ssl标签存档

问题:

我无法设置SSL。 我已经用Google搜索了,发现了一些解决方案,但是没有一个对我有用。 我需要一些帮助…

这是我尝试重新启动Nginx时遇到的错误:

[email protected]:~# service nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/conf.d/ssl/ssl.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

我的证书来自StartSSL,有效期为1年。

这是我测试的内容:

  • 证书和私钥没有尾随空格。
  • 我没有使用默认的server.key文件。
  • 我检查了nginx.conf,并且指令指向正确的私钥和证书。

我还检查了模数,并且密钥和证书的模数也不同。

谢谢您的帮助。 🙂

I’m not able to setup SSL.I’ve Googled and I found a few solutions but none of them worked for me.I need some help please…Here’s the error I get when I attempt to restart nginx:My certificate is from StartSSL and is valid for 1 year.Here’s what I tested:The certificate and private key has no trailing spaces.I’m not using the default server.key file.I checked the nginx.conf and the directives are pointing to the correct private key and certificate.I also checked the modulus, and I get a different modulus for both key and certificate.Thank you for your help.:)

问题:

我有一个Java Web服务客户端,它通过HTTPS使用Web服务。

import javax.xml.ws.Service;

@WebServiceClient(name = "ISomeService", targetNamespace = "http://tempuri.org/", wsdlLocation = "...")
public class ISomeService
    extends Service
{

    public ISomeService() {
        super(__getWsdlLocation(), ISOMESERVICE_QNAME);
    }

当我连接到服务URL( https://AAA.BBB.CCC.DDD:9443/ISomeService )时,我得到异常java.security.cert.CertificateException: No subject alternative names present

为了解决这个问题,我首先运行openssl s_client -showcerts -connect AAA.BBB.CCC.DDD:9443 > certs.txt并在文件certs.txt获得以下内容:

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=someSubdomain.someorganisation.com
   i:/CN=someSubdomain.someorganisation.com
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=someSubdomain.someorganisation.com
issuer=/CN=someSubdomain.someorganisation.com
---
No client certificate CA names sent
---
SSL handshake has read 489 bytes and written 236 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 512 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5            
    Session-ID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Session-ID-ctx:                 
    Master-Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Key-Arg   : None
    Start Time: 1382521838
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

AFAIK,现在我需要

  1. -----BEGIN CERTIFICATE----------END CERTIFICATE-----之间提取certs.txt的部分,
  2. 修改它,使证书名称等于AAA.BBB.CCC.DDD
  3. 然后使用keytool -importcert -file fileWithModifiedCertificate导入结果(其中fileWithModifiedCertificate是操作1和2的结果)。

它是否正确?

如果是这样,我如何才能使步骤1中的证书与基于IP的地址( AAA.BBB.CCC.DDD )一起使用?

更新1( 2013年10月23日15:37 MSK):在回答类似问题时 ,我读了以下内容:

如果您无法控制该服务器,请使用其主机名(前提是在现有证书中至少存在与该主机名匹配的CN)。

“使用”究竟是什么意思?

I have a Java web service client, which consumes a web service via HTTPS.When I connect to the service URL ( https://AAA.BBB.CCC.DDD:9443/ISomeService ), I get the exception java.security.cert.CertificateException: No subject alternative names present .To fix it, I first ran openssl s_client -showcerts -connect AAA.BBB.CCC.DDD:9443 > certs.txt and got following content in file certs.txt :AFAIK, now I need toextract the part of certs.txt between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- ,modify it so that the certificate name is equal to AAA.BBB.CCC.DDD andthen import the result using keytool -importcert -file fileWithModifiedCertificate (where fileWithModifiedCertificate is the result of operations 1 and 2).Is this correct?If so, how exactly can I make the certificate from step 1 work with IP-based adddress ( AAA.BBB.CCC.DDD ) ?Update 1 (23.10.2013 15:37 MSK): In an answer to a similar question , I read the following:If you’re not in control of that server, use its host name (provided that there is at least a CN matching that host name in the existing cert).What exactly does “use” mean?

问题:

我在Ubuntu上有Apache2 (在443上监听)和在Tomcat7上运行的Web应用程序(在8443上监听)。

我将apache2设置为反向代理,以便通过端口443而不是8443访问Web应用程序。此外,我需要在浏览器和apache2之间以及apache2和tomcat7之间进行SSL通信,因此我在apache2和tomcat7上都设置了SSL 。 如果我尝试通过直接联系tomcat7来访问Web应用程序,一切都很好。 问题是当我尝试通过apache2(反向代理)访问tomcat的web应用程序时,在浏览器上出现错误:

Proxy Error
The proxy server could not handle the request GET /web_app.
Reason: Error during SSL Handshake with remote server

I have Apache2 (listening on 443) and a web app running on Tomcat7 (listening on 8443) on Ubuntu .I set apache2 as reverse proxy so that I access the web app through port 443 instead of 8443. Besides, I need to have SSL communication not only between browser and apache2 but also between apache2 and tomcat7, thus I set SSL on both apache2 and tomcat7.If I try to access the web app by directly contacting tomcat7, everything is fine.The problem is that when I try to access the tomcat’s web app through apache2 (reverse proxy), on the browser appears the error:

问题:

问题:我的日志中出现此异常“基础连接已关闭:发生意外的错误”,并且随机中断[1小时-4小时],这破坏了我们与电子邮件营销系统的OEM集成。

我的网站托管在带有IIS 7.5.7600的Windows Server 2008 R2上。 该网站具有大量的OEM组件和全面的仪表板。 一切与网站的所有其他元素都可以正常使用,但电子邮件营销组件之一除外,我们将其用作仪表板中的iframe解决方案。 它的工作方式是,我发送带有所有凭据的httpWebRequestobject,并得到一个返回的URL,该URL放入iframe中并且可以正常工作。 但它只能工作一段时间[1小时-4小时],然后我得到以下异常“基本连接已关闭:发送时发生意外错误”,即使系统尝试从httpWebRequest获取URL,也是如此由于相同的异常而失败。 使它再次起作用的唯一方法是回收应用程序池或在web.config中编辑任何内容。 我真的筋疲力尽了所有我能想到的选择。

选项尝试

明确添加, keep-alive = false

keep-alive = true

增加了超时时间: <httpRuntime maxRequestLength="2097151" executionTimeout="9999999" enable="true" requestValidationMode="2.0" />

我已将此页面上载到非SSL网站,以检查生产服务器上的SSL证书是否正在建立连接以删除某些方式。

朝着分辨率的任何方向都将受到赞赏。

代码:

Public Function CreateHttpRequestJson(ByVal url) As String
    Try
        Dim result As String = String.Empty
        Dim httpWebRequest = DirectCast(WebRequest.Create("https://api.xxxxxxxxxxx.com/api/v3/externalsession.json"), HttpWebRequest)
        httpWebRequest.ContentType = "text/json"
        httpWebRequest.Method = "PUT"
        httpWebRequest.ContentType = "application/x-www-form-urlencoded"
        httpWebRequest.KeepAlive = False
        'ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3

        'TODO change the integratorID to the serviceproviders account Id, useremail 
        Using streamWriter = New StreamWriter(httpWebRequest.GetRequestStream())
            Dim json As String = New JavaScriptSerializer().Serialize(New With { _
            Key .Email = useremail, _
            Key .Chrome = "None", _
            Key .Url = url, _
            Key .IntegratorID = userIntegratorID, _
            Key .ClientID = clientIdGlobal _
            })

            'TODO move it to the web.config, Following API Key is holonis accounts API Key
            SetBasicAuthHeader(httpWebRequest, holonisApiKey, "")
            streamWriter.Write(json)
            streamWriter.Flush()
            streamWriter.Close()

            Dim httpResponse = DirectCast(httpWebRequest.GetResponse(), HttpWebResponse)
            Using streamReader = New StreamReader(httpResponse.GetResponseStream())
                result = streamReader.ReadToEnd()
                result = result.Split(New [Char]() {":"})(2)
                result = "https:" & result.Substring(0, result.Length - 2)
            End Using
        End Using
        Me.midFrame.Attributes("src") = result
    Catch ex As Exception
        objLog.WriteLog("Error:" & ex.Message)
        If (ex.Message.ToString().Contains("Invalid Email")) Then
            'TODO Show message on UI
        ElseIf (ex.Message.ToString().Contains("Email Taken")) Then
            'TODO Show message on UI
        ElseIf (ex.Message.ToString().Contains("Invalid Access Level")) Then
            'TODO Show message on UI
        ElseIf (ex.Message.ToString().Contains("Unsafe Password")) Then
            'TODO Show message on UI
        ElseIf (ex.Message.ToString().Contains("Invalid Password")) Then
            'TODO Show message on UI
        ElseIf (ex.Message.ToString().Contains("Empty Person Name")) Then
            'TODO Show message on UI
        End If
    End Try
End Function


Public Sub SetBasicAuthHeader(ByVal request As WebRequest, ByVal userName As [String], ByVal userPassword As [String])
    Dim authInfo As String = Convert.ToString(userName) & ":" & Convert.ToString(userPassword)
    authInfo = Convert.ToBase64String(Encoding.[Default].GetBytes(authInfo))
    request.Headers("Authorization") = "Basic " & authInfo
End Sub`

Issue : I get this exception “THE UNDERLYING CONNECTION WAS CLOSED: AN UNEXPECTED ERROR OCCURRED ON A SEND” in my logs and it is breaking our OEM integration with our email marketing system at random times varying from [1hour – 4 hours]My website is hosted on a windows server 2008 R2 with IIS 7.5.7600.This website has a large number of OEM components and comprehensive dashboard.Everything works fine with all the other elements of the website except with one of our email marketing component which we are using as an iframe solution within our dashboard.The way it works is, I send a httpWebRequestobject with all the credentials and i get a url back which i put in an iframe and it works.But it only works for some time [1 hour – 4 hours ]and then i get the below exception “THE UNDERLYING CONNECTION WAS CLOSED: AN UNEXPECTED ERROR OCCURRED ON A SEND” and even if the system tries to get the URL from the httpWebRequest it fails with the same exception.The only way to make it work again is to recycle the application pool or anything is edited in web.config.I am really exhausted all the option that i could think of.Option triedExplicitly added, keep-alive = falseIncreased the time out : <httpRuntime maxRequestLength="2097151" executionTimeout="9999999" enable="true" requestValidationMode="2.0" />I have uploaded this page to a non SSL website to check if the SSL certificate on our production server is making the connection to drop some how.Any direction toward resolution is greatly appreciated.Code :

问题:

我正在尝试通过HTTPS连接Java Web API; 但是,抛出异常:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException

我遵循了从在线keytool和SSL证书教程中学到的这些步骤:

  1. 我将HTTPS URL复制到浏览器中,使用Internet Explorer下载SSL证书并将其安装在浏览器中。

  2. 将证书导出到计算机上的路径,证书保存为.cer

  3. 使用了keytool的导入选项。 执行下面的命令没有任何错误。

     keytool -import -alias downloadedCertAlias -keystore C:\\path\\to\\my\\keystore\\cacerts.file -file C:\\path\\of\\exportedCert.cer

  4. 我在命令提示符下提示输入密码,然后我输入了密码。

  5. cmd窗口打印了一些证书数据和签名,我被提示问题:

    相信这个证书?

    我回答是的。

  6. 显示cmd提示符

    证书已添加到密钥库

    但是在该消息之后,显示了另一个异常:

     keytool error: java.io.FileNotFoundException: C:\\Program files\\...\\cacerts <Access Denied>

最后,当我检查密钥库时,没有添加SSL证书,我的应用程序提供了我在尝试连接时得到的相同异常:

(javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException)

I’m trying to connect a Java Web API via HTTPS;however, an exception is thrown:I followed these steps which I learned from online keytool & SSL cert tutorials:I copied the HTTPS URL into the browser, downloaded the SSL certificates & Installed them in the browser using Internet Explorer.Exported the certificates to a path on my computer, the certificates were saved as .cerUsed the keytool’s import option.The command below executed without any errors.I was prompted for a password at the command prompt, which I entered then I was authenticated.The cmd window printed some certificate data & signatures and I was prompted with the question:Trust this certificate?I answered yes.The cmd prompt displayedCertificate was added to keystoreHowever after that message, another exception was displayed:Finally when I checked the keystore , the SSL certificate was not added and my application gives the same exception I was getting earlier when trying to connect: