networ@amila:~/dl$ openssl s_client -CApath /etc/ssl/certs/ -connect helloworld.letsencrypt.org:443
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify return:1
depth=1 C = US, O = IdenTrust, OU = TrustID Server, CN = TrustID Server CA A52
verify return:1
depth=0 CN = letsencrypt.org, O = INTERNET SECURITY RESEARCH GROUP, L = Mountain View, ST = California, C = US
verify return:1
Certificate chain
0 s:/CN=letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
i:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
1 s:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
2 s:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate
-----BEGIN CERTIFICATE-----
MIIHAjCCBeqgAwIBAgIQfwAAAQAAAUmAvXTS3iWN1jANBgkqhkiG9w0BAQsFADBa
MQswCQYDVQQGEwJVUzESMBAGA1UEChMJSWRlblRydXN0MRcwFQYDVQQLEw5UcnVz
dElEIFNlcnZlcjEeMBwGA1UEAxMVVHJ1c3RJRCBTZXJ2ZXIgQ0EgQTUyMB4XDTE0
MTEwNTE2MTU0MFoXDTE3MTEwNDE1MTU0MFowfzEYMBYGA1UEAxMPbGV0c2VuY3J5
cHQub3JnMSkwJwYDVQQKEyBJTlRFUk5FVCBTRUNVUklUWSBSRVNFQVJDSCBHUk9V
UDEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzETMBEGA1UECBMKQ2FsaWZvcm5pYTEL
MAkGA1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDKyGpX
JC7lnKPJ0gj2kSBquPJj+QIsUnJ8Zq8zxUVMt2XkdoAspzkJPto0pDijpzDJ/bOx
fTV+uhOY3evOagDmNMYD6UjLAoVzlJftjmO3ZpHuoRBGqKxUICvc/VfFhniyjM7d
ekzHCvNjhHPDIt5XjiFmGXz9vnYx0POT4USMaf/twVXWNMW99cCjsCYnxl7fSAqH
E0Mso8wYx5JKLM2kM58pJDrIwDtKqZ2SD5JPbtBwwom2Q9pl2JKMy+TiabUk88N1
AGZ0WQoMPsNg0YAWu4/V4GV/9xm8GV6He8F9nbynuEqLaA0hDRq1Du35rkgiVR12
XjwcLdl1GTF0ROBVAgMBAAGjggOdMIIDmTAOBgNVHQ8BAf8EBAMCBaAwggInBgNV
HSAEggIeMIICGjCCAQsGCmCGSAGG+S8ABgMwgfwwQAYIKwYBBQUHAgEWNGh0dHBz
Oi8vc2VjdXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3BvbGljeS90cy8w
gbcGCCsGAQUFBwICMIGqGoGnVGhpcyBUcnVzdElEIFNlcnZlciBDZXJ0aWZpY2F0
ZSBoYXMgYmVlbiBpc3N1ZWQgaW4gYWNjb3JkYW5jZSB3aXRoIElkZW5UcnVzdCdz
IFRydXN0SUQgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vc2Vj
dXJlLmlkZW50cnVzdC5jb20vY2VydGlmaWNhdGVzL3BvbGljeS90cy8wggEHBgZn
gQwBAgIwgfwwQAYIKwYBBQUHAgEWNGh0dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5j
b20vY2VydGlmaWNhdGVzL3BvbGljeS90cy8wgbcGCCsGAQUFBwICMIGqGoGnVGhp
cyBUcnVzdElEIFNlcnZlciBDZXJ0aWZpY2F0ZSBoYXMgYmVlbiBpc3N1ZWQgaW4g
YWNjb3JkYW5jZSB3aXRoIElkZW5UcnVzdCdzIFRydXN0SUQgQ2VydGlmaWNhdGUg
UG9saWN5IGZvdW5kIGF0IGh0dHBzOi8vc2VjdXJlLmlkZW50cnVzdC5jb20vY2Vy
dGlmaWNhdGVzL3BvbGljeS90cy8wHQYDVR0OBBYEFJw3Eum8SMFAaDP3gCqgvuIj
hRbnMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly92YWxpZGF0aW9uLmlkZW50cnVz
dC5jb20vY3JsL3RydXN0aWRjYWE1Mi5jcmwwgYQGCCsGAQUFBwEBBHgwdjAwBggr
BgEFBQcwAYYkaHR0cDovL2NvbW1lcmNpYWwub2NzcC5pZGVudHJ1c3QuY29tMEIG
CCsGAQUFBzAChjZodHRwOi8vdmFsaWRhdGlvbi5pZGVudHJ1c3QuY29tL2NlcnRz
L3RydXN0aWRjYWE1Mi5wN2MwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC
MB8GA1UdIwQYMBaAFKJWJDzQ1BW56L94oxMQWEguFlThMC8GA1UdEQQoMCaCD2xl
dHNlbmNyeXB0Lm9yZ4ITd3d3LmxldHNlbmNyeXB0Lm9yZzANBgkqhkiG9w0BAQsF
AAOCAQEAipndRUuMkBFtqrvU4sUGZNtVhwhmgNkssiWVhzceiVovSQJVUe1IXfCX
ayEoYkM2M1RWgNROYupws6xH7L01wxHfLii0xabI75pqX2duiEUobaAt0wzKVZSj
QGaH5ZY+gqgV15vq+06iwPugPYxt6wl5g4OWLrPNGUli7cALHHRITwala2Wzn2b0
WFDnmY/9eYqmv2fMSjvAKC3WGta9Mh2PcrG7AvC79SJCcnMiGSQiyM3tdgVIyFnU
H0ZUvmOZAD41MnJYnTrmj4TYY0PQ+ImFLEexYe1lSpu4QX9IJk1q03LaTnCHIIFy
NFqPgg04bEypctzAG6VsRCPf+afjgg==
-----END CERTIFICATE-----
subject=/CN=letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
issuer=/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
No client certificate CA names sent
SSL handshake has read 5925 bytes and written 424 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 7FE42EA4F8D8DEED783439116CD03D4EFE7EC695F92F86A80FF81CE859767267
Session-ID-ctx:
Master-Key: 705979EE38A5D7BC072F67986514D34C677BD390EC4EC444A76A99AAE706FBC66585DE910019B5982D5F866D989CF586
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - ae 25 bb 3d 76 ea d5 50-4f 19 2b 60 67 85 64 95 .%.=v..PO.+`g.d.
0010 - 89 8c 49 98 fd a7 1a f4-de 10 ce b2 c3 70 a7 4b ..I..........p.K
0020 - e3 14 04 23 47 95 02 7d-22 b9 ac 1a 75 c0 4f a2 ...#G..}"...u.O.
0030 - 40 94 28 bc 39 8f de 00-a2 29 33 40 88 5b 3b 1e @.(.9....)3@.[;.
0040 - c7 eb 9f 86 cd 5f 0a 5f-e1 cb 88 e7 a5 2a 9c 2c ....._._.....*.,
0050 - f5 4a 6d 9b e7 57 a6 3e-8e 8d 17 28 f5 38 4b f5 .Jm..W.>...(.8K.
0060 - 96 11 88 27 d2 83 37 95-0f c6 88 b6 f4 5f b8 2a ...'..7......_.*
0070 - 5b b3 dc 8e 74 62 67 16-13 6a 7f 8f 1e 60 de 76 [...tbg..j...`.v
0080 - bd 58 d1 39 e3 06 35 17-b8 88 d9 ea f4 d7 f7 d2 .X.9..5.........
0090 - 37 db 41 cf 47 b1 2f 45-58 16 ea 7a ff 17 9e 49 7.A.G./EX..z...I
00a0 - 55 7b 1d 60 1d 1d bc 54-57 e0 c8 d2 03 fc 60 48 U{.`...TW.....`H
Start Time: 1445330193
Timeout : 300 (sec)
Verify return code: 0 (ok)
You forgot the SNI header, so you are showing the commercial certificate deployed on letsencrypt.org. The correct certificate, including the chain, is this:
$ openssl s_client -connect helloworld.letsencrypt.org:443 -servername helloworld.letsencrypt.org
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
verify return:1
depth=0 CN = helloworld.letsencrypt.org
verify return:1
---
Certificate chain
0 s:/CN=helloworld.letsencrypt.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=/CN=helloworld.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3219 bytes and written 479 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: FF270820F13BD585F2FCBDF0E0C5401BD1BAFF5AECC0CD7D827273843BC49754
Session-ID-ctx:
Master-Key: 4F72AF772674157F71D17F4CCE67EBC5517203E432897551DFCA37BA1FA8D0F24BB33DAA0BAEA2C46816DC5776D833CC
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - ae 25 bb 3d 76 ea d5 50-4f 19 2b 60 67 85 64 95 .%.=v..PO.+`g.d.
0010 - e7 54 89 eb d5 6f 68 ca-02 9e cf 4f c1 07 ce 2f .T...oh....O.../
0020 - 12 d7 1b 0e a8 85 22 17-80 99 e9 80 fd 6c 48 32 ......"......lH2
0030 - 4d 59 53 ba 1d fd 6a 2c-ee 3f 21 08 00 45 b6 fc MYS...j,.?!..E..
0040 - 3b 6e 21 3f af 3a d8 08-ce 19 a8 dc e9 5f 2a 44 ;n!?.:......._*D
0050 - 4f d7 95 b8 fa 20 a1 27-ab ad 7c 8b 12 e7 27 ee O.... .'..|...'.
0060 - d3 14 fb dd 60 71 76 c0-11 ec b2 1e 8e 41 42 54 ....`qv......ABT
0070 - 71 be 99 53 db 0b 5f ce-e9 e0 41 55 36 8e fd 16 q..S.._...AU6...
0080 - fd 89 ea 59 4b 9d 74 4b-a2 20 dc d9 9a 41 8a f3 ...YK.tK. ...A..
0090 - ea a5 5c fd 05 c5 c5 98-e4 81 3a b6 4d e9 45 6f ..\.......:.M.Eo
00a0 - da fe f5 cf eb 2d 70 49-7e ee ee 57 2a 4c 38 b1 .....-pI~..W*L8.
00b0 - 12 8a c9 a1 d9 23 2d 48-4c ad d2 c4 2d 6a 58 23 .....#-HL...-jX#
00c0 - 13 bc a7 95 75 e6 8d d4-7a 9f de 37 c1 3c 90 14 ....u...z..7.<..
Start Time: 1445331143
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Q
DONE
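As an added example (mine, not the poster's) of the point made above: a small POSIX shell script that reads an `openssl s_client` transcript and reports which leaf certificate actually came back, so you can tell a missing SNI name from a correctly served virtual host. The two transcripts embedded in it are constructed from the output in this thread so the parsing runs offline; tls_leaf_cn() is the live probe and needs network access and an openssl binary. Two caveats worth knowing: "Verify return code: 0 (ok)" in the no-SNI run only says the chain verified, it is not a hostname check (s_client does one only if given -verify_hostname, OpenSSL 1.0.2 and later), and OpenSSL 1.1.1+ fills SNI from -connect on its own, so reproducing the no-SNI case there needs -noservername.

```shell
#!/bin/sh
# Added example, not part of the thread: tell from an `openssl s_client`
# transcript whether the server answered for the name we wanted or fell back
# to its default virtual host (what happens when -servername is left out).
# The two transcripts below are constructed from the thread's output so the
# parsing runs offline; tls_leaf_cn() is the live probe and needs network.

# Print the leaf subject CN from an s_client transcript on stdin.
# Handles the old "subject=/CN=x/O=y" and the newer "subject=CN = x, O = y".
leaf_cn() {
    subj=$(sed -n 's/^subject=//p' | head -n 1)
    case $subj in
        /*) printf '%s\n' "$subj" | sed -n 's#.*/CN=\([^/]*\).*#\1#p' ;;
        *)  printf '%s\n' "$subj" | sed -n 's#.*CN *= *\([^,]*\).*#\1#p' ;;
    esac
}

# Print the numeric "Verify return code" (0 = chain verified; it says nothing
# about the hostname unless s_client was run with -verify_hostname).
verify_code() {
    sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when the leaf CN in the transcript on stdin equals $1.
# CN comparison only; browsers match subjectAltName, which needs the PEM decoded.
cn_matches() {
    [ "$(leaf_cn)" = "$1" ]
}

# Live probe: leaf CN served for host $1, with SNI ($2 = sni) or without
# ($2 = nosni). OpenSSL 1.1.1+ sends SNI from -connect on its own, so the
# no-SNI case passes -noservername where the binary supports it.
tls_leaf_cn() {
    host=$1; mode=$2; port=${3:-443}
    if [ "$mode" = sni ]; then
        set -- -servername "$host"
    elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        set -- -noservername
    else
        set --
    fi
    openssl s_client -connect "$host:$port" "$@" </dev/null 2>/dev/null | leaf_cn
}

# Constructed transcript: no SNI sent, server falls back to its default vhost.
NO_SNI=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = letsencrypt.org, O = INTERNET SECURITY RESEARCH GROUP, L = Mountain View, ST = California, C = US
verify return:1
---
subject=/CN=letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
issuer=/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
---
Verify return code: 0 (ok)
EOF
)

# Constructed transcript: -servername helloworld.letsencrypt.org was given.
WITH_SNI=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = helloworld.letsencrypt.org
verify return:1
---
subject=/CN=helloworld.letsencrypt.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
---
Verify return code: 0 (ok)
EOF
)

want=helloworld.letsencrypt.org

# $1 = label, transcript on stdin: one line saying what came back and why.
report() {
    t=$(cat)
    cn=$(printf '%s\n' "$t" | leaf_cn)
    vc=$(printf '%s\n' "$t" | verify_code)
    if printf '%s\n' "$t" | cn_matches "$want"; then
        echo "$1: leaf CN $cn, verify $vc: matches $want"
    else
        echo "$1: leaf CN $cn, verify $vc: NOT $want (SNI missing or vhost misconfigured)"
    fi
}

printf '%s\n' "$NO_SNI"   | report "no SNI"
printf '%s\n' "$WITH_SNI" | report "with SNI"

# Run with --live to probe the real host (network required).
if [ "${1:-}" = --live ]; then
    echo "live, with SNI:    $(tls_leaf_cn "$want" sni)"
    echo "live, without SNI: $(tls_leaf_cn "$want" nosni)"
fi
```

The chain in the no-SNI transcript verifies cleanly, which is exactly why the "Verify return code" line is not enough on its own: the check that matters is whether the leaf is for the name you asked for.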
You can try it out at helloworld.letsencrypt.org.
Tried it, and hahaha:
An error occurred while connecting to helloworld.letsencrypt.org. Invalid signing certificate in OCSP response. (Error code: sec_error_ocsp_invalid_signing_cert)
The page cannot be displayed because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem. You can also use the command in the Help menu to report the broken website.
I think the problem is that the OCSP server listed in the certificate answers OCSP queries with error code 400 Bad Request. I tried it following this guide: OpenSSL: Manually verify a certificate against an OCSP.
All the browsers I tried have no problem with it, though, either because they use the data from the OCSP staples in the TLS exchange, which most likely do work*, or because they treat a broken OCSP as a soft-fail.
*) This can be tested like this:
$ openssl s_client -connect helloworld.letsencrypt.org:443 -servername helloworld.letsencrypt.org -tls1 -tlsextdebug -status
…
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
Produced At: Oct 17 23:56:00 2015 GMT
…
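As an added example (mine, not the poster's and not Let's Encrypt's) covering both checks discussed in this comment: staple_status() classifies the "OCSP response:" section that `openssl s_client -status` prints, so a script can treat "no staple" and "responder error" differently from "revoked"; ocsp_manual_check() does the manual query the poster's guide describes, reading the responder URL from the leaf's AIA extension with `openssl x509 -ocsp_uri` rather than hardcoding it. It also adds an HTTP Host header when run under OpenSSL 1.0.x, whose `openssl ocsp` client omits one; responders behind HTTP front ends are known to answer that with 400 Bad Request, which is consistent with what the poster saw but not something I can confirm for this responder. The transcripts embedded below are constructed from the output in this thread (the thread's own output is cut off before the Cert Status line, so that line is mine); only the parsing runs by default, the live functions need network access and run only with --live HOST. The browser's sec_error_ocsp_invalid_signing_cert is raised when the response signer fails to verify, so with -resp_text it is worth reading the Responder Id and the signer certificate embedded in the response, not just the good/revoked line.

```shell
#!/bin/sh
# Added example, not from the thread: two ways to check OCSP for a host.
#   staple_status      parse the "OCSP response:" block printed by
#                      `openssl s_client -status` (offline, reads stdin)
#   ocsp_manual_check  the manual query with `openssl ocsp` (live, network)
# The transcripts at the bottom are constructed from the thread's output.

# Read an s_client -status transcript on stdin and print one of
# good | revoked | unknown | nostaple | error:<responder status>.
# Exit 0 only for "good", 1 for a definite bad answer, 2 when nothing
# could be checked (no staple, or the responder returned an error status).
staple_status() {
    out=$(cat)
    case $out in
        *"OCSP response: no response sent"*) echo nostaple; return 2 ;;
    esac
    rs=$(printf '%s\n' "$out" | sed -n 's/^ *OCSP Response Status: *\([a-z]*\).*/\1/p' | head -n 1)
    cs=$(printf '%s\n' "$out" | sed -n 's/^ *Cert Status: *\([a-z]*\).*/\1/p' | head -n 1)
    case "$rs:$cs" in
        successful:good) echo good; return 0 ;;
        successful:*)    echo "${cs:-unknown}"; return 1 ;;
        *)               echo "error:${rs:-unparsed}"; return 2 ;;
    esac
}

# Live: ask host $1 for a staple (with SNI, as the thread shows is needed).
staple_status_live() {
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null | staple_status
}

# Live: manual OCSP query. Pulls the served chain, reads the responder URL
# from the leaf's AIA, verifies the response and prints it with -resp_text.
ocsp_manual_check() {
    host=$1
    d=$(mktemp -d) || return 2
    openssl s_client -connect "$host:443" -servername "$host" -showcerts </dev/null 2>/dev/null |
      awk -v dir="$d" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
                       n > 0 { print > f }
                       /-----END CERTIFICATE-----/ { close(f) }'
    if [ ! -s "$d/cert2.pem" ]; then
        echo "server sent no issuer certificate" >&2; rm -rf "$d"; return 2
    fi
    cat "$d"/cert[2-9].pem > "$d/chain.pem"
    uri=$(openssl x509 -noout -ocsp_uri -in "$d/cert1.pem")
    if [ -z "$uri" ]; then
        echo "leaf certificate carries no OCSP URI" >&2; rm -rf "$d"; return 2
    fi
    ocsp_host=${uri#*://}; ocsp_host=${ocsp_host%%/*}
    # OpenSSL 1.0.x's ocsp client sends no Host header; some responders answer
    # 400 Bad Request without it. 1.1.0 and later send it on their own.
    case $(openssl version) in
        "OpenSSL 0."*|"OpenSSL 1.0"*) set -- -header HOST "$ocsp_host" ;;
        *) set -- ;;
    esac
    # -CAfile chain.pem trusts the served intermediates as anchors for the
    # response signature; point it at your root store for a stricter check.
    openssl ocsp -issuer "$d/cert2.pem" -cert "$d/cert1.pem" -url "$uri" \
        -CAfile "$d/chain.pem" -resp_text "$@"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Constructed from the thread's -status output; the Cert Status line is
# assumed (the thread's output stops before it).
STAPLED=$(cat <<'EOF'
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X1
    Produced At: Oct 17 23:56:00 2015 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Oct 17 23:00:00 2015 GMT
    Next Update: Oct 24 23:00:00 2015 GMT
======================================
EOF
)
# Constructed: what s_client prints when the server staples nothing.
NOSTAPLE='OCSP response: no response sent'

# $1 = label, transcript on stdin.
show() {
    if r=$(staple_status); then rc=0; else rc=$?; fi
    echo "$1: $r (exit $rc)"
}
printf '%s\n' "$STAPLED"  | show "stapled sample"
printf '%s\n' "$NOSTAPLE" | show "no staple sample"

# Run with --live HOST to query a real server (network required).
if [ "${1:-}" = --live ] && [ -n "${2:-}" ]; then
    echo "staple: $(staple_status_live "$2")"
    ocsp_manual_check "$2"
fi
```

The exit codes are deliberate: a script gating a deploy on OCSP should fail closed only on exit 1 (the responder said revoked or unknown) and log exit 2 (nothing to check) separately, which is the soft-fail distinction the browsers are making above.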