# [K18 on-site] TSG21.09: client reports "certificate invalid" when an Intercept policy is applied
|
| ID | Creation Date | Assignee | Status |
|----|----------------|----------|--------|
| OMPUB-1113 | 2024-01-15T19:50:46.000+0800 | 冯伟浩 | To do |
|
---
|
TSG21.09 is deployed in the STS test environment, and the customer wants to test the decrypted-traffic forwarding feature. After the security policy was configured successfully, opening a page (google.com) from a Windows client prompts that the certificate is invalid (the same prompt appeared before; at that time the cause was an expired certificate, and a new certificate has since been installed).

**luwenpeng** commented on *2024-01-16T10:50:30.284+0800*:
|
From the screenshot provided by the site, the CA that issued the certificate is CN = Tango Secure Gateway CA, O = Maserati Solution.
|
![证书详情.png](证书详情.png)
|
This CA certificate matches the Subject of the built-in CA[^tango-ca-v3-trust-ca.pem] certificate shipped in the certstore-2.1.8.20210604.8077136 RPM package: CN = Tango Secure Gateway CA, O = Maserati Solution.
|
When certstore cannot obtain the keyring policy, or certstore runs into an error, it signs with the built-in CA certificate.
|
I suggest checking whether the keyring certificate configured in the intercept policy has been synced to the corresponding certstore, and whether that certstore has any error logs. [~fengweihao], please add the specific troubleshooting steps.
|
---
|
**fengweihao** commented on *2024-01-17T15:06:01.083+0800*:
|
Checking the error log:
|
* Enter the run directory: `cd /opt/tsg/certstore`
* View the log: `tail -fn 100 logs/certstore.log.2024-xx-xx`
|
Check whether the error log contains: "Warning: Use local keypair, sign cert!!!"
|
Troubleshooting steps:
|
* Whether the keyring policy table PXY_PROFILE_KEYRING has been synced to the function side
* Whether the keyring policy table contains the keyring_id specified in the intercept policy
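
The fallback luwenpeng describes and the two checks listed above, combined into one script (an added example, not part of the ticket and not certstore's own code): it tests whether the issuer the client saw is the built-in CA quoted in this thread and scans certstore log lines for the fallback warning. The log line layout and the sample log are constructed, and all function names are assumptions.

```python
import re

# Subject of the CA built into the certstore RPM (quoted in the ticket).
FALLBACK_CA = {"CN": "Tango Secure Gateway CA", "O": "Maserati Solution"}
# Line certstore writes when it signs with the built-in keypair (quoted in the ticket).
FALLBACK_WARNING = "Warning: Use local keypair, sign cert!!!"
# Assumed layout "YYYY-MM-DD HH:MM:SS LEVEL message"; the real format is not in the ticket.
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+(.*)$")

# Constructed sample of logs/certstore.log, not captured from a real system.
SAMPLE_LOG = [
    "2024-01-15 19:41:12 ERROR keyring policy PXY_PROFILE_KEYRING not found",
    "2024-01-15 19:41:12 WARN  Warning: Use local keypair, sign cert!!!",
    "2024-01-15 19:42:30 INFO  signed certificate for www.google.com",
]


def parse_dn(dn):
    """Turn 'CN = X, O = Y' (the form shown in the certificate dialog) into a dict."""
    fields = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def issued_by_fallback_ca(issuer_dn):
    """True when the issuer the client saw is the built-in CA, i.e. certstore did
    not sign with the keyring referenced by the intercept policy."""
    issuer = parse_dn(issuer_dn)
    return all(issuer.get(k) == v for k, v in FALLBACK_CA.items())


def find_fallback_events(log_lines):
    """Return (timestamp, message) for every log line carrying the fallback warning."""
    events = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m and FALLBACK_WARNING in m.group(3):
            events.append((m.group(1), m.group(3)))
    return events


def diagnose(issuer_dn, log_lines):
    """Combine the client-side symptom with the certstore log into one verdict."""
    fallback = issued_by_fallback_ca(issuer_dn)
    events = find_fallback_events(log_lines)
    if fallback and events:
        verdict = "built-in CA in use: check PXY_PROFILE_KEYRING sync and the policy's keyring_id"
    elif fallback:
        verdict = "built-in CA in use but no warning in this log: check other certstore nodes or older logs"
    else:
        verdict = "certificate was issued by the policy keyring, not the built-in CA"
    return {"fallback_ca": fallback, "events": events, "verdict": verdict}
```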
|
---
|
**jiaojianzhi** commented on *2024-01-18T19:05:28.985+0800*:
|
Because the customer has to work in the STS machine room for the time being and cannot connect to this test environment to deal with the issue, it will probably be January 19 or January 22 before we can try to resolve it.
|
---
|
## Attachments
|
**50431/chrome提示.png**
|
---
|
**50451/tango-ca-v3-trust-ca.pem**
|
---
|
**50429/安装证书位置.png**
|
---
|
**50430/证书详情.png**
|
---