Linux AppEngine SSL fails from the command line


I loaded a RapidSSL/GeoTrust certificate into an AppEngine application. The site loads perfectly over SSL in the browser.

However, when I verify the certificate from the command line (Ubuntu 13.04), it fails. It is a general SSL failure, so all of my Python requests fail as well ("urllib3" fails, which makes "requests" fail):

I'm using one of their certificates on another server running NGINX, and verifying it there works without any problem:

$ openssl s_client -connect XYZ.com:443 
CONNECTED(00000003)
depth=1 C = US, O = "GeoTrust, Inc.", CN = RapidSSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/serialNumber=gQpQo/GwZhs9/JqYi8P8DsQNFmVC5VQB/OU=GT09052054/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=www.XYZ.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFRjCCBC6gAwIBAgIDDOW3MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
<truncated>
S6YumLnJrUVoCA==
-----END CERTIFICATE-----
subject=/serialNumber=gQpQo/GwZhs9/JqYi8P8DsQNFmVC5VQB/OU=GT09052054/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=www.XYZ.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3023 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: A69E838824AF4F74228A82105A74D708A63CB5FDE042A04072A937A9A25DC1C7
    Session-ID-ctx: 
    Master-Key: 35EACC6FCFA5F901AA355C0379289EE33FEB77334A95EC45A4A9D7CD22E4C944C76F998C2D9AAAF635FD88D02CDB7B08
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 5f 78 c7 0c da f1 7b ee-52 7a 4d 36 c0 28 b0 d7   _x....{.RzM6.(..
    <truncated>
    0090 - 5e fc 2c 37 d4 6f 20 0b-a6 aa 62 f4 df 90 1e 18   ^.,7.o ...b.....

    Start Time: 1374291906
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    ---
The site isn't finished yet, so I can't share the domain.

Any insight would be greatly appreciated.


Dustin

Are you using SNI or a VIP? If you're using SNI, you need to use -servername with openssl.

Hahaha. I love you, man (SNI). Why doesn't my NGINX server need this? And how do I do it from code (specifically Python "requests")?

Your NGINX server probably doesn't need SNI because it only knows about one certificate, so it doesn't have to "think" about which certificate to serve. SNI is only required when you try to serve multiple domains with multiple certificates from the same IP address. Regarding Python, the standard SSL package in Python 2.x does not support SNI. Some libraries may add SNI themselves, though. Also, the URLFetch service on App Engine supports SNI.

Having analyzed this in detail: "urllib3" adds SNI support, but this only works when Python is [allegedly] version 3.2 or higher (allegedly.. see). Specifically, it tries to import ssl.SSLContext. Otherwise, attaching the server name to the ssl context is not supported: context.wrap_socket(sock, server_hostname=server_hostname). Once I migrated my clients to Python 3, everything suddenly worked.
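The following is an added example (not code from the question or the answers above) showing, in Python 3 standard library only, what the accepted answer relies on: the `ssl.SSLContext` check urllib3 makes, a verifying context, the `wrap_socket(..., server_hostname=...)` call that puts SNI into the ClientHello (the Python equivalent of `openssl s_client -connect HOST:443 -servername HOST`), and a small classifier that tells a "wrong certificate served" failure from an "issuer missing from the CA bundle" failure. The host name is a placeholder, the function names are this example's own, and the error phrases in `classify_tls_error` are taken from the wording Python's ssl module and OpenSSL use.

```python
"""SNI-aware TLS client checks in Python 3 (stdlib only).

Added example; not code from the original question or answers. Host names
below are placeholders. Equivalent to:
    openssl s_client -connect HOST:443 -servername HOST
"""
import socket
import ssl
import sys


def sni_supported():
    """The detection the answer describes: urllib3 tests for ssl.SSLContext.
    Python 3's ssl module also reports ssl.HAS_SNI explicitly."""
    return hasattr(ssl, "SSLContext") and bool(getattr(ssl, "HAS_SNI", False))


def build_context(cafile=None, use_sni=True):
    """Client context that requires a trusted chain.

    With SNI the certificate's name is checked too.  Without SNI Python refuses
    check_hostname (wrap_socket raises ValueError: 'check_hostname requires
    server_hostname'), so only the chain is verified, which is what
    'openssl s_client' without -servername does.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None: system bundle
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = use_sni
    return ctx


def describe_context(ctx):
    """Plain-data summary of the context, handy for tests and logging."""
    return {"check_hostname": bool(ctx.check_hostname),
            "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED}


def peer_certificate(host, port=443, use_sni=True, cafile=None, timeout=5.0):
    """Handshake with host and return the leaf certificate as a dict.

    server_hostname is what puts the SNI extension in the ClientHello; a
    shared-IP front end uses it to pick which certificate to serve.
    """
    ctx = build_context(cafile=cafile, use_sni=use_sni)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()


def names_in(cert):
    """CN plus DNS SANs from a getpeercert() dict, in order, without repeats."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names


def classify_tls_error(exc):
    """Map an ssl/socket error message to its likely cause.

    The phrases are the ones Python's ssl module and OpenSSL emit; the labels
    returned are this example's own.
    """
    msg = str(exc).lower()
    if "check_hostname requires server_hostname" in msg:
        return "sni_required"       # hostname check requested without SNI
    if "hostname mismatch" in msg or "doesn't match" in msg:
        return "wrong_certificate"  # default cert served: pass server_hostname
    if "unable to get local issuer" in msg or "self signed" in msg:
        return "untrusted_chain"    # issuer not in CA bundle / intermediate missing
    return "other"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"  # placeholder
    for sni in (True, False):
        try:
            cert = peer_certificate(target, use_sni=sni)
            print("SNI=%s -> names: %s" % (sni, ", ".join(names_in(cert))))
        except (ssl.SSLError, OSError, ValueError) as err:
            print("SNI=%s -> %s (%s)" % (sni, classify_tls_error(err), err))
```

Run it as `python3 sni_check.py www.your-domain.example` to compare the certificate presented with and without SNI. A shared-IP front end that gets no server name typically answers with its default certificate, which shows up as `wrong_certificate`; `untrusted_chain` instead points at the client's CA bundle (or a chain the server did not send), which adding `-servername` will not change.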