I get an error when I try to make a request to my web page using a self-signed certificate.
Here is how I create my self-signed certificates:
#!/usr/bin/env bash
set -x
day=300
server="domain.tld"
path_build="domain"
openssl_conf="openssl.cnf"
cd $path_build
# Create CA self-signed certificate
openssl req -config $openssl_conf -new -x509 -subj "/C=COUNTRY/L=Town/O=domain CA/CN=$server" -days $day -key private/rootCA.key -out certs/rootCA.crt
# Server Side
# Create private key for the domain server
openssl genrsa -des3 -passout pass:qwerty -out private/${server}.key 2048
# Remove passphrase
openssl rsa -passin pass:qwerty -in private/${server}.key -out private/${server}.key
# Create CSR for the domain server
openssl req -config $openssl_conf -new -subj "/C=COUNTRY/L=Town/O=domain/CN=$server" -key private/${server}.key -out csr/${server}.csr
# Create certificate for the domain server
openssl ca -batch -config $openssl_conf -days $day -in csr/${server}.csr -out certs/${server}.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
Then I create my client certificate:
#!/usr/bin/env bash
set -x
path_build="domain"
day=300
CN="client"
openssl_conf="openssl.cnf"
cd $path_build
# Create private key for a client
openssl genrsa -des3 -passout pass:qwerty -out private/${CN}.key 2048
# Remove passphrase
openssl rsa -passin pass:qwerty -in private/${CN}.key -out private/${CN}.key
# Create CSR for the client.
openssl req -config $openssl_conf -new -subj "/C=COUNTRY/L=Town/O=domain/CN=$CN" -key private/${CN}.key -out csr/${CN}.csr
# Create client certificate.
openssl ca -batch -config $openssl_conf -days $day -in csr/${CN}.csr -out certs/${CN}.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
# Export the client certificate to pkcs12 for import in the browser
openssl pkcs12 -export -passout pass:toto -in certs/${CN}.crt -inkey private/${CN}.key -certfile certs/rootCA.crt -out certs/${CN}cert.p12
So I end up with:
ls domain/certs domain/private domain/csr
domain/certs/:
domain.crt client.crt clientcert.p12 rootCA.crt
domain/csr:
domain.csr client.csr
domain/private/:
domain.key client.key rootCA.key
Then I copied the certificates to the server and the client:
Server side: cat /etc/apache2/sites-enabled/default.conf
<VirtualHost *:443>
ServerAlias domain.tld
ServerName domain.tld
WSGIDaemonProcess daemon user=user group=group threads=5
WSGIScriptAlias / /home/user/current/apache/preprod.wsgi
WSGIPassAuthorization On
SSLEngine On
SSLCertificateFile /home/user/current/apache/certs/domain.crt
SSLCertificateKeyFile /home/user/current/apache/certs/domain.key
<Directory /home/user/current/apache>
Require all granted
WSGIProcessGroup procsGroup
WSGIApplicationGroup %{GLOBAL}
Order deny,allow
Allow from all
</Directory>
</VirtualHost>
Then on the client side:
#!/usr/bin/env python
import requests
import urllib3.contrib.pyopenssl
urllib3.contrib.pyopenssl.inject_into_urllib3()
_certfile = "certs/rootCA.crt"
_private_key = "certs/client.key"
_client_cert = "certs/client.crt"
username="user"
password="pass"
url='https://domain.tld/api/1.0/bob/create'
r = requests.post(url, auth=(username, password), params={}, verify=_client_cert, cert=(_certfile, _private_key))
And I get this answer:
Traceback (most recent call last):
File "codes_generation.py", line 167, in <module>
print(request(""))
File "codes_generation.py", line 74, in request
r = requests.post(url, auth=(username, password), params=order, verify=_client_cert, cert=(_certfile, _private_key))
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/api.py", line 107, in post
return request('post', url, data=data, json=json, **kwargs)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/api.py", line 53, in request
return session.request(method=method, url=url, **kwargs)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
resp = self.send(prep, **send_kwargs)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
r = adapter.send(request, **kwargs)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/adapters.py", line 376, in send
timeout=timeout
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
body=body, headers=headers)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
self._validate_conn(conn)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 784, in _validate_conn
conn.connect()
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 252, in connect
ssl_version=resolved_ssl_version)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 277, in ssl_wrap_socket
ctx.use_privatekey_file(keyfile)
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/SSL.py", line 665, in use_privatekey_file
self._raise_passphrase_exception()
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/SSL.py", line 640, in _raise_passphrase_exception
_raise_current_error()
File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]
When I try to access it in my browser, I get the self-signed certificate warning (which is normal), but when I try to use the requests library in Python, it does not work (using Python 2.7).
I'm not good with certificates, and I think I may simply have put the wrong files in the wrong places, because I really don't understand which file is used for what.
So I'm trying to understand how self-signed certificates work and where my problem is. If you have any resources, I'd appreciate them, because every link I have been browsing about self-signed certificates is rarely very clear.
Answer 0 (score: 0)
So I found where I went wrong; I used the wrong files:
_certfile = "certs/domain.crt"
_private_key = "certs/domain.key"
_client_cert = "certs/rootCA.crt"
This works:
_certfile = "certs/client.crt"
_private_key = "certs/client.key"
_client_cert = "certs/rootCA.crt"
But I still don't understand certificates. I know they are used in pairs, but why are the domain files and the client files both valid for the client?
So if you have good documentation, I would be glad!
Thanks everyone