通过https安装SSL证书并运行氮气webframe在牛仔服务器上工作

时间:2014-02-22 09:33:45

标签: ssl https openssl cowboy nitrogen

我正在使用氮气网络框架在牛仔网络服务器上开发一个应用程序。当我通过http运行服务器时,效果非常好。现在在生产中,应用程序必须在https上运行。

我修改了氮气的etc目录中的 cowboy.config 文件,默认

% vim: ts=4 sw=4 et ft=erlang
[
{cowboy,[
    {bind_address,"127.0.0.1"},
    {port,80},
    {server_name,nitrogen},       
    {document_root,"./site/static"},
    %% some comments.........
    {static_paths, ["/js/","/images/","/css/","/nitrogen/","/favicon.ico"]}
]}
].

到这个

% vim: ts=4 sw=4 et ft=erlang
[
{cowboy,[
    {bind_address,"127.0.0.1"},
    {port,443},
    {server_name,nitrogen},
    {cacertfile, "Path/cacert.pem"},
    {certfile, "Path/webservercert.pem"},
    {keyfile, "Path/webserverkey.pem"},
    {password, "webserverkeypassphrase"}
    {document_root,"./site/static"},
    %% some comments.........
    {static_paths, ["/js/","/images/","/css/","/nitrogen/","/favicon.ico"]}
]}
].

路径是我使用 openSSL 自行生成并签名的SSL证书的绝对路径。我将我的站点名称作为domainname.com但我首先在openSSl文档之后创建一个CA

我还修改了 nitrogen / site / scr nitrogen_sup.erl 文件中 Supervisor回调的默认值

%% ===================================================================
%% Supervisor callbacks
%% ===================================================================

init([]) ->
%% Start the Process Registry...
application:start(crypto),
application:start(nprocreg),
application:start(ranch),

%% Start Cowboy...
application:start(cowboy),
{ok, BindAddress} = application:get_env(cowboy, bind_address),
{ok, Port} = application:get_env(cowboy, port),
{ok, ServerName} = application:get_env(cowboy, server_name),
{ok, DocRoot} = application:get_env(cowboy, document_root),
{ok, StaticPaths} = application:get_env(cowboy, static_paths),  

io:format("Starting Cowboy Server (~s) on ~s:~p, root: '~s'~n",
          [ServerName, BindAddress, Port, DocRoot]),

Dispatch = init_dispatch(DocRoot, StaticPaths),

{ok, _} = cowboy:start_http(http, 100,     
        [
            {port, Port}               
        ], [
    {env, [{dispatch, Dispatch}]},
    {max_keepalive, 50}
]),

{ok, { {one_for_one, 5, 10}, []} }.

到下面这个

%% ===================================================================
%% Supervisor callbacks
%% ===================================================================

init([]) ->
   %% Start the Process Registry...

   application:start(crypto),    
   application:start(nprocreg),
   application:start(ranch),   

   %% Start Cowboy...
   application:start(cowboy),
   {ok, BindAddress} = application:get_env(cowboy, bind_address),
   {ok, Port} = application:get_env(cowboy, port),
   {ok, ServerName} = application:get_env(cowboy, server_name),
   {ok, DocRoot} = application:get_env(cowboy, document_root),
   {ok, StaticPaths} = application:get_env(cowboy, static_paths),
   {ok, CAcertfile} = application:get_env(cowboy, cacertfile),
   {ok, Certfile} = application:get_env(cowboy, certfile),
   {ok, Keyfile} = application:get_env(cowboy, keyfile),
   {ok, Password} = application:get_env(cowboy, password),

   io:format("Starting Cowboy Server (~s) on ~s:~p, root: '~s'~n",
          [ServerName, BindAddress, Port, DocRoot]),

   Dispatch = init_dispatch(DocRoot, StaticPaths),
   {ok, _} = cowboy:start_https(https, 100,
     [
        {port, Port},
        {cacertfile, CAcertfile}, 
        {certfile, Certfile},
        {keyfile,  Keyfile},
        {password, Password}            
    ], [         
    {env, [{dispatch, Dispatch}]},
    {max_keepalive, 50}
]),

{ok, { {one_for_one, 5, 10}, []} }.

使用sync:go()文件编译并重新加载。然而,我关闭氮气并重新开始。

在shell中我使用curl实用程序来测试服务器是否在监听

$ curl --cacert Absolute_path/cacert.pem -i https://domainname.com

响应是假定的,因为索引页面上的内容显示在shell

然而,当我进入Firefox浏览器时,它会抛出一个安全警告我承认了一个,除了我知道它的原因我永久添加到例外。当我再次尝试获取页面时,浏览器会抛出此错误。

Secure Connection Failed

The key does not support the requested operation.

(Error code: sec_error_invalid_key)

.The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
.Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.

当我在氮气控制台检查时发现此错误报告

(nitrogen@127.0.0.1)4> user@user:~/nitrogen/rel/nitrogen$ 
user@user:~/nitrogen/rel/nitrogen$ sudo ./bin/nitrogen console
Exec: /home/user/nitrogen/rel/nitrogen/erts-5.10.4/bin/erlexec  -boot       /home/user/nitrogen/rel/nitrogen/releases/2.2.2/nitrogen -mode interactive  -config /home/user/nitrogen/rel/nitrogen/etc/app.config -config /home/user/nitrogen/rel/nitrogen/etc/cowboy.config -config /home/user/nitrogen/rel/nitrogen/etc/sync.config -args_file /home/dotshule/nitrogen/rel/nitrogen/etc/vm.args -- console
Root: /home/dotshule/nitrogen/rel/nitrogen
Erlang R16B03 (erts-5.10.4) [source] [smp:2:2] [async-threads:5] [hipe] [kernel-poll:true]

Eshell V5.10.4  (abort with ^G)
(nitrogen@127.0.0.1)1> Starting Cowboy Server (nitrogen) on 127.0.0.1:443, root: './site/static'

=ERROR REPORT==== 20-Feb-2014::14:51:12 ===
SSL: certify: tls_connection.erl:375:Fatal error: unknown ca

现在我不明白的是服务器是拒绝我的证书还是我跳过了一步,或者一两步出错了或问题出在我自己创建的CA上(根证书 cacert .pem )或问题出在openSSL上!

我现在开始怀疑,如果我生成 CSR 并将其发送到可信CA ,例如symantec,digcert,thawte,geotrust,.. iec 。生成的证书也可能无法正常工作。

我需要你的帮助,请点击这个关于牛仔网络服务器问题的这个https的氮气。到目前为止,你会得到所有帮助....

2 个答案:

答案 0 :(得分:1)

我不确定为什么牛仔会抛出那个特定错误(tls_connection.erl实际上是Erlang的一部分,而不是牛仔或氮气。)

也就是说,当使用氮气运行SSL时,我通常只建议用户在氮气前使用nginx作为反向代理,并且在http://nitrogenproject.com/doc/config.html的氮站点上有nginx配置示例(向下滚动到仅SSL示例。)

我意识到这并不完全理想,所以或者,我会看到nginx或apache是​​否能够成功提供具有相同密钥/证书组合的样本页面。显然,“未知的ca”错误是说Erlang不喜欢它是一个自签名证书的事实。因此,您可以尝试使用其他可能存在的签名证书/密钥,或者在StartSSL.com上免费生成一个真实的证书/密钥,并查看错误是否继续呈现。

同样,这些都不是可靠的答案,但它们应该帮助您指出一些方向来帮助您解决问题。

就个人而言,我在nginx后面运行所有的氮实例,让nginx处理SSL和负载均衡。

答案 1 :(得分:0)

我的方法确实有效,我已经使用SYMANTEC和VERISIGN SSL证书成功测试了它,它可能是在Cowboy Web服务器上安装SSL证书的正式方式。

相关问题
最新问题