s_client -CApath /etc/ssl/certs/ -connect <our service uri>
成功案例输出:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA verify return:1
depth=0 C = DK, <certificate information pertianing to our company >
---
Certificate chain
0 s:/C=DK/<certificate information pertianing to our company >
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
Key is the same between both requests
-----END CERTIFICATE-----
subject=/C=DK/<certificate information pertianing to our company >
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5052 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: <session id hidden>
Session-ID-ctx:
Master-Key: <key hidden>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1436543517
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
在不成功的情况下:
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA verify error:num=20:unable to get local issuer certificate verify return:0
---
Certificate chain
0 s:/C=DK/<certificate information pertianing to our company >
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
Key is the same between both requests
-----END CERTIFICATE-----
subject=/C=DK/<certificate information pertianing to our company >
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3649 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: <session id hidden>
Session-ID-ctx:
Master-Key: <key hidden>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1436543605
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
我可以看到这些是不同的,我可以看到深度字段是不同的,(我不确定这意味着什么,但假设这表明身份验证链 openssl 得到了多远) .我还可以看到链本身在成功案例中与不成功案例中似乎有所不同,添加了
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
我的问题是什么会导致这种情况发生,这是服务器问题还是用户问题(特别是要记住,对于大多数用户的大多数请求,这似乎工作得很好),我们是否需要采取任何后续步骤来确定问题?
感谢您的宝贵时间:)
原来这与我们的服务定义和服务配置文件有关。在其中,我们包含了我们想要提供的证书,但不是它的身份验证链。
MS 支持建议我们尝试 http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx 作为手动配置服务器实例的替代方法。
/JR
我们在 Azure 中托管一个网站。我们托管的服务有 6 个实例。在该服务上,我们添加了一个覆盖该站点的证书,并且具有如下所示的身份验证链:
our certificate
Comodo RDAOrganisation Validation Secure Server CA (2014 - 2029)
Comodo RSA certification Authority (2000 - 2020)
USERTrust (2000 - 2020)
我们可以在浏览器中看到,对于我们发出的任何请求,这条链似乎正确存在并且 SSL 握手可以完成。
我们有一位客户报告说他们在远程连接到我们时遇到了一些问题。他们一直在使用 openssl 来尝试验证它的来源。
我的知识不足之处在于解释此输出,我想知道您是否可以帮助我们或我们的客户找出差异或确定下一步。
运行 的命令是
$ openssl s_client -CApath /etc/ssl/certs/ -connect <our service uri>
成功案例输出:
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA verify return:1
depth=0 C = DK, <certificate information pertianing to our company >
---
Certificate chain
0 s:/C=DK/<certificate information pertianing to our company >
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
Key is the same between both requests
-----END CERTIFICATE-----
subject=/C=DK/<certificate information pertianing to our company >
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 5052 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: <session id hidden>
Session-ID-ctx:
Master-Key: <key hidden>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1436543517
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
在不成功的情况下:
CONNECTED(00000003)
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Organization Validation Secure Server CA verify error:num=20:unable to get local issuer certificate verify return:0
---
Certificate chain
0 s:/C=DK/<certificate information pertianing to our company >
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
Key is the same between both requests
-----END CERTIFICATE-----
subject=/C=DK/<certificate information pertianing to our company >
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3649 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: <session id hidden>
Session-ID-ctx:
Master-Key: <key hidden>
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1436543605
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
我可以看到这些是不同的,我可以看到深度字段是不同的,(我不确定这意味着什么,但假设这表明身份验证链 openssl 得到了多远) .我还可以看到链本身在成功案例中与不成功案例中似乎有所不同,添加了
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
我的问题是什么会导致这种情况发生,这是服务器问题还是用户问题(特别是要记住,对于大多数用户的大多数请求,这似乎工作得很好),我们是否需要采取任何后续步骤来确定问题?
感谢您的宝贵时间:)
原来这与我们的服务定义和服务配置文件有关。在其中,我们包含了我们想要提供的证书,但不是它的身份验证链。
MS 支持建议我们尝试 http://blogs.msdn.com/b/azuredevsupport/archive/2010/02/24/how-to-install-a-chained-ssl-certificate.aspx 作为手动配置服务器实例的替代方法。
/JR