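The certificate chain is incomplete, so the certificate is not trusted. Opening the site in the embedded browser of WeChat on Android just shows a blank page (without even a warning). Other browsers at least show a certificate warning.
Recently a project I am responsible for at my company needed to switch from HTTP to HTTPS. The certificate I was given was a file with the pfx extension, and I followed an online tutorial to generate the files with the crt and key extensions from it. The tutorial is at https://www.iamle.com/archives/1808.html . After Nginx was configured, the site opened without problems in PC browsers and in the iPhone browser as well; only Android failed. After some searching online, I found that the cause was an incomplete certificate chain. Inspecting the certificate chain with the method from https://www.187299.com/archives/2247 showed that it indeed contained only one certificate, whereas the certificate chain of another of our company's websites had no problem (it had two).
How do I complete the certificate? My approach is simple and crude.
First, use the following command to view the certificate of the company's working website: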
openssl s_client -showcerts -connect test.test.com.cn:443 -servername test.test.com.cn
The result is as follows:
... ... ...
Certificate chain
 0 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ZHEJIANG TEST Investment Management Co,. Ltd/OU=IT Department/CN=*.test.com.cn
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
-----BEGIN CERTIFICATE-----
MIIHIzCCBgugAwIBAgIQK+ofoZKQLfDt8+pkR3pUuzANBgkqhkiG9w0BAQsFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
...... ...... ...... ...... ...... ...... ...... ...... ......
8mSyQfceQxLR7t/L056LNeKiP03KJcdfSsh2JdEKHNS79c8XGX9c806FISlqUHqZ
L9mqCMuOmJ1f2qR7wnKOalq5WsgQp1xMwcGGN5Wt7XXdFT4WT/RgqqiS6eHjmBrr
2Df1cmj00A==
-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIETzCCAzegAwIBAgIDAjpvMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
...... ...... ...... ...... ......
3Kkbwbf7w0lZXLV3B0TUl/xJAIlvBk4BcBmsLxHA4uYPL4ZLjXvDuacu9PGsFj45
SVGeF0tPEDpbpaiSb/361gsDTUdWVxnzy2v189bPsPX1oxHSIFMTNDcFLENaY9+N
QNaFHlHpURceA1bJ8TCt55sRornQMYGbaLHZ6PPmlH7HrhMvh+3QJbBo+d4IWvMp
zNSS
-----END CERTIFICATE-----
... ... ...
You can see that the certificate chain contains two certificates.
Checking the certificate of the website I am responsible for gives the following result:
There is only one. So I opened the crt file on my own server with vim and added the missing part. Note that the structure of the crt file is different from the structure shown by the command above.
... ... ...
Certificate chain
 0 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ZHEJIANG TEST Investment Management Co,. Ltd/OU=IT Department/CN=*.test.com.cn
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
-----BEGIN CERTIFICATE-----
MIIHIzCCBgugAwIBAgIQK+ofoZKQLfDt8+pkR3pUuzANBgkqhkiG9w0BAQsFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
R2VvVHJ1c3QgU1NMIENBIC0gRzMwHhcNMTcwMzI4MDAwMDAwWhcNMjAwMzI3MjM1
OTU5WjCBpjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5nMREwDwYDVQQH
... ... ... ... ... ...
L9mqCMuOmJ1f2qR7wnKOalq5WsgQp1xMwcGGN5Wt7XXdFT4WT/RgqqiS6eHjmBrr
2Df1cmj00A==
-----END CERTIFICATE-----
... ... ...
The part above needs to be changed to the structure used in the crt file
 0 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ZHEJIANG TEST Investment Management Co,. Ltd/OU=IT Department/CN=*.test.com.cn
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
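An added example, not part of the original post: a Python parser for `openssl s_client -showcerts` output that reads only the "Certificate chain" section, flags a missing intermediate by comparing issuer and subject names, and emits the PEM-only content for the crt file. The sample output, the names in it and the `ROOTS` set are constructed assumptions, and the check compares names without verifying signatures.

```python
import re

ENTRY = re.compile(r"^\s*\d+ s:(.*)$")  # " 0 s:<subject>"
ISSUER = re.compile(r"^\s*i:(.*)$")     # "   i:<issuer>"

def parse_chain(text):
    """Return [(subject, issuer, pem)] from the 'Certificate chain' section only."""
    chain, subject, issuer, pem, in_chain = [], None, None, None, False
    for line in text.splitlines():
        if not in_chain:
            in_chain = line.strip() == "Certificate chain"
        elif line.strip() == "---":
            break  # the 'Server certificate' section after this repeats cert 0
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                chain.append((subject, issuer, "\n".join(pem) + "\n"))
                pem = None
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif m := ENTRY.match(line):
            subject, issuer = m.group(1).strip(), None
        elif m := ISSUER.match(line):
            issuer = m.group(1).strip()
    return chain

def chain_problems(chain, trusted_roots):
    """Name-based check of what the server sends; signatures are not verified."""
    if not chain:
        return ["no certificates sent"]
    problems = [f"out of order after {s}" for (s, i, _), (n, _, _) in zip(chain, chain[1:]) if i != n]
    last_subject, last_issuer, _ = chain[-1]
    if last_issuer != last_subject and last_issuer not in trusted_roots:
        problems.append(f"missing intermediate: {last_issuer}")
    return problems

def bundle(chain):
    """PEM blocks only, leaf first, without the 's:' / 'i:' header lines."""
    return "".join(pem for _, _, pem in chain)
# Constructed sample output: names and base64 bodies are placeholders.
PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
LEAF = " 0 s:/CN=*.example.test\n   i:/CN=Example SSL CA\n" + PEM % "TEVBRlBMQUNFSE9MREVS"
INTER = " 1 s:/CN=Example SSL CA\n   i:/CN=Example Root CA\n" + PEM % "SU5URVJQTEFDRUhPTERFUg=="
HEAD = "CONNECTED(00000003)\n---\nCertificate chain\n"
TAIL = "---\nServer certificate\n" + PEM % "TEVBRlBMQUNFSE9MREVS"
ROOTS = {"/CN=Example Root CA"}  # assumption: root names in the client's trust store
if __name__ == "__main__":
    for out in (HEAD + LEAF + TAIL, HEAD + LEAF + INTER + TAIL):
        print(chain_problems(parse_chain(out), ROOTS))
```

Because subjects are compared as opaque strings, the same code reads both the `/C=CN/...` form shown on this page and the comma-separated form printed by newer OpenSSL releases.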