来自LetsEncrypt的SSL证书不受信任

Question

根据https://www.digicert.com/help/，我的https://sqless.ddns.net证书(我的Apache服务)不受信任，因为

SSL证书不受信任，证书不由受信任的权威机构签名(对照Mozilla的根存储进行检查)。如果您从受信任的机构购买了证书，您可能只需要安装一个或多个中间证书。请与您的证书提供程序联系，以便为您的服务器平台执行此操作。

这很奇怪，因为Google和Firefox都会在Chrome上显示绿色挂锁和“安全”。

我使用这教程来在我的服务器上设置SSL。这些是我在C:\xampp\apache\conf\extra\httpd-vhosts.conf中的虚拟主机。

    ServerAdmin myemail@email.com
    ServerName sqless.ddns.net
    
    RewriteEngine On
    # Redirect to the HTTPS site
    RewriteCond %{HTTPS} off
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]



    ServerAdmin myemail@email.com
    ServerName sqless.ddns.net
    
    RewriteEngine On
    # Redirect to the correct domain name
    RewriteCond %{HTTP_HOST} !^sqless.ddns.net$ [NC]
    RewriteRule ^/?(.*)$ https://sqless.ddns.net/$1 [NE,L,R=301]

    Alias /.well-known C:/xampp/htdocs/.well-known

    SSLEngine on
    SSLCertificateFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"
    SSLCertificateKeyFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-key.pem"
    SSLCertificateChainFile "C:/Users/Morgan/AppData/Roaming/letsencrypt-win-simple/httpsacme-v01.api.letsencrypt.org/sqless.ddns.net-crt.pem"

我使用了Win-Acme的1.8.0版本，位于这里：https://github.com/PKISharp/win-acme/releases

我是不是遗漏了什么？

Answer 1

请参阅本报告更详细的内容：https://www.ssllabs.com/ssltest/analyze.html?d=sqless.ddns.net，它显示“此服务器的证书链不完整。等级上限为B”。

特别是“证书路径”中的“额外下载”部分。您的服务器需要发送中间CA。这意味着SSLCertificateChainFile不能仅仅是SSLCertificateFile中相同的内容。

再看一看你引用的教程，你会发现它显示了你不尊重的区别。您可以在它们的页面上找到CA中间证书：https://letsencrypt.org/certificates/

因此，在您的SSLCertificateChainFile中，您需要的是中间证书，然后是CA证书。从SSLLabs结果中可以看到，您的最终证书是由“让我们加密X3”(中间CA)生成的，该证书本身由"DST X3“签名。如果你去https://letsencrypt.org/certificates/，你可以找到他们两个。

你需要把它们放在一个文件里，一个接一个。那么，您应该得到以下内容：

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

Answer 2

现在，您已经将链指向与证书相同的文件。这不对。

SSLCertificateFile ".../sqless.ddns.net-crt.pem"
SSLCertificateChainFile ".../sqless.ddns.net-crt.pem"

你的链条应该指向中间证书。

• https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem