浏览器,s_client 没有 SNI 和过期的证书
Browser, s_client without SNI and expired certificate
当我访问我的子域之一时:在浏览器中说 https://foo.example.com 并检查证书,证书看起来很棒。当我从远程计算机使用 openssl 时,它显示证书已过期。怎么会这样?
我试图重现在此 question 中找到的内容,但我的情况有所不同。当我运行
echo | openssl s_client -showcerts -connect foo.example.com:443 2>&1 | grep Verify
我明白了:
Verify return code: 10 (certificate has expired)
当我运行:
echo | openssl s_client -showcerts -connect foo.example.com:443 2>&1 | openssl x509 -noout -dates
我得到:
notBefore=Sep 27 15:10:20 2014 GMT
notAfter=Sep 27 15:10:20 2015 GMT
它看起来已过期,但浏览器并未显示它已过期。这是在浏览器中:
查看@jww 的第一条评论。他指出我需要将 -tls1 -servername foo.example.com 添加到我的 openssl 命令中。他的评论:
Try adding -tls1 -servername foo.example.com. I'm guessing you have a front-end server that's providing a default domain for requests without SNI, and the default domain is routed to an internal server with the old certificate. When the browsers connect, they use SNI and get the server for which you have updated the certificate. Or, there could be an intermediate with an expired certificate in the chain that's being served. If you provide real information, its easier for us to help you with problems like this.
当我访问我的子域之一时:在浏览器中说 https://foo.example.com 并检查证书,证书看起来很棒。当我从远程计算机使用 openssl 时,它显示证书已过期。怎么会这样?
我试图重现在此 question 中找到的内容,但我的情况有所不同。当我运行
echo | openssl s_client -showcerts -connect foo.example.com:443 2>&1 | grep Verify
我明白了:
Verify return code: 10 (certificate has expired)
当我运行:
echo | openssl s_client -showcerts -connect foo.example.com:443 2>&1 | openssl x509 -noout -dates
我得到:
notBefore=Sep 27 15:10:20 2014 GMT
notAfter=Sep 27 15:10:20 2015 GMT
它看起来已过期,但浏览器并未显示它已过期。这是在浏览器中:
查看@jww 的第一条评论。他指出我需要将 -tls1 -servername foo.example.com 添加到我的 openssl 命令中。他的评论:
Try adding -tls1 -servername foo.example.com. I'm guessing you have a front-end server that's providing a default domain for requests without SNI, and the default domain is routed to an internal server with the old certificate. When the browsers connect, they use SNI and get the server for which you have updated the certificate. Or, there could be an intermediate with an expired certificate in the chain that's being served. If you provide real information, its easier for us to help you with problems like this.