Google App Engine: uploading a wildcard SSL certificate to Google App Engine gives "SSL certificate references a subdomain outside the hosted domain"
Tags: google-app-engine, ssl, certificate, ssl-certificate, google-apps

I am currently using a self-signed wildcard certificate in my Google Apps domain (see [link]). Suppose the domain is example.com. I have also registered the subdomains api.example.com and staging.example.com. The self-signed certificate is for *.api.example.com. It works fine.

However, when I try to upload the CA-signed certificate (see [link]), I get the error message "SSL certificate references a subdomain outside the hosted domain". The CA-signed certificate is a bit more complicated, but it resolves to [link], and likewise for *.api.example.com (and *.staging.example.com).

What is wrong with the CA certificate that causes this error?
What is wrong with the CA certificate that causes this error?

I guess you have not set up the custom domains correctly. See [link]. I guess you need to add:
- soundtrackyourbrand.com
- staging.soundtrackyourbrand.com
- api.soundtrackyourbrand.com
- *.staging.soundtrackyourbrand.com
- *.api.soundtrackyourbrand.com
Since the SSL certificate contains many Subject Alternative Names, the custom domain list cannot be accessed. Based on the error, Google Apps appears to be complaining that the certificate contains subdomains that Google Apps does not know about. You mentioned that *.staging.soundtrackyourbrand.com is included. Make sure Google Apps knows about this subdomain/zone (as well as soundtrackyourbrand.com), because that is why it is rejecting you. The zones you need include:
- soundtrackyourbrand.com
- staging.soundtrackyourbrand.com
- api.soundtrackyourbrand.com
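The point of this answer, that every subdomain a SAN names must be known to the hosting account, can be checked mechanically before uploading. The following is an added example, not code from the question or from either answer: given the dNSName SANs a certificate carries and the domains registered with the account, it lists which SANs the account does not know about and which registrations would close the gap. The coverage rule (strip one leading `*.` label, then require an exact match against a registered domain) and the sample names are assumptions; `wildcard_depth` only counts labels, since whether two-level wildcards are accepted is disputed in the comments below.

```python
# Added example, not from the question or the answers: triage the dNSName SANs
# of a certificate against the domains registered with the hosting account.
# The coverage rule is an assumption modelled on the answer above: a SAN is
# covered when, after stripping one leading "*." label, it exactly matches a
# registered domain; anything not under the apex is reported separately.

def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so DNS-style names compare cleanly."""
    return name.strip().lower().rstrip(".")


def strip_wildcard(name: str) -> str:
    """Drop a single leading wildcard label: '*.api.example.com' -> 'api.example.com'."""
    return name[2:] if name.startswith("*.") else name


def wildcard_depth(name: str, apex: str) -> int:
    """Number of labels to the left of the apex, counting the '*' itself
    ('*.api.example.com' under 'example.com' -> 2, '*.example.com' -> 1,
    a name without a wildcard -> 0)."""
    name, apex = normalize(name), normalize(apex)
    if not name.startswith("*.") or not name.endswith("." + apex):
        return 0
    return len(name[: -len(apex) - 1].split("."))


def san_coverage(sans, registered, apex) -> dict:
    """Classify each SAN as covered, unregistered (under the apex but unknown
    to the account) or foreign (not under the apex at all)."""
    known = {normalize(r) for r in registered}
    apex = normalize(apex)
    report = {"covered": [], "unregistered": [], "foreign": []}
    for san in sans:
        base = strip_wildcard(normalize(san))
        if base != apex and not base.endswith("." + apex):
            report["foreign"].append(san)
        elif base in known:
            report["covered"].append(san)
        else:
            report["unregistered"].append(san)
    return report


def registrations_needed(sans, registered, apex) -> list:
    """Domains to register so that every in-apex SAN becomes covered."""
    report = san_coverage(sans, registered, apex)
    return sorted({strip_wildcard(normalize(s)) for s in report["unregistered"]})


# Constructed sample: the names from this thread plus one deliberately foreign SAN.
SAMPLE_SANS = [
    "soundtrackyourbrand.com",
    "*.soundtrackyourbrand.com",
    "api.soundtrackyourbrand.com",
    "*.api.soundtrackyourbrand.com",
    "staging.soundtrackyourbrand.com",
    "*.staging.soundtrackyourbrand.com",
    "cdn.example.net",
]
SAMPLE_REGISTERED = ["soundtrackyourbrand.com", "api.soundtrackyourbrand.com"]
APEX = "soundtrackyourbrand.com"

if __name__ == "__main__":
    for kind, names in san_coverage(SAMPLE_SANS, SAMPLE_REGISTERED, APEX).items():
        print(f"{kind}: {names}")
    print("register:", registrations_needed(SAMPLE_SANS, SAMPLE_REGISTERED, APEX))
```

Run against the sample, the report puts both staging names in `unregistered` and the single foreign name in `foreign`, and `registrations_needed` reduces the two staging SANs to the one zone that has to be added. Feed it the real SAN list (for example the dNSName entries from `openssl x509 -noout -text`) and the account's custom domain list to get the same triage for an actual certificate.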
The server's certificate is missing the intermediate certificate needed for validation. This is a well-known problem in PKI, called the "Which Directory" problem: the client does not know where to fetch the missing intermediate certificate that was used to sign the end-entity certificate.

According to the CA-signed pastie ([link]), the "StartCom Class 2 Primary Intermediate Server CA" intermediate is missing from the chain. You can get the missing intermediate from StartCom's [link]. The one you are looking for is [link]. A quick dump verifies that the subject of sub.class2.server.ca.pem is the issuer of the server certificate:
$ openssl x509 -in sub.class2.server.ca.pem -inform PEM -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 26 (0x1a)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Validity
Not Before: Oct 24 20:57:09 2007 GMT
Not After : Oct 24 20:57:09 2017 GMT
Subject: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 2 Primary Intermediate Server CA
...
What is wrong with the CA certificate that causes this error?
You should paste the following into the server's certificate file, after the PEM-encoded server certificate. Essentially, the server's certificate file will then contain two certificates:
-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NzA5WhcNMTcxMDI0MjA1NzA5WjCB
jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4k85L6GMmoWtCA4IPlfyiAEh
G5SpbOK426oZGEY6UqH1D/RujOqWjJaHeRNAUS8i8gyLhw9l33F0NENVsTUJm9m8
H/rrQtCXQHK3Q5Y9upadXVACHJuRjZzArNe7LxfXyz6CnXPrB0KSss1ks3RVG7RL
hiEs93iHMuAW5Nq9TJXqpAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125w2oLJxGE
d2H2wnztwI14FBiZgZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhHM7BUxkYa
8zVhwQIpkFR+ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQpZ4rEAwID
AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
VR0OBBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaAFE4L7xqkQFul
F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAnQfh7pB2MWcWRXCMy4SLS1doRKWJwfJ+
yyiL9edwd9W29AshYKWhdHMkIoDW2LqNomJdCTVCKfs5Y0ULpLA4Gmj0lRPM4EOU
7Os5GuxXKdmZbfWEzY5zrsncavqenRZkkwjHHMKJVJ53gJD2uSl26xNnSFn4Ljox
uMnTiOVfTtIZPUOO15L/zzi24VuKUx3OrLR2L9j3QGPV7mnzRX2gYsFhw3XtsntN
rCEnME5ZRmqTF8rIOS0Bc2Vb6UGbERecyMhK76F2YC2uk/8M1TMTn08Tzt2G8fz4
NVQVqFvnhX76Nwn/i7gxSZ4Nbt600hItuO3Iw/G2QqBMl3nf/sOjn6H0bSyEd6Si
BeEX/zHdmvO4esNSwhERt1Axin/M51qJzPeGmmGSTy+UtpjHeOBiS0N9PN7WmrQQ
oUCcSyrcuNDUnv3xhHgbDlePaVRCaHvqoO91DweijHOZq1X1BwnSrzgDapADDC+P
4uhDwjHpb62H5Y29TiyJS1HmnExUdsASgVOb7KD8LJzaGJVuHjgmQid4YAjff20y
6NjAbx/rJnWfk/x7G/41kNxTowemP4NVCitOYoIlzmYwXSzg+RkbdbmdmFamgyd6
0Y+NWZP8P3PXLrQsldiL98l+x/ydrHIEH9LMF/TtNGCbnkqXBP7dcg5XVFEGcE3v
qhykguAzx/Q=
-----END CERTIFICATE-----
Then ask clients to "trust" StartCom's root certificate (CN=StartCom Certification Authority). If they trust StartCom's root certificate, your server certificate will validate:
# Download Startcom's roots
$ wget https://www.startssl.com/certs/ca-bundle.pem
--2014-02-07 05:08:52-- https://www.startssl.com/certs/ca-bundle.pem
...
# Verify the server certificate using the Startcom root
$ openssl verify -CAfile ca-bundle.pem 8402243+intermediate.pem
8402243+intermediate.pem: OK
One more thing I noticed. Some hosts are resolving OK:
$ dig staging.soundtrackyourbrand.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> staging.soundtrackyourbrand.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22761
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;staging.soundtrackyourbrand.com. IN A
;; ANSWER SECTION:
staging.soundtrackyourbrand.com. 3599 IN A 194.9.94.85
staging.soundtrackyourbrand.com. 3599 IN A 194.9.94.86
$ dig api.soundtrackyourbrand.com
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> api.soundtrackyourbrand.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33966
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;api.soundtrackyourbrand.com. IN A
;; AUTHORITY SECTION:
soundtrackyourbrand.com. 1755 IN SOA ns1.loopia.se. registry.loopia.se. 1391644800 10800 3600 604800 86400
;; Query time: 0 msec
;; SERVER: 172.16.1.10#53(172.16.1.10)
;; WHEN: Fri Feb 7 05:30:05 2014
;; MSG SIZE rcvd: 103
api.soundtrackyourbrand.com. IN A 194.9.94.85

Or, make it a subdomain by providing a Start of Authority (SOA) record. But I am not sure how Google handles that in its validation routine, so it may be easier to just give it an address resource record.

Google Apps only supports one level of wildcard subdomain; *.api and *.staging.soundtrackyourbrand.com are two levels.

That may not be the case, since the self-signed certificate is only for *.api.soundtrackyourbrand.com, right? As I said to Michael Pasqualone, there is no problem with the zones and names of the self-signed certificate, so I doubt that is the case here?
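The check this answer performs by eye with `openssl x509 -text`, that the intermediate's Subject equals the server certificate's Issuer, and its instruction to append the intermediate after the server certificate, can both be automated. The following is an added example, not code from the answer, from StartCom or from Google: a minimal DER walker that pulls the Issuer and Subject names out of tbsCertificate and orders a pool of PEM certificates behind a leaf so that each one is followed by its issuer. It uses only the Python standard library. The embedded PEM is the StartCom intermediate quoted above; since the server certificate itself is not on the page, the self-check runs against the intermediate alone (which, being an intermediate, must not look self-signed).

```python
# Added example: check X.509 issuer/subject linkage without the `cryptography`
# package, using a minimal DER walker over tbsCertificate. The PEM below is the
# StartCom intermediate quoted in the answer (not a constructed value).
import base64

STARTCOM_INTERMEDIATE_PEM = """-----BEGIN CERTIFICATE-----
MIIGNDCCBBygAwIBAgIBGjANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
MBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0YWwg
Q2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2VydGlmaWNh
dGlvbiBBdXRob3JpdHkwHhcNMDcxMDI0MjA1NzA5WhcNMTcxMDI0MjA1NzA5WjCB
jDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsT
IlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNVBAMTL1N0
YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVyIENBMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4k85L6GMmoWtCA4IPlfyiAEh
G5SpbOK426oZGEY6UqH1D/RujOqWjJaHeRNAUS8i8gyLhw9l33F0NENVsTUJm9m8
H/rrQtCXQHK3Q5Y9upadXVACHJuRjZzArNe7LxfXyz6CnXPrB0KSss1ks3RVG7RL
hiEs93iHMuAW5Nq9TJXqpAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125w2oLJxGE
d2H2wnztwI14FBiZgZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhHM7BUxkYa
8zVhwQIpkFR+ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQpZ4rEAwID
AQABo4IBrTCCAakwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYD
VR0OBBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaAFE4L7xqkQFul
F2mHMMo0aEPQQa7yMGYGCCsGAQUFBwEBBFowWDAnBggrBgEFBQcwAYYbaHR0cDov
L29jc3Auc3RhcnRzc2wuY29tL2NhMC0GCCsGAQUFBzAChiFodHRwOi8vd3d3LnN0
YXJ0c3NsLmNvbS9zZnNjYS5jcnQwWwYDVR0fBFQwUjAnoCWgI4YhaHR0cDovL3d3
dy5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMCegJaAjhiFodHRwOi8vY3JsLnN0YXJ0
c3NsLmNvbS9zZnNjYS5jcmwwgYAGA1UdIAR5MHcwdQYLKwYBBAGBtTcBAgEwZjAu
BggrBgEFBQcCARYiaHR0cDovL3d3dy5zdGFydHNzbC5jb20vcG9saWN5LnBkZjA0
BggrBgEFBQcCARYoaHR0cDovL3d3dy5zdGFydHNzbC5jb20vaW50ZXJtZWRpYXRl
LnBkZjANBgkqhkiG9w0BAQUFAAOCAgEAnQfh7pB2MWcWRXCMy4SLS1doRKWJwfJ+
yyiL9edwd9W29AshYKWhdHMkIoDW2LqNomJdCTVCKfs5Y0ULpLA4Gmj0lRPM4EOU
7Os5GuxXKdmZbfWEzY5zrsncavqenRZkkwjHHMKJVJ53gJD2uSl26xNnSFn4Ljox
uMnTiOVfTtIZPUOO15L/zzi24VuKUx3OrLR2L9j3QGPV7mnzRX2gYsFhw3XtsntN
rCEnME5ZRmqTF8rIOS0Bc2Vb6UGbERecyMhK76F2YC2uk/8M1TMTn08Tzt2G8fz4
NVQVqFvnhX76Nwn/i7gxSZ4Nbt600hItuO3Iw/G2QqBMl3nf/sOjn6H0bSyEd6Si
BeEX/zHdmvO4esNSwhERt1Axin/M51qJzPeGmmGSTy+UtpjHeOBiS0N9PN7WmrQQ
oUCcSyrcuNDUnv3xhHgbDlePaVRCaHvqoO91DweijHOZq1X1BwnSrzgDapADDC+P
4uhDwjHpb62H5Y29TiyJS1HmnExUdsASgVOb7KD8LJzaGJVuHjgmQid4YAjff20y
6NjAbx/rJnWfk/x7G/41kNxTowemP4NVCitOYoIlzmYwXSzg+RkbdbmdmFamgyd6
0Y+NWZP8P3PXLrQsldiL98l+x/ydrHIEH9LMF/TtNGCbnkqXBP7dcg5XVFEGcE3v
qhykguAzx/Q=
-----END CERTIFICATE-----"""

CN_OID = b"\x55\x04\x03"  # 2.5.4.3 commonName

def pem_to_der(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(seq: bytes):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        yield tag, val

def issuer_and_subject(der: bytes):
    """Return the raw DER contents of the Issuer and Subject Name fields."""
    _, cert, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, tbs = next(children(cert))        # tbsCertificate
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def common_name(name: bytes) -> str:
    for _, rdn in children(name):        # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):     # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (_, value) = children(atv)
            if oid == CN_OID:
                return value.decode("utf-8")
    return ""

def issued_by(child_pem: str, parent_pem: str) -> bool:
    # RFC 5280 chaining: the child's Issuer must equal the parent's Subject.
    child_issuer, _ = issuer_and_subject(pem_to_der(child_pem))
    _, parent_subject = issuer_and_subject(pem_to_der(parent_pem))
    return child_issuer == parent_subject

def build_chain(leaf_pem: str, pool: list) -> list:
    """Order pool behind the leaf so each certificate is followed by its issuer,
    the order a concatenated server certificate file must use. Stops when the
    next issuer is not in the pool, which is the missing-intermediate case."""
    chain, current, remaining = [leaf_pem], leaf_pem, list(pool)
    while remaining:
        parent = next((p for p in remaining if issued_by(current, p)), None)
        if parent is None:
            break
        chain.append(parent)
        remaining.remove(parent)
        current = parent
    return chain
```

With the real server certificate as `leaf_pem` and the intermediate above in `pool`, `build_chain` returns the two certificates in the order the answer says to paste them; if the returned list is shorter than the set of certificates you expected to chain, an intermediate is missing and `common_name` on the last element's issuer tells you which one to fetch. The walker reads only the fixed-position tbsCertificate fields and performs no signature or validity checking, so it complements rather than replaces `openssl verify`.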