I operate web services at work, so renewing SSL certificates is part of the job.
During the latest renewal I ended up triggering an SSL certificate error in Firefox. Specifically, the sec_error_unknown_issuer warning appeared, and only in Firefox. Google Chrome and IE were fine.
TECH Matari » Archive » Firefox3+SSL: when you get sec_error_unknown_issuer
How to fix the sec_error_unknown_issuer warning for a RapidSSL certificate in Firefox
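These are notes on what I looked into at the time.
IE and Chrome accept the certificate without any problem, and something along those lines seems to be why Firefox rejects it.
To keep this from happening again, I looked into what countermeasures are available.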
Checking that an SSL certificate is correctly installed on a web server - @IT
Checker tools exist, but it looked like they would probably not work for a setup running behind a VIP, so I gave up on that route.
Wondering whether the only option was to check by eye in a browser, I went looking for a way to confirm it from the command line and found a method that uses the openssl command.
Verifying the validity of an SSL certificate with the openssl command | TechRacho
Checking certificate information with the openssl command - Glide Note
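Run a command like the following against the server where the SSL certificate is installed. If Verify return code comes back as 0 (ok), everything is fine; any other value indicates some kind of error.
Running the command from my own VPS against twitter.com gives output like this.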
% openssl s_client -connect twitter.com:443 << EOF
heredoc> HEAD / HTTP/1.0
heredoc> EOF
CONNECTED(00000003)
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL CA
verify return:1
depth=0 1.3.6.1.4.1.311.60.2.1.3 = US, 1.3.6.1.4.1.311.60.2.1.2 = Delaware, businessCategory = Private Organization, serialNumber = 4337446, C = US, postalCode = 94107, ST = California, L = San Francisco, street = "795 Folsom St, Suite 600", O = "Twitter, Inc.", OU = Twitter Security, CN = twitter.com
verify return:1
---
Certificate chain
0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGfDCCBWSgAwIBAgIQHiLHN6ORXj+rZcS1pByuRjANBgkqhkiG9w0BAQUFADCB
ujELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwNjE0MDIGA1UEAxMr
VmVyaVNpZ24gQ2xhc3MgMyBFeHRlbmRlZCBWYWxpZGF0aW9uIFNTTCBDQTAeFw0x
MjA0MTAwMDAwMDBaFw0xNDA1MTAyMzU5NTlaMIIBFzETMBEGCysGAQQBgjc8AgED
EwJVUzEZMBcGCysGAQQBgjc8AgECEwhEZWxhd2FyZTEdMBsGA1UEDxMUUHJpdmF0
ZSBPcmdhbml6YXRpb24xEDAOBgNVBAUTBzQzMzc0NDYxCzAJBgNVBAYTAlVTMQ4w
DAYDVQQRFAU5NDEwNzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxQNU2Fu
IEZyYW5jaXNjbzEhMB8GA1UECRQYNzk1IEZvbHNvbSBTdCwgU3VpdGUgNjAwMRYw
FAYDVQQKFA1Ud2l0dGVyLCBJbmMuMRkwFwYDVQQLFBBUd2l0dGVyIFNlY3VyaXR5
MRQwEgYDVQQDFAt0d2l0dGVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAL7pd7TChZF0U21aCfxUIzdUHm4siWxcQ678xRerDI2hXmThiUyVKnHS
CeSB+gDBXG4qoRHSEcwq7J1YhFscsKz6o4ktsWLqVowGSWNbW92ZbtjOGkTD3xdp
O8Fqfgcs5Lq1yK517nrbtEp6OXEWcoWv15voP4wV7Z9HjCP6v5N1MmrPN187wDMH
W1meJqxQ/7LiULgVQMVV/U6qLOhUeNpl/06CqxScU1bfnbep5SohUG+z6d8CUaPX
55EhGtAPzXNJAHDSkiNgSKkPr1USJ9YiXusqmjcPChRfkT77kROjWnxgV+oucF+T
ja+Ist8acKy2sgCidhUyuXCWG44bIf8CAwEAAaOCAhwwggIYMCcGA1UdEQQgMB6C
D3d3dy50d2l0dGVyLmNvbYILdHdpdHRlci5jb20wCQYDVR0TBAIwADAdBgNVHQ4E
FgQUtXiQRnmvbuddQEjER8bw4CjBMYQwCwYDVR0PBAQDAgWgMEIGA1UdHwQ7MDkw
N6A1oDOGMWh0dHA6Ly9FVlNlY3VyZS1jcmwudmVyaXNpZ24uY29tL0VWU2VjdXJl
MjAwNi5jcmwwRAYDVR0gBD0wOzA5BgtghkgBhvhFAQcXBjAqMCgGCCsGAQUFBwIB
FhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMB0GA1UdJQQWMBQGCCsGAQUF
BwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBT8ilC6nrklWntVhU+VAGOP6VhrQzB8
BggrBgEFBQcBAQRwMG4wLQYIKwYBBQUHMAGGIWh0dHA6Ly9FVlNlY3VyZS1vY3Nw
LnZlcmlzaWduLmNvbTA9BggrBgEFBQcwAoYxaHR0cDovL0VWU2VjdXJlLWFpYS52
ZXJpc2lnbi5jb20vRVZTZWN1cmUyMDA2LmNlcjBuBggrBgEFBQcBDARiMGChXqBc
MFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIaBBRLa7kolgYMu9BSOJsprEsH
iyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5jb20vdnNsb2dvMS5naWYwDQYJ
KoZIhvcNAQEFBQADggEBAAqg81oADEdE+/Clm4Q43avFTkpuHkpYbu0bDvSVhoMS
n12b0CAtIgY7Sg+kI0/T0PaaDDxy6lEm8YAu/NLNvgXhIEYKxZQ7sUrKrfY+avdM
PumYGkWeQ0xEf0ZLbGCfp9DA+cwxGgZaxT0HdhLhSZOvlw3F3vWezUuriUYacRL6
AW1EzC3uU2zj6T0z2v75Xa8u6AwY6YqAoMJCyR12bc7sGkRoD0ak27DdvP56qh5N
0tjHHMI1d6IJs0TAO26/SVI7YlQXEstKHk9iJzappwZ/0HZJsepX7jIxvlxyKKGb
8MQGjSCwx8bY2PbYaLe0rkk2IjH0aMUlHW77DpNAK40=
-----END CERTIFICATE-----
subject=/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/businessCategory=Private Organization/serialNumber=4337446/C=US/postalCode=94107/ST=California/L=San Francisco/street=795 Folsom St, Suite 600/O=Twitter, Inc./OU=Twitter Security/CN=twitter.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)06/CN=VeriSign Class 3 Extended Validation SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3483 bytes and written 427 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID: 9C7E3AD1AE37C80686E1C838ED75E6905143CACC51D0913355129B02378006C3
Session-ID-ctx:
Master-Key: 8FE0C17521A270B4852926BF37D53B466E59205F323D881BD78F55EA0CF8AE95E2705C8DFF4447EDAFF9D468B741EA8C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 14400 (seconds)
TLS session ticket:
0000 - 8c 59 26 0b 6a 51 53 81-2f 71 4c 41 4d c0 e2 2a .Y&.jQS./qLAM..*
0010 - d7 08 94 ca 1a 0f c8 87-da 11 b5 9b b5 52 af c5 .............R..
0020 - a0 38 57 41 60 9f ae ce-45 06 75 83 54 c1 53 37 .8WA`...E.u.T.S7
0030 - 8b b3 08 3f 62 3d aa 55-3c 2b f7 87 32 ab a2 ad ...?b=.U<+..2...
0040 - 78 89 0c 0b d7 55 21 45-4a c2 85 55 e5 c4 b8 72 x....U!EJ..U...r
0050 - 4b e3 0a 18 08 0e 4c ed-88 f3 98 bb 74 03 cc fb K.....L.....t...
0060 - 62 61 ea b0 ad 62 d8 b4-b7 0b fa 33 0b 62 fd 5c ba...b.....3.b.\
0070 - e8 9b 5c a6 27 c6 4a 7d-11 d1 13 c9 94 25 55 70 ..\.'.J}.....%Up
0080 - b4 b0 35 e0 14 bb 55 09-ce df 24 dc 06 71 1f 20 ..5...U...$..q.
0090 - 91 03 27 9d af 55 43 0c-f3 ac 2a 27 d5 4a 80 0a ..'..UC...*'.J..
Start Time: 1376489269
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
Verify return code comes back as 0, as it should. When I ran the openssl command against the server that held the certificate Firefox had rejected, the output instead contained
Verify return code: 21 (unable to verify the first certificate)
Now that I know what to check, starting with the next release let's check the openssl result as well before releasing.
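
A small release gate for the check described above, as an added example that is not from the original post. The function names and the two sample outputs are constructed for illustration; only the `Verify return code` lines mirror the outputs shown on this page.

```shell
#!/bin/sh
# Added example: fail a release step unless openssl reports
# "Verify return code: 0 (ok)" for the deployed certificate chain.

# Read s_client output on stdin and print the numeric verify code.
# Newer OpenSSL versions can print the line more than once; the last one wins.
# Returns 1 and prints nothing when no such line exists (e.g. connect failed).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' \
        | tail -n 1 | grep .
}

# Returns 0 only when the output on stdin reports code 0,
# 1 for any other code (such as 21), 2 when no code was found at all.
chain_ok() {
    code=$(verify_code) || {
        echo "no Verify return code in output" >&2
        return 2
    }
    [ "$code" -eq 0 ] && return 0
    echo "certificate verification failed: code $code" >&2
    return 1
}

# Live check against a host (needs network access and the openssl CLI).
# Usage: check_host www.example.com [port]   (hostname is a placeholder)
check_host() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        </dev/null 2>/dev/null | chain_ok
}

# Constructed sample outputs, trimmed to the lines the gate cares about.
SAMPLE_OK='CONNECTED(00000003)
    Verify return code: 0 (ok)
---'
SAMPLE_BAD='CONNECTED(00000003)
    Verify return code: 21 (unable to verify the first certificate)
---'
```

By default s_client carries on with the handshake after a verification failure unless `-verify_return_error` is given, so the gate reads the reported code rather than trusting the exit status. The result also reflects the trust store of the machine running openssl, so run it from a host whose CA bundle is representative.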