The owner of a service we use in one of our pre-production environments recently changed their certificate setup (without telling us).
Since this certificate change, any attempt to make the call from our service (which sits on a WebLogic box) results in:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header/>
<env:Body>
<env:Fault xmlns:ns0="http://schemas.xmlsoap.org/soap/envelope/">
<faultcode>ns0:Server</faultcode>
<faultstring xml:lang="en">javax.xml.ws.WebServiceException: javax.net.ssl.SSLKeyException: [Security:090569]The certificate chain received from xxxxxxx - xx.xxx.xx.xxx contained a V3 CA certificate which key usage constraints indicate its key cannot be used to sign certificates.</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
I've never seen this error before (and as far as Google is concerned, neither has anyone else), but I gather that one of the certificates in the chain is a CA that lacks the key signing constraint (obviously). However, I can't see a problem with the certificate chain, and nothing is flagged when I visit the URL in a browser.
This is what the chain looks like:
DigiCert
->DigiCert High Assurance CA-3
-->*.co.uk
DigiCert
Version - V3
Key Usage - Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Basic Constraints - Subject Type=CA, Path Length Constraint=None
DigiCert High Assurance CA-3
Version - V3
Key Usage - Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
Basic Constraints - Subject Type=CA, Path Length Constraint=0
*.co.uk
Version - V3
Key Usage - Digital Signature, Key Encipherment (a0)
Basic Constraints - Subject Type=End Entity, Path Length Constraint=None
All the certificates are in our trust store. I also tried setting WebLogic to demo trust, but strangely that had no effect.
Any ideas?
UPDATE
After enabling debugging with
-Dssl.debug=true
-Dweblogic.StdoutDebugEnabled=true
-Dweblogic.security.SSL.verbose=true
I get:
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 4797710814556239092785509911582462711
Issuer:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Subject:C=GB, L=Belfast, O=xxxxx xxxxx xxxxx xxxxx, CN=*.co.uk
Not Valid Before:Mon Jan 14 00:00:00 GMT 2013
Not Valid After:Tue Jan 21 12:00:00 GMT 2014
Signature Algorithm:SHA1withRSA
>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is invalid because the issuer DN does not match the next certificate subject: C=GB, L=Belfast, O=xxxxx xxxxx xxxxx xxxxx, CN=*.co.uk>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Signature verification failed>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 7868785665241589417982590706715607915
Issuer:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Subject:C=GB, L=Belfast, O=xxxxx xxxxx xxxxx xxxxx, CN=*.co.uk
Not Valid Before:Mon Jan 14 00:00:00 GMT 2013
Not Valid After:Tue Jan 21 12:00:00 GMT 2014
Signature Algorithm:SHA1withRSA
To me this looks like WebLogic is reading the certificate chain incorrectly, and seems to think the certificate at the bottom of the chain is signing itself?
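One way to make the ordering problem in that debug output explicit is to pull each "Validating certificate N in the chain" record out of the log and check that every certificate's Issuer DN equals the Subject DN of the next one. The script below is an added example, not part of the question; the log text it parses is constructed to mirror the output above, with the organisation and host replaced by placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the WebLogic SecuritySSL debug output in the
# question; organisation and host names are placeholders, not real values.
SAMPLE_LOG = """\
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 0 in the chain: Serial number: 4797710814556239092785509911582462711
Issuer:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Subject:C=GB, L=Belfast, O=Example Org, CN=*.example.co.uk
>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Certificate chain is invalid because the issuer DN does not match the next certificate subject: C=GB, L=Belfast, O=Example Org, CN=*.example.co.uk>
<Jul 25, 2013 7:22:42 PM IST> <Debug> <SecuritySSL> <BEA-000000> <Validating certificate 1 in the chain: Serial number: 7868785665241589417982590706715607915
Issuer:C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3
Subject:C=GB, L=Belfast, O=Example Org, CN=*.example.co.uk
"""

CERT_START = re.compile(r"Validating certificate (\d+) in the chain: Serial number: (\d+)")


def parse_chain(log: str) -> List[Dict[str, str]]:
    """Collect index, serial, Issuer DN and Subject DN of each presented certificate."""
    certs: List[Dict[str, str]] = []
    current = None
    for line in log.splitlines():
        m = CERT_START.search(line)
        if m:
            current = {"index": int(m.group(1)), "serial": m.group(2)}
            certs.append(current)
        elif current is not None:
            for field in ("Issuer", "Subject"):
                if line.startswith(field + ":"):
                    current[field.lower()] = line[len(field) + 1:].strip()
    return sorted(certs, key=lambda c: c["index"])


def chain_problems(certs: List[Dict[str, str]]) -> List[str]:
    """Report where the presented order breaks the leaf -> intermediate -> root linkage."""
    problems = []
    for cert, nxt in zip(certs, certs[1:]):
        if cert["issuer"] != nxt["subject"]:
            problems.append(f"cert {cert['index']} issuer {cert['issuer']!r} != "
                            f"cert {nxt['index']} subject {nxt['subject']!r}")
        if cert["subject"] == nxt["subject"]:  # same subject twice: duplicated/misordered leaf
            problems.append(f"cert {cert['index']} and {nxt['index']} share a subject "
                            f"(serials {cert['serial']} / {nxt['serial']})")
    if certs and certs[-1]["issuer"] != certs[-1]["subject"]:
        problems.append(f"chain does not end in a self-signed root (last issuer: {certs[-1]['issuer']!r})")
    return problems
```

Running chain_problems(parse_chain(SAMPLE_LOG)) shows that certificate 1 carries the leaf's subject rather than the intermediate's, so the server is sending a duplicated or misordered chain rather than WebLogic misreading a correct one.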