Google App Engine: uploading a wildcard SSL certificate to Google App Engine gives "SSL certificate references a subdomain outside the hosted domain."


I am currently using a self-signed wildcard certificate in a Google Apps domain (see)

Suppose the domain is example.com. I have also registered the subdomains api.example.com and staging.example.com

The self-signed certificate is for *.api.example.com

It works fine

However, when I try to upload a CA-signed certificate (see), I get the error message "SSL certificate references a subdomain outside the hosted domain"

The CA-signed certificate is a bit more complex, but it resolves to , for *.api.example.com (and *.staging.example.com) too

What is wrong with the CA certificate that causes this error?

I guess you haven't set up the custom domains correctly. See

I guess you need to add:

  • soundtrackyourbrand.com
  • staging.soundtrackyourbrand.com
  • api.soundtrackyourbrand.com
  • *.staging.soundtrackyourbrand.com
  • *.api.soundtrackyourbrand.com

Since the SSL certificate contains a number of Subject Alternative Names, and there is no access to the custom domain list.

Based on this error, Google Apps seems to be complaining that the certificate contains subdomains that Google Apps doesn't know about

You mentioned that *.staging.soundtrackyourbrand.com is included. Make sure Google Apps knows about this subdomain/zone (as well as soundtrackyourbrand.com), because that is why it is rejecting you

The zones you need include:

  • soundtrackyourbrand.com
  • staging.soundtrackyourbrand.com
  • api.soundtrackyourbrand.com

If you can't add these records, you need to regenerate a certificate that is more specific to your zones

Alternatively, you may not have set up the first zone correctly. For example, soundtrackyourbrand.com should be the only zone, with api.soundtrackyourbrand.com and staging.soundtrackyourbrand.com as records
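The reasoning in the answer above (every name in the certificate must fall inside a zone the hosting side knows, and a wildcard needs its base zone registered) written out as a checker. This is an added example, not code from the original post or from Google; the zone list and SAN names are constructed, and the rule is the answer's reading of the error message, not Google's actual validation routine.

```python
# Added example: model the "subdomain outside the hosted domain" check as the
# first answer describes it.  Zones and SANs below are constructed sample data.

def _covered_by(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it."""
    return name == zone or name.endswith("." + zone)


def check_sans(sans, known_zones):
    """Check SAN DNS names against the zones registered with the host.

    Returns (ok, problems).  A plain name passes if some known zone covers
    it.  A wildcard '*.X' passes only when X itself is a registered zone,
    i.e. one wildcard level below a zone the host knows about, which is how
    the answer reads the error ("*.staging..." needs a staging zone).
    """
    known = {z.lower().rstrip(".") for z in known_zones}
    problems = []
    for raw in sans:
        san = raw.lower().rstrip(".")
        if san.startswith("*."):
            base = san[2:]
            if "*" in base:
                problems.append(f"{raw}: nested wildcard is not allowed")
            elif base not in known:
                problems.append(f"{raw}: wildcard base {base!r} is not a registered zone")
        elif not any(_covered_by(san, z) for z in known):
            problems.append(f"{raw}: outside every registered zone")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample mirroring the question: apex registered, api zone
    # registered, staging zone missing -> the staging wildcard is flagged.
    sans = ["soundtrackyourbrand.com",
            "*.api.soundtrackyourbrand.com",
            "*.staging.soundtrackyourbrand.com"]
    zones = {"soundtrackyourbrand.com", "api.soundtrackyourbrand.com"}
    ok, problems = check_sans(sans, zones)
    for p in problems:
        print("problem:", p)
    print("certificate acceptable:", ok)
```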

However, when I try to upload a CA-signed certificate (see), I get the error message "SSL certificate references a subdomain outside the hosted domain"

I found two problems with the configuration. One is PKI-related and the other is DNS-related

I know the PKI problem will cause trouble for some user agents. I'm not sure about the DNS problem, but it could be the issue, since your error message refers to "a subdomain outside the hosted domain". They may not be the only problems

The server's certificate is missing the intermediate certificate required to validate it. This is a well-known problem in PKI, called the "Which Directory" problem: the client does not know where to fetch the missing intermediate certificate that was used to sign the end-entity certificate

According to the CA-signed pastie ():

The chain is missing the "StartCom Class 2 Primary Intermediate Server CA" intermediate

You can get the missing intermediate from StartCom's . What you are looking for is . A quick dump verifies that the subject of sub.class2.server.ca.pem is the issuer of the server certificate:

$ openssl x509 -in sub.class2.server.ca.pem -inform PEM -noout -text 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 26 (0x1a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
        Validity
            Not Before: Oct 24 20:57:09 2007 GMT
            Not After : Oct 24 20:57:09 2017 GMT
        Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
    ...

What is wrong with the CA certificate that causes this error

You should paste the following into the server's certificate file, after the PEM-encoded server certificate. Essentially, the server's certificate file will contain two certificates


Then ask clients to "trust" StartCom's root certificate (CN=StartCom Certification Authority). If they trust StartCom's root certificate, your server certificate will validate:

# Download Startcom's roots
$ wget https://www.startssl.com/certs/ca-bundle.pem
--2014-02-07 05:08:52--  https://www.startssl.com/certs/ca-bundle.pem
...

# Verify the server certificate using the Startcom root
$ openssl verify -CAfile ca-bundle.pem 8402243+intermediate.pem
8402243+intermediate.pem: OK

One more thing I noticed. Some hosts are resolving OK:

$ dig staging.soundtrackyourbrand.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> staging.soundtrackyourbrand.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22761
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;staging.soundtrackyourbrand.com. IN    A

;; ANSWER SECTION:
staging.soundtrackyourbrand.com. 3599 IN A  194.9.94.85
staging.soundtrackyourbrand.com. 3599 IN A  194.9.94.86

Alternatively, make it a subdomain by providing a Start of Authority (SOA) record. But I'm not sure how Google would handle that in its validation routine, so it may be easier to just give it an address resource record.

Google Apps only supports one level of wildcard subdomains; *.api and *.staging.soundtrackyourbrand.com are two levels

That may not be the case, since the self-signed certificate works for *.api.soundtrackyourbrand.com, right? As I said to Michael Pasqualone, there is no problem with the zones and names of the self-signed certificate, so I doubt that is the case here?

$ dig api.soundtrackyourbrand.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> api.soundtrackyourbrand.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33966
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;api.soundtrackyourbrand.com.   IN  A

;; AUTHORITY SECTION:
soundtrackyourbrand.com. 1755   IN  SOA ns1.loopia.se. registry.loopia.se. 1391644800 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Fri Feb  7 05:30:05 2014
;; MSG SIZE  rcvd: 103

api.soundtrackyourbrand.com.    IN    A   194.9.94.85