该证书并非来自可信的授权中心–解决办法

自从把博客空间搬到MediaTemple(往后简称MT主机),全站SSL加密后安卓手机访问本博客时总时显示“该证书并非来自可信的授权中心”和Firefox浏览器总是显示“sec_error_unknown_issuer”警告,然而在IE/Chrome/Safari上都显示非常正常,到底那里出了问题呢?

20150719151524

曾经MT主机客服发过邮件,得到的回复是:

Thank you for contacting (mt) Media Temple!
I have checked the status of the SSL installation and I can confirm it has been installed and working correctly.
That being said, as this SSL was not provided by us we are unable to provide troubleshooting for any issues that arise from 3rd party SSLs. You should contact the SSL provider in regarding to this issue. As a courtesy I have done a bit of research and found that the problem may be because no Issuer Chain was provided or you did not install it. Please bring this information to your SSL provider for help on what should be done.

后来又重新几次布署SSL,问题依旧。今天终于忍不住向Comodo发现支持请求,得到的回复是:

You may get this error message due to the CA Certificates (Intermediates) were not properly imported on the server.
It shows as follows
——————————————————————–
Trusted by Microsoft? Yes
Trusted by Mozilla? No (unable to get local issuer certificate) UNTRUSTED
——————————————————————–
This can be fixed by importing a proper CA Certificate bundle on your host. Please find the CA-Bundle file from the attachment and upload it on your host to fix this issued.
Please let us know if you need any further assistance.

附件附上“ca-bundle”证书。按以往的经验在MT主机后台中导入相应证书,但是发现还是不行。问题依旧,问题到底出现在那里呢?后来在Comodo支持文档中找到“Certificate Installation: Apache & mod_ssl”这篇文章。里内有一段内容如下:

In the VirtualHost section of the file please add these directives if they do not exist. It is best to comment out what is already there and add the below entries.
SSLEngine on
SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
SSLCertificateChainFile /etc/ssl/ssl.crt/yourDomainName.ca-bundle ***

这个时候突然想到在MT主机上是有一个etc目录,但里面只有一个php.ini文件,根本没有SSL和SSL.CRT目录,根据以往使用国外主机的经验,马上在etc目录中建立ssl目录,再在ssl目录中建立好ssl.crt目的,然后根据上面内容所提示,把yourDomainName.crt和yourDomainName.ca-bundle放进其中。

20150719151030

然后再工具测试:Trusted by Mozilla:Yes。然后借台安卓手机访问,嘿,也没有在显示“该证书并非来自可信的授权中心”,原来SSL证书不可信问题就是出现在此。记录本文,希望给大家一些思路,在MT主机CP中设置SSL除了导入证书外,还需要以上这一步。

后补:
再经测试,你在MT后台导入证书时,把yourDomainName.ca-bundle所以内容放进“CA/Chain Certificate”选项中,也相当于上面的这样操作。我建议选择把yourDomainName.ca-bundle所以内容放进“CA/Chain Certificate”选项中。也就是把当初提供给我们的证书AddTrustExternalCARoot.crt、COMODORSAAddTrustCA.crt、COMODORSADomainValidationSecureServerCA.crt证书所有内容汇总后全放进“CA/Chain Certificate”选项中。

20 thoughts on “该证书并非来自可信的授权中心–解决办法

    1. 佐仔

      SSL不用太折腾啦,只是前期自已不是太懂而已,现在懂了,任何时间都可以再次布署而不用担心技术问题,这就是折腾的好处。

      回复

发表评论

电子邮件地址不会被公开。 必填项已用*标注