TLS - Certificate hostname does not verify

Time: 2014-07-28 15:56:33

Tags: email ssl ubuntu-10.04 plesk

After changing the SSL certificate on a virtual server running Plesk and Ubuntu, I suddenly ran into problems with email.

Certificate hostname does not verify (mail.koemanmotoren.nl != www.koemanmotoren.nl) http://www.checktls.com/perl/TestReceiver.pl

Mail: e.g. kleding@koemanmotoren.nl

And indeed this site seems to verify that the hostname is mail.koemanmotoren.nl: https://www.ssllabs.com/ssltest/analyze.html?d=koemanmotoren.nl

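But I have changed every hostname I could find, and when I change it in Plesk or over SSH it gets changed automatically everywhere anyway, so another hostname must be recorded somewhere?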

The certificate was purchased and validated for koemanmotoren.nl and www.koemanmotoren.nl.

1 answer:

Answer 0: (score: 2)

You appear to be using the same certificate on mail.koemanmotoren.nl and www.koemanmotoren.nl (see below). The subject identifiers are both 26:61:81:B0...4A:F8:4F:5B

It looks like your DNS is incorrect. You are using the same IP address for mail.koemanmotoren.nl and www.koemanmotoren.nl.

$ dig mail.koemanmotoren.nl a

;; QUESTION SECTION:
;mail.koemanmotoren.nl.     IN  A

;; ANSWER SECTION:
mail.koemanmotoren.nl.  21164   IN  A   176.28.10.250

$ dig www.koemanmotoren.nl a
...

;; QUESTION SECTION:
;www.koemanmotoren.nl.      IN  A

;; ANSWER SECTION:
www.koemanmotoren.nl.   21223   IN  A   176.28.10.250

If that is correct, then the certificate is missing a Subject Alternative Name (SAN) for mail.koemanmotoren.nl.


According to DNS, your mail server is mail.koemanmotoren.nl

$ dig koemanmotoren.nl mx
...

;; ANSWER SECTION:
koemanmotoren.nl.   21219   IN  MX  10 mail.koemanmotoren.nl.

;; ADDITIONAL SECTION:
mail.koemanmotoren.nl.  13180   IN  A   176.28.10.250

However, your mail server appears to be using your web server's certificate.

$ openssl s_client -connect mail.koemanmotoren.nl:993 2>&1 | openssl x509 -text -noout

        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
        ...
            X509v3 Subject Alternative Name: 
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl
                ...

It looks like you have nothing on 465:

$ openssl s_client -connect mail.koemanmotoren.nl:465
CONNECTED(00000003)
140735144829404:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
...

$ openssl s_client -connect mail.koemanmotoren.nl:443 2>&1 | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:21:13:40:67:18:79:8f:1d:3f:c5:48:48:f4:2c:f1:24:b6
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=BE, O=GlobalSign nv-sa, CN=GlobalSign Domain Validation CA - SHA256 - G2
        Validity
            Not Before: Jun 10 11:20:11 2014 GMT
            Not After : Jul 15 10:12:25 2015 GMT
        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:eb:cf:e0:55:34:52:79:43:8b:49:1b:65:1c:b1:
                    ed:ad:93:52:12:b9:3a:55:d7:c2:10:10:cc:3f:2c:
                    e0:11:9a:4b:5b:ba:eb:3b:5f:f7:ad:74:e2:15:ba:
                    04:14:bc:52:84:ce:4b:a3:e7:a5:48:45:0f:09:cc:
                    b9:98:2d:1c:0a:00:75:0d:d0:ac:d6:88:52:5b:50:
                    fb:bb:10:8b:8d:17:ce:1b:ba:61:23:46:7e:77:70:
                    0e:d4:89:17:bb:2a:76:62:17:d9:12:ae:7a:1d:8e:
                    f1:b6:ff:f3:53:76:cd:74:fb:c9:c4:99:27:c8:4c:
                    5d:9d:07:53:53:d5:16:42:f5:0f:cd:75:01:82:20:
                    05:07:d6:19:a7:9d:77:85:84:97:cb:61:5a:f9:10:
                    d1:88:e4:7c:09:97:8c:9a:c1:4f:b9:a6:bf:57:87:
                    ab:87:59:01:fa:48:3f:86:5e:fe:15:49:8c:32:de:
                    6b:01:23:ea:6c:d3:fc:77:f8:c5:3f:41:89:18:74:
                    1b:44:87:b8:76:e4:cd:b8:be:33:0b:71:7d:4e:7f:
                    83:0a:46:7e:ef:63:ce:0a:20:7e:7c:aa:2a:d4:82:
                    af:95:a9:29:3d:13:e6:52:51:f2:74:ef:93:70:d9:
                    71:9b:1f:19:a5:d0:f7:9e:cc:c8:3d:63:6a:a6:35:
                    7c:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                  CPS: https://www.globalsign.com/repository/

            X509v3 Subject Alternative Name: 
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.globalsign.com/gs/gsdomainvalsha2g2.crl

            Authority Information Access: 
                CA Issuers - URI:http://secure.globalsign.com/cacert/gsdomainvalsha2g2r1.crt
                OCSP - URI:http://ocsp2.globalsign.com/gsdomainvalsha2g2

            X509v3 Subject Key Identifier: 
                26:61:81:B0:89:19:AF:DC:BE:01:DC:59:C1:28:F0:D4:4A:F8:4F:5B
            X509v3 Authority Key Identifier: 
                keyid:EA:4E:7C:D4:80:2D:E5:15:81:86:26:8C:82:6D:C0:98:A4:CF:97:0F

    Signature Algorithm: sha256WithRSAEncryption
         7a:84:d6:2e:31:44:25:95:aa:d0:30:b6:2e:8c:1b:a9:a3:f3:
         2e:f3:9c:0d:cf:a9:51:29:5f:39:ac:f2:1d:4b:f7:e0:50:05:
         bf:b6:51:f1:0b:a9:43:42:32:9e:40:45:f3:e9:a7:7a:97:7e:
         aa:80:c6:0f:f3:89:5c:87:d4:51:c3:44:a1:55:0a:16:3f:66:
         8e:1e:af:74:95:18:98:ef:be:08:e5:20:f0:b2:20:4c:88:8e:
         8b:00:c3:5d:0b:aa:cc:b6:80:23:83:3a:24:83:8d:fa:13:14:
         bf:76:be:60:d0:c8:ce:6e:8d:22:01:90:0f:f4:5e:fa:d6:80:
         25:e9:ff:d6:07:1d:95:41:4b:74:c2:a7:a3:e3:02:c4:d3:77:
         3e:c9:e2:71:49:ba:4b:71:f8:92:0d:92:24:72:3c:ac:47:ef:
         5e:54:2b:c4:ed:5c:78:9d:75:17:f5:7f:23:bd:af:ee:35:4a:
         54:0e:72:00:45:45:0a:be:8f:ba:d5:3b:18:f9:8b:e0:0a:25:
         74:76:21:01:67:50:6a:0b:7a:3c:fb:c4:b5:ab:f5:01:56:97:
         8f:28:d0:28:54:0c:38:5d:7d:36:8d:89:6b:27:62:dd:93:e2:
         ea:7f:88:e8:cb:df:0b:4c:74:19:1f:7e:be:54:08:6b:85:e0:
         28:52:c9:d7
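
The check that fails in this thread, as an added example that is not part of the original question or answer: it reads the SAN line from the `openssl x509 -text` excerpt quoted above and tests each hostname a client connects to. The function names and the simplified matching rules (whole-label wildcard only) are assumptions of this example.

```python
import re

# Excerpt of the `openssl x509 -text` output quoted in the answer above.
CERT_TEXT = """\
        Subject: OU=Domain Control Validated, CN=www.koemanmotoren.nl
            X509v3 Subject Alternative Name:
                DNS:www.koemanmotoren.nl, DNS:koemanmotoren.nl
            X509v3 Basic Constraints:
                CA:FALSE
"""


def san_dns_names(cert_text):
    """Return the dNSName entries of the SAN extension from openssl text output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n([^\n]*)", cert_text)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[4:].lower() for e in entries if e.startswith("DNS:")]


def name_matches(pattern, host):
    """Simplified RFC 6125-style match: case-insensitive, label by label.

    A wildcard is honoured only as the entire leftmost label; partial
    wildcards such as "f*.example" are treated as literals and never match.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard covers exactly one label
    if p[0] == "*":
        # Refuse "*.tld"; require at least two fixed labels after the wildcard
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covers(cert_text, host):
    """True if any SAN dNSName in the certificate matches host."""
    return any(name_matches(n, host) for n in san_dns_names(cert_text))


def uncovered(cert_text, hosts):
    """Hostnames clients connect to that the certificate does not cover."""
    return [h for h in hosts if not covers(cert_text, h)]


if __name__ == "__main__":
    # MX target and web names taken from the dig output above
    for host in ("mail.koemanmotoren.nl", "www.koemanmotoren.nl", "koemanmotoren.nl"):
        print(host, "OK" if covers(CERT_TEXT, host) else "NOT COVERED")
```

The same comparison is what a sending mail server or mail client performs against the MX hostname, which is why a certificate valid for the website is rejected on the mail ports.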