尝试连接 API 时如何修复“证书验证失败的自签名证书”?

问题描述 投票:0回答:5

在我的开发环境中,我正在构建将与仅接受 TLS 1.2(Authorize.net Ruby SDK)的 API 连接的代码。

#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (self signed certificate in certificate chain)>

我的同事可以在他的本地环境中运行代码而不会出现此错误。它依赖于ssl吗?我正在使用 openssl 1.1.1h 他正在使用 libressl。

更新:

输出:

─$ openssl s_client -showcerts -connect apitest.authorize.net:443

是:

CONNECTED(00000005) depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K verify return:1 depth=0 C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net verify return:1
--- Certificate chain  0 s:C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority
- L1K
-----BEGIN CERTIFICATE----- MIIGxzCCBa+gAwIBAgIQfjbSKF+9lNAAAAAAUP5NeTANBgkqhkiG9w0BAQsFADCB ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0y MDAyMDUyMDQ0MDhaFw0yMTAzMTUyMTE0MDhaMGoxCzAJBgNVBAYTAlVTMRMwEQYD VQQIEwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtGb3N0ZXIgQ2l0eTEWMBQGA1UEChMN QXV0aG9yaXplLk5ldDEYMBYGA1UEAwwPKi5hdXRob3JpemUubmV0MIIBIjANBgkq hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnBMtpwsQcEI3Pd7MKBPs/bhVye/yYNnL Pp3zrJloBy217QtpZpbXj9c1Sjt7xMXv9RotOt9aSbOsAc7CGkKPuwUIcdVbQg/8 gOlWxuT2zF+gek3NzmQSUSbrnVLe5XuT5OQBxjLH922Rm5OTJ3k6rcrQz6Q3nN37 hBClYcHBlTdnFTfCFsSDMAm2w9njNgLSkF1JaPnWfTPnda8xBmqLwJBDgTEy/a1P kPnbsosyp1/R9cE5Dn7VuFfzEgN/D9/YNbg8KxK63O5GVswc/mSzHT19wb4lgXlF zptvoYHKIyl1KwCw4/tt5fAuI59KRUAYzQKQFTcRZbNcYAEccmKilwIDAQABo4ID FjCCAxIwKQYDVR0RBCIwIIIPKi5hdXRob3JpemUubmV0gg1hdXRob3JpemUubmV0 MIIBfQYKKwYBBAHWeQIEAgSCAW0EggFpAWcAdQBVgdTCFpA2AUrqC5tXPFPwwOQ4 eHAlCBcvo6odBxPTDAAAAXAXNAX7AAAEAwBGMEQCIAOcM5IXfx51+2Ne2ApYlwkw /sHPMPZUSbXYwF6m4P4uAiBZOnqTkH63rvErM3JZ3nLc0om+qqRLriHI5KZxYN4O JQB2AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+UmFXWidDdAAABcBc0BggAAAQD AEcwRQIhAJrKOTbyOlcTpELU1FDB844Svqz0BQFO5a8beVuPQoulAiAZwnatMff6 6VGE80UJ8BqHDwPFZOjj5jt4dHtYKonU/AB2AKS5CZC0GFgUh7sTosxncAo8NZgE
+RvfuON3zQ7IDdwQAAABcBc0BgQAAAQDAEcwRQIgbC4cCT2jB38DWbzWobGL4NG1 9BdOTPaWd3acm2v+7yACIQDE2H8U5+65+IMrn5UXRFP/DdSCHNQI/xr7OKEQGDJp 4zAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC MDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwuZW50cnVzdC5uZXQvbGV2ZWwx ay5jcmwwSwYDVR0gBEQwQjA2BgpghkgBhvpsCgEFMCgwJgYIKwYBBQUHAgEWGmh0 dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBhMAgGBmeBDAECAjBoBggrBgEFBQcBAQRc MFowIwYIKwYBBQUHMAGGF2h0dHA6Ly9vY3NwLmVudHJ1c3QubmV0MDMGCCsGAQUF BzAChidodHRwOi8vYWlhLmVudHJ1c3QubmV0L2wxay1jaGFpbjI1Ni5jZXIwHwYD VR0jBBgwFoAUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHQYDVR0OBBYEFK069bMPyloE nNXcyli5AieCD9MiMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQELBQADggEBAB2wqZ17 AAmYCO4EnmXWDTp1D9iBbNQxYSnj6oR9w0kMVahQ4Q43rdERaw2BsNWByG2peXP0 GRoOTUr5dpAKu5qa1A4V93Y/pc8RuDM0mxI/EmgzO7D4eSPRvC6735sa6XVDc5mk G9hccypCAR6u+tYeXGTmcYG10zunnHPQIf67zM1INdm+pfMfBc/IzvZ7tVWkfOEQ Wl2C/+i5hcdrIONTWD7QWqmr34kZckq+NLcF0z2M70ZdwvdeWxf1xFjgGfdoakuH PsuQI8XDA9DMc3r4GbTid70rTB+z0DNajMz/jGOm7r/Sp2C8wK+ukrzd9vVpZyf/ Q+GfoA0hiovUxiI=
-----END CERTIFICATE-----  1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K    i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE----- MIIFDjCCA/agAwIBAgIMDulMwwAAAABR03eFMA0GCSqGSIb3DQEBCwUAMIG+MQsw CQYDVQQGEwJVUzEWMBQGA1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2Vl IHd3dy5lbnRydXN0Lm5ldC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMDkg RW50cnVzdCwgSW5jLiAtIGZvciBhdXRob3JpemVkIHVzZSBvbmx5MTIwMAYDVQQD EylFbnRydXN0IFJvb3QgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjAeFw0x NTEwMDUxOTEzNTZaFw0zMDEyMDUxOTQzNTZaMIG6MQswCQYDVQQGEwJVUzEWMBQG A1UEChMNRW50cnVzdCwgSW5jLjEoMCYGA1UECxMfU2VlIHd3dy5lbnRydXN0Lm5l dC9sZWdhbC10ZXJtczE5MDcGA1UECxMwKGMpIDIwMTIgRW50cnVzdCwgSW5jLiAt IGZvciBhdXRob3JpemVkIHVzZSBvbmx5MS4wLAYDVQQDEyVFbnRydXN0IENlcnRp ZmljYXRpb24gQXV0aG9yaXR5IC0gTDFLMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A MIIBCgKCAQEA2j+W0E25L0Tn2zlem1DuXKVh2kFnUwmqAJqOV38pa9vH4SEkqjrQ jUcj0u1yFvCRIdJdt7hLqIOPt5EyaM/OJZMssn2XyP7BtBe6CZ4DkJN7fEmDImiK m95HwzGYei59QAvS7z7Tsoyqj0ip/wDoKVgG97aTWpRzJiatWA7lQrjV6nN5ZGhT JbiEz5R6rgZFDKNrTdDGvuoYpDbwkrK6HIiPOlJ/915tgxyd8B/lw9bdpXiSPbBt LOrJz5RBGXFEaLpHPATpXbo+8DX3Fbae8i4VHj9HyMg4p3NFXU2wO7GOFyk36t0F ASK7lDYqjVs1/lMZLwhGwSqzGmIdTivZGwIDAQABo4IBDDCCAQgwDgYDVR0PAQH/ BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwMwYIKwYBBQUHAQEEJzAlMCMGCCsG AQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBgNVHR8EKTAnMCWgI6Ah hh9odHRwOi8vY3JsLmVudHJ1c3QubmV0L2cyY2EuY3JsMDsGA1UdIAQ0MDIwMAYE VR0gADAoMCYGCCsGAQUFBwIBFhpodHRwOi8vd3d3LmVudHJ1c3QubmV0L3JwYTAd BgNVHQ4EFgQUgqJwdN28Uz/Pe9T3zX+nYMYKTL8wHwYDVR0jBBgwFoAUanImetAe 733nO2lR1GyNn5ASZqswDQYJKoZIhvcNAQELBQADggEBADnVjpiDYcgsY9NwHRkw y/YJrMxp1cncN0HyMg/vdMNY9ngnCTQIlZIv19+4o/0OgemknNM/TWgrFTEKFcxS BJPok1DD2bHi4Wi3Ogl08TRYCj93mEC45mj/XeTIRsXsgdfJghhcg85x2Ly/rJkC k9uUmITSnKa1/ly78EqvIazCP0kkZ9Yujs+szGQVGHLlbHfTUqi53Y2sAEo1GdRv c6N172tkw+CNgxKhiucOhk3YtCAbvmqljEtoZuMrx1gL+1YQ1JH7HdMxWBCMRON1 exCdtTix9qrKgWRs6PLigVWXUX/hwidQosk8WwBD9lu51aX8/wdQQGcHsFXwt35u Lcw=
-----END CERTIFICATE-----  2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE----- MIIEPjCCAyagAwIBAgIESlOMKDANBgkqhkiG9w0BAQsFADCBvjELMAkGA1UEBhMC VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50 cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3Qs IEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVz dCBSb290IENlcnRpZmljYXRpb24gQXV0aG9yaXR5IC0gRzIwHhcNMDkwNzA3MTcy NTU0WhcNMzAxMjA3MTc1NTU0WjCBvjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVu dHJ1c3QsIEluYy4xKDAmBgNVBAsTH1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwt dGVybXMxOTA3BgNVBAsTMChjKSAyMDA5IEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0 aG9yaXplZCB1c2Ugb25seTEyMDAGA1UEAxMpRW50cnVzdCBSb290IENlcnRpZmlj YXRpb24gQXV0aG9yaXR5IC0gRzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC6hLZy254Ma+KZ6TABp3bqMriVQRrJ2mFOWHLP/vaCeb9zYQYKpSfYs1/T RU4cctZOMvJyig/3gxnQaoCAAEUesMfnmr8SVycco2gvCoe9amsOXmXzHHfV1IWN cCG0szLni6LVhjkCsbjSR87kyUnEO6fe+1R9V77w6G7CebI6C1XiUJgWMhNcL3hW wcKUs/Ja5CeanyTXxuzQmyWC48zCxEXFjJd6BmsqEZ+pCm5IO2/b1BEZQvePB7/1 U1+cPvQXLOZprE4yTGJ36rfo5bs0vBmLrpxR57d+tVOxMyLlbc9wPBr64ptntoP0 jaWvYkxN4FisZDQSA/i2jZRjJKRxAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAP BgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRqciZ60B7vfec7aVHUbI2fkBJmqzAN BgkqhkiG9w0BAQsFAAOCAQEAeZ8dlsa2eT8ijYfThwMEYGprmi5ZiXMRrEPR9RP/ jTkrwPK9T3CMqS/qF8QLVJ7UG5aYMzyorWKiAHarWWluBh1+xLlEjZivEtRh2woZ Rkfz6/djwUAFQKXSt/S1mja/qYh2iARVBCuch38aNzx+LaUa2NSJXsq9rD1s2G2v 1fN2D807iDginWyTmsQ9v4IbZT+mD12q/OWyFcq1rca8PdCE6OoGcrBNOTJ4vz4R nAuknZoh8/CbCzB428Hch0P+vGOaysXCHMnHjf87ElgI5rY97HosTvuDls4MPGmH VHOkc8KT/1EQrBVUAdj8BbGJoX90g5pJ19xOe4pIb4tF9g==
-----END CERTIFICATE-----
--- Server certificate subject=C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net

issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

--- No client certificate CA names sent
--- SSL handshake has read 4298 bytes and written 641 bytes Verification: OK
--- New, TLSv1.2, Cipher is AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: A2982432F7DD99178A611C2F5D25409F91236B173AF83B08C0E479142EB590AF
    Session-ID-ctx:
    Master-Key: ECBB0DEAE245D006AA30D090D9D00B8C937DBECB2F8D1A19EC8B720A5B3A1A946B55FC00C20778E0FD89E6EF98A730E1
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1608845194
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes

我在那里没有看到自签名证书?还是我走错路了...

代码很简单,如果你愿意的话可以在家尝试一下。

include AuthorizeNet::API
trx = AuthorizeNet::API::Transaction.new('8Gxa...', '6LKh9...', gateway: :sandbox)
request = CreateCustomerProfileRequest.new
request.profile = CustomerProfileType.new
request.profile.merchantCustomerId = 'abc'
request.profile.description = 'name'
response = trx.create_customer_profile(request)

所以我需要两件事:

  • 了解这是否是我的设置/环境的问题,以及如何修复它。
  • 或者,了解这是否是 API(Authorize.net)方面的问题以及如何弥补它或告诉他们实际发生了什么
api ssl openssl tls1.2
5个回答
2
投票

您是否与开发人员仔细检查了 libressl 在其设置中加载了哪些 CA 证书?

链中自签名错误意味着验证操作能够构建信任链,但无法在该链中找到证书颁发机构。

由于证书链检查和验证在其他地方确实有效,所以我首先验证他的设置。

更准确地说,如果我们看一下链条:

$ openssl s_client -showcerts -connect apitest.authorize.net:443

CONNECTED(00000003)
depth=2 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
verify return:1
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify return:1
depth=0 C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = Foster City, O = Authorize.Net, CN = *.authorize.net

issuer=C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K

---
No client certificate CA names sent
---
SSL handshake has read 4298 bytes and written 641 bytes
Verification: OK
---

这告诉我们该链使用 Entrust G2 根证书和 L1k 证书。

此 CA 证书可以从 https://www.entrust.com/resources/certificate-solutions/tools/root-certificate-downloads 下载(以仔细检查)。

我建议与开发人员验证该证书在他的设置中是否正确受信任。


0
投票

apitest.authorize.net
有通配符证书。

来自文件

x509v3.h
openssl-1.1.1h

/* Disable wildcard matching for dnsName fields and common name. */
# define X509_CHECK_FLAG_NO_WILDCARDS    0x2

这表明默认情况下禁用通配符匹配。

v3_utl.c

if (flags & X509_CHECK_FLAG_NO_WILDCARDS)
        equal = equal_nocase;
    else
        equal = equal_wildcard;

这意味着 Openssl 将使用不区分大小写的比较,在这种情况下

apitest.authorize.net
将不匹配
*.authorize.net


0
投票

事实证明,这实际上是authorize.net 沙箱所期望的。我需要传递一个

verify_ssl
标志并将其设置为 false。


0
投票

我猜你的服务器不必发送 Entrust 的根证书,它必然是自签名证书。

 2 s:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2
   i:C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2009 Entrust, Inc. - for authorized use only", CN = Entrust Root Certification Authority - G2

0
投票

这意味着证书链以自签名证书结尾,该证书不在您的代码正在使用的证书存储中,尽管它可以存在于您计算机上的其他证书存储中。

我认为要点可能是:

  1. 是否有代理拦截流量?
  2. 您的 ruby 代码、openssl 和其他应用程序使用哪些证书存储或文件。几乎可以肯定他们使用的是不同的。
  3. 将根证书添加到正确的证书存储中。 (这里是错误消息中的“自签名证书”。)
© www.soinside.com 2019 - 2024. All rights reserved.