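The certificate chain is incomplete, so the certificate is not trusted. Opening the site in the embedded browser of WeChat on Android just shows a blank page (without even a warning). Other browsers at least show a certificate warning.
A project I am responsible for at my company recently had to switch from HTTP to HTTPS. The certificate I was given was a .pfx file, and I followed an online tutorial to generate the .crt and .key files from it. The tutorial is at https://www.iamle.com/archives/1808.html . After Nginx was configured, the site opened fine in a PC browser. It also opened fine in the iPhone browser; only Android failed. After some searching online, I found that the problem was an incomplete certificate chain. Using the method described at https://www.187299.com/archives/2247 to inspect the chain, sure enough it contained only one certificate, while the chain of another website of our company had no problem (it contained two).
How can the chain be completed? My approach is simple and crude.
First, use the command below to view the certificates of the company's working website: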
openssl s_client -showcerts -connect test.test.com.cn:443 -servername test.test.com.cn
The result is as follows:
...
...
...
Certificate chain
0 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ZHEJIANG TEST Investment Management Co,. Ltd/OU=IT Department/CN=*.test.com.cn
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
-----BEGIN CERTIFICATE-----
MIIHIzCCBgugAwIBAgIQK+ofoZKQLfDt8+pkR3pUuzANBgkqhkiG9w0BAQsFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
......
......
......
......
......
......
......
......
......
8mSyQfceQxLR7t/L056LNeKiP03KJcdfSsh2JdEKHNS79c8XGX9c806FISlqUHqZ
L9mqCMuOmJ1f2qR7wnKOalq5WsgQp1xMwcGGN5Wt7XXdFT4WT/RgqqiS6eHjmBrr
2Df1cmj00A==
-----END CERTIFICATE-----
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIIETzCCAzegAwIBAgIDAjpvMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
......
......
......
......
......
3Kkbwbf7w0lZXLV3B0TUl/xJAIlvBk4BcBmsLxHA4uYPL4ZLjXvDuacu9PGsFj45
SVGeF0tPEDpbpaiSb/361gsDTUdWVxnzy2v189bPsPX1oxHSIFMTNDcFLENaY9+N
QNaFHlHpURceA1bJ8TCt55sRornQMYGbaLHZ6PPmlH7HrhMvh+3QJbBo+d4IWvMp
zNSS
-----END CERTIFICATE-----
...
...
...
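You can see that the chain contains two certificates. Viewing the certificates of the site I am responsible for gives the following result: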
...
...
...
Certificate chain
0 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ZHEJIANG TEST Investment Management Co,. Ltd/OU=IT Department/CN=*.test.com.cn
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
-----BEGIN CERTIFICATE-----
MIIHIzCCBgugAwIBAgIQK+ofoZKQLfDt8+pkR3pUuzANBgkqhkiG9w0BAQsFADBE
MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEdMBsGA1UEAxMU
R2VvVHJ1c3QgU1NMIENBIC0gRzMwHhcNMTcwMzI4MDAwMDAwWhcNMjAwMzI3MjM1
OTU5WjCBpjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFpoZWppYW5nMREwDwYDVQQH
...
...
...
...
...
...
L9mqCMuOmJ1f2qR7wnKOalq5WsgQp1xMwcGGN5Wt7XXdFT4WT/RgqqiS6eHjmBrr
2Df1cmj00A==
-----END CERTIFICATE-----
...
...
...
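Only one. I opened the crt file on my own server with vim and added the missing part. Note that the structure of the crt file is different from the structure shown by the command above: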
0 s:/C=CN/ST=Zhejiang/L=Hangzhou/O=ZHEJIANG TEST Investment Management Co,. Ltd/OU=IT Department/CN=*.test.com.cn
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
The part above has to be changed to the structure used in the crt file.
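The manual vim step above can be scripted. The following is an added example, not part of the original post: it keeps only the BEGIN/END blocks from saved s_client output and appends the intermediate (entry 1) to a leaf-only crt file. The function names, file names and the sample output with placeholder certificate bodies are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample data below is constructed.

# Print the Nth (0-based) certificate from `openssl s_client -showcerts` output on
# stdin. Only the BEGIN..END block is kept; the "N s:/..." and "i:/..." lines are
# s_client annotations and do not belong in a .crt file.
extract_cert() {
  awk -v want="$1" '
    BEGIN { idx = 0; inblock = 0 }
    /-----BEGIN CERTIFICATE-----/ { inblock = 1 }
    inblock && idx == want + 0    { print }
    /-----END CERTIFICATE-----/   { inblock = 0; idx++ }
  '
}

# $1 = saved s_client output of the working site, $2 = leaf-only .crt, $3 = new chain file.
# Order matters for Nginx ssl_certificate: server certificate first, then intermediates.
build_chain() {
  cat "$2" > "$3"
  extract_cert 1 < "$1" >> "$3"
}

# Constructed stand-in for s_client output (placeholder bodies, not real certificates).
sample_output() {
  cat <<'EOF'
Certificate chain
 0 s:/CN=*.example.test
   i:/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtTEVBRg==
-----END CERTIFICATE-----
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtSU5URVJNRURJQVRF
-----END CERTIFICATE-----
EOF
}

demo() {
  dir=$(mktemp -d)
  sample_output > "$dir/good.txt"
  extract_cert 0 < "$dir/good.txt" > "$dir/server.crt"   # leaf only, like the broken site
  build_chain "$dir/good.txt" "$dir/server.crt" "$dir/fullchain.crt"
  cat "$dir/fullchain.crt"
  rm -rf "$dir"
}
demo
```

After pointing Nginx at the new file and reloading, rerunning the s_client command from the post against the fixed site should list both entry 0 and entry 1 under "Certificate chain".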