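"This certificate is not from a trusted authority" – Solution

  2015-07-19  Technology & Networking  5 min read

Ever since I moved this blog to MediaTemple (hereafter "MT hosting") and enabled SSL site-wide, Android phones visiting the blog always showed "This certificate is not from a trusted authority" and Firefox always showed a "sec_error_unknown_issuer" warning, yet everything displayed normally in IE, Chrome and Safari. So where was the problem?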


I had previously emailed MT hosting support, and the reply was:

Thank you for contacting (mt) Media Temple!
I have checked the status of the SSL installation and I can confirm it has been installed and working correctly.
That being said, as this SSL was not provided by us we are unable to provide troubleshooting for any issues that arise from 3rd party SSLs. You should contact the SSL provider regarding this issue. As a courtesy I have done a bit of research and found that the problem may be because no Issuer Chain was provided or you did not install it. Please bring this information to your SSL provider for help on what should be done.

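After that I redeployed SSL several more times, but the problem remained. Today I finally gave in and sent a support request to Comodo, and the reply was:

You may get this error message because the CA Certificates (Intermediates) were not properly imported on the server.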
It shows as follows
--------------------------------------------------------------------
Trusted by Microsoft? Yes
Trusted by Mozilla? No (unable to get local issuer certificate) UNTRUSTED
--------------------------------------------------------------------
This can be fixed by importing a proper CA Certificate bundle on your host. Please find the CA-Bundle file from the attachment and upload it on your host to fix this issue.
Please let us know if you need any further assistance.

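The attachment contained the "ca-bundle" certificate. Following past experience, I imported the certificate in the MT hosting control panel, but it still did not work. The problem remained, so where exactly was it? Later I found the article "Certificate Installation: Apache & mod_ssl" in the Comodo support documentation. It contains the following passage: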

In the VirtualHost section of the file please add these directives if they do not exist. It is best to comment out what is already there and add the below entries.
SSLEngine on
SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle ***

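At that point it suddenly occurred to me that there is an etc directory on the MT host, but it contained only a php.ini file and no ssl or ssl.crt directory at all. Drawing on past experience with overseas hosts, I immediately created an ssl directory inside etc, then an ssl.crt directory inside ssl, and, as the passage above suggests, put yourDomainName.crt and yourDomainName.ca-bundle into it.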


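Then I ran the test tool again: Trusted by Mozilla: Yes. I then borrowed an Android phone to visit the site and, sure enough, "This certificate is not from a trusted authority" no longer appeared. So that was where the untrusted-certificate problem came from. I am recording this in the hope that it gives others some ideas: when setting up SSL in the MT hosting CP, besides importing the certificate you also need the step above.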

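Postscript:
After further testing: when importing the certificate in the MT control panel, pasting the entire contents of yourDomainName.ca-bundle into the "CA/Chain Certificate" field is equivalent to the procedure above. I recommend pasting the entire contents of yourDomainName.ca-bundle into the "CA/Chain Certificate" field. In other words, combine the full contents of the certificates originally provided to us, AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt and COMODORSADomainValidationSecureServerCA.crt, and put them all into the "CA/Chain Certificate" field.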
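
The "unable to get local issuer certificate" verdict quoted in Comodo's reply can be reproduced offline. The script below is an added example, not part of the original post or of Comodo's documentation: it builds a constructed root, intermediate and leaf with the openssl CLI (1.1.1 or later assumed; all names and files are hypothetical) and verifies the leaf with and without the intermediate bundle.

```shell
# Added example with a constructed three-level PKI; all names and files are hypothetical.

build_demo_pki() {  # $1 = working directory
  d=$1
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = req
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root: stands in for the CA root already present in the client's trust store.
  openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate: signed by the root; this is what a ca-bundle carries.
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/demo.cnf" -extensions v3_ca -out "$d/int.crt" 2>/dev/null
  # Leaf: the site certificate, signed by the intermediate (not by the root).
  openssl req -config "$d/demo.cnf" -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -days 30 -out "$d/leaf.crt" 2>/dev/null
}

# check_chain ROOT LEAF [BUNDLE]: prints openssl's verdict and returns 0 only if a path
# from LEAF to ROOT can be built. BUNDLE plays the role of the chain the server sends.
check_chain() {
  if [ -n "${3:-}" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1)
  else
    out=$(openssl verify -CAfile "$1" "$2" 2>&1)
  fi
  printf '%s\n' "$out"
  case "$out" in *": OK") return 0 ;; *) return 1 ;; esac
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_demo_pki "$work"
cp "$work/int.crt" "$work/demo.ca-bundle"   # a real bundle concatenates every intermediate

echo "--- server sends only the leaf ---"
check_chain "$work/root.crt" "$work/leaf.crt" || echo "=> UNTRUSTED"
echo "--- server sends leaf + ca-bundle ---"
check_chain "$work/root.crt" "$work/leaf.crt" "$work/demo.ca-bundle" && echo "=> trusted"
```
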

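— When reposting articles from this site, please credit the author and source, 佐仔志; do not use them for any commercial purpose

— Written on 2015-07-19, 2259 characters in total;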


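18 responses to ""This certificate is not from a trusted authority" – Solution"

  1. 路杨 said:

    I switched to an Android phone specifically to visit. Everything is OK. Congratulations.

  2. 土木坛子 said:

    Good, the problem is finally solved.

  3. 河石子 said:

    It's working normally now.

  4. 老杨 said:

    SSL is quite a hassle too.

  5. 安心 said:

    You're now a WordPress tinkering expert too.

  6. 林木木 said:

    Solid content, bookmarking~

  7. 安心 said:

    Many sites have this problem, and you're the one who solved it. Impressive!

  8. 刘庆振 said:

    Why don't I understand this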
