这是一个创建于 4080 天前的主题,其中的信息可能已经有所发展或是发生改变。
我从 http://www.v2ex.com/t/37139 这个帖子获悉ssl证书的购买和评分方式。
不过我这边遇到一些奇怪的问题,我购买的是:
http://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/rapidssl-certificate.aspx 证书,用在 https://www.gitshell.com/,评分也没有问题 https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.gitshell.com%2F
我发现的问题是,在我自己小米手机上,提示gitshell ssl证书不被认证,而godaddy的一些证书反而没有问题,还有,通过 curl 工具,发现也有小小不一样,比如:
> cloudzhou@cloudzhou:~$ curl https://www.paomi.com/|head
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
10<html xmlns="http://www.w3.org/1999/xhtml">
0<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf8" />
1 <title> 泡米网 - 好域名,赢未来 </title>
2 <meta content="no" http-equiv="imagetoolbar" />
... 立刻能显示内容
而访问 gitshell
> cloudzhou@cloudzhou:~$ curl https://www.gitshell.com/|head
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
nginx相关配置:
server {
listen 443;
server_name www.gitshell.com;
ssl on;
ssl_certificate ...gitshell.crt;
ssl_certificate_key ...gitshell.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 15m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
电脑版本的浏览器 firefox chrome 没有问题。
我在想是不是有什么地方我还没有做好?
能给我一些建议吗?
不过我这边遇到一些奇怪的问题,我购买的是:
http://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/rapidssl-certificate.aspx 证书,用在 https://www.gitshell.com/,评分也没有问题 https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fwww.gitshell.com%2F
我发现的问题是,在我自己小米手机上,提示gitshell ssl证书不被认证,而godaddy的一些证书反而没有问题,还有,通过 curl 工具,发现也有小小不一样,比如:
> cloudzhou@cloudzhou:~$ curl https://www.paomi.com/|head
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
10<html xmlns="http://www.w3.org/1999/xhtml">
0<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf8" />
1 <title> 泡米网 - 好域名,赢未来 </title>
2 <meta content="no" http-equiv="imagetoolbar" />
... 立刻能显示内容
而访问 gitshell
> cloudzhou@cloudzhou:~$ curl https://www.gitshell.com/|head
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
nginx相关配置:
server {
listen 443;
server_name www.gitshell.com;
ssl on;
ssl_certificate ...gitshell.crt;
ssl_certificate_key ...gitshell.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 15m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4:HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
电脑版本的浏览器 firefox chrome 没有问题。
我在想是不是有什么地方我还没有做好?
能给我一些建议吗?
目前尚无回复
Select Language