记一次修复微信支付吊起非常慢的问
879 2023-04-03 01:13:49
尝试的步骤:
>按照http://wiki.gandi.net/en/ssl/intermediate(SHA2标准证书)的指示从Gandi获得Gandi中级证书
>将Gandi中间证书添加到服务器(MMC>证书>中级证书颁发机构>证书)
> USERTRust在https://ssl-tools.net/certificates/1y0ovx5-usertrust-rsa-certification-authority从SSL-Tools获得的RSA证书颁发机构证书
>将USERTrust RSA证书颁发机构证书添加到服务器(MMC>证书>受信任的根证书颁发机构>证书)
>每次安装后重新启动IIS.
>每次安装后清除本地浏览器缓存.
Firefox错误:
Technical Detailswww.somedomain.org uses an invalid security certificate.The certificate is not trusted because the issuer certificate is unknown.(Error code: sec_error_unknown_issuer)
Firefox 34证书Heirarchy:
Gandi Standard SSL CA 2 > somedomain.org
Chrome 40和Internet Explorer 11认证路径:
USERTRust > USERTrust RSA Certification Authority > Gandi Standard SSL CA 2 > somedomain.org
SSL实验室测试结果(https://www.ssllabs.com/ssltest/analyze.html):
Additional Certificates (if supplied)Certificates provided 2 (2851 bytes)Chain issues Incomplete#2Subject Gandi Standard SSL CA 2 Fingerprint: 247106a405b288a46e70a0262717162d0903e734Valid until Wed Sep 11 16:59:59 PDT 2024 (expires in 9 years and 8 months)Key RSA 2048 bits (e 65537)Issuer USERTrust RSA Certification AuthoritySignature algorithm SHA384withRSACertification Paths1 Sent by server somedomain.org Fingerprint: 0123456789012345678901234567890123456789 RSA 2048 bits (e 65537) / SHA256withRSA2 Sent by server Gandi Standard SSL CA 2 Fingerprint: 247106a405b288a46e70a0262717162d0903e734 RSA 2048 bits (e 65537) / SHA384withRSA3 Extra download USERTrust RSA Certification Authority Fingerprint: eab040689a0d805b5d6fd654fc168cff00b78be3 RSA 4096 bits (e 65537) / SHA384withRSA4 In trust store AddTrust External CA Root Self-signed Fingerprint: 02faf3e291435468607857694df5e45b68851868 RSA 2048 bits (e 65537) / SHA1withRSA Weak or insecure signature, but no impact on root certificate
SSL-Tools测试结果(https://ssl-tools.net/webservers/):
Certificate chainsomedomain.org 1054 days remaining 2048 bit sha256WithRSAEncryption- Gandi Standard SSL CA 2- 3537 days remaining 2048 bit sha384WithRSAEncryption- Root certificate unknown-- USERTrust RSA Certification Authority
服务器:
> Windows Server 2008 R2
> IIS 7.5
您可以在http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt检索此证书
您的证书的正确安装(大多数接受)是:
>根店
> AddTrust外部CA根
>中级商店
> USERTrust RSA认证机构(由AddTrust签署)
> Gandi标准SSL CA 2
>个人商店
> [您的服务器证书]
Windows Server 2008 R2管理自动受信任的证书,因此您的服务器可以进行下一个配置:
>根店
> AddTrust外部CA根
> USERTrust RSA认证机构(自签名)
>中级商店
> USERTrust RSA认证机构(由AddTrust签署)
> Gandi标准SSL CA 2
>个人商店
> [您的服务器证书]
当服务器发送证书时,它会选择到root的最短路径:
> [服务器]<甘地< USERTrust(自签名)
对于大多数平台而言,这是一个不完整的链.
如果这是您的问题,最好的解决方案是在根存储上找到“USERTrust RSACertification Authority”并将其属性编辑为“禁用此证书的所有用途”.
重新启动服务器后,Windows将始终生成所需的链:
> [服务器]<甘地< USERTrust< AddTrust