Error reading X.509 key or certificate file: Error in parsing

Time: 2017-07-06 09:40:01

Tags: ssl ssl-certificate apache-nifi

I am setting up certificate authentication for my nifi server.

I used the nifi project's nifi-tools/tls-toolkit to generate the keystore, truststore, client certificates, etc.

I added the p12-format client certificate generated by tls-toolkit to my browser and configured my nifi server properties. Everything works.

Now I want to use the client certificate in a ruby script.

To do that, I converted the certificate from p12 format to pem format like so...

openssl pkcs12 -in CN=admin_DC=nifi_DC=com.p12 -passin pass:26V+Hs1qupglToDlVqO+oKW0yWR2jG3uXjuFTUus76o -out a.pem
MAC verified OK
Enter PEM pass phrase:

The PEM pass phrase was left blank.

To test it I tried

curl --insecure --cert-type pem --cert "a.pem" "https://127.0.0.1:9443/nifi"
curl: (35) error reading X.509 key or certificate file: Error in parsing.

Error in parsing? I haven't found any information about it.

Let's verify...

openssl verify a.pem
a.pem: DC = com, DC = nifi, CN = admin
error 20 at 0 depth lookup:unable to get local issuer certificate

Verifying with the CA file...

openssl verify -verbose -x509_strict -issuer_checks -CAfile nifi-cert.pem a.pem
a.pem: OK

My ruby script also fails (obviously)

require 'rest_client'
require 'pp'

# GET the NiFi UI with a client certificate; only the certificate is passed
# here, and server certificate verification is switched off.
a = RestClient::Resource.new(
  'https://127.0.0.1:9443/nifi',
  :ssl_client_cert  => OpenSSL::X509::Certificate.new(File.read("a.pem")),
  :verify_ssl       =>  OpenSSL::SSL::VERIFY_NONE
).get

pp a

I get...

/usr/lib/ruby/2.3.0/net/http.rb:933:in `connect_nonblock': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert bad certificate (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/2.3.0/net/http.rb:933:in `connect'
from /usr/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from /usr/lib/ruby/2.3.0/net/http.rb:852:in `start'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/request.rb:715:in `transmit'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/request.rb:145:in `execute'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/request.rb:52:in `execute'
from /var/lib/gems/2.3.0/gems/rest-client-2.0.2/lib/restclient/resource.rb:51:in `get'
from test.rb:8:in `<main>'

What's wrong?

Thanks.

1 answer:

Answer 0 (score: 0)

My hunch is that the issuer certificate (the Apache NiFi CA public certificate that signed the client certificate) is not bundled in the exported PEM file. In addition, the NiFi CA is generated on the system and imported into the NiFi truststore, but it is not automatically imported into the OpenSSL truststore, the JRE cacerts, or any browser truststore, so those tools will report it as an unverified CA.

Can you verify that the exported PEM is in the expected format? A simple more or xxd command will output it in raw form and you can inspect the file structure. It should look something like this:

hw12203:/Users/alopresto/Workspace/nifi (master) alopresto
 1s @ 09:32:18 $ more ..//scratch/secure_nifi/client.pem
Bag Attributes
    friendlyName: nifi-key
    localKeyID: 4D A3 BA 01 40 32 60 6F 84 0B 1B B7 7F 1E 50 81 C7 DF 45 96
Key Attributes: <No Attributes>
Removed private key
Bag Attributes
    friendlyName: nifi-key
    localKeyID: 4D A3 BA 01 40 32 60 6F 84 0B 1B B7 7F 1E 50 81 C7 DF 45 96
subject=/OU=Apache NiFi/CN=alopresto
issuer=/OU=NIFI/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDTTCCAjWgAwIBAgIKAVpj404fAAAAADANBgkqhkiG9w0BAQsFADAjMQ0wCwYD
... lines removed ...
WLvUHa29207v8ZQ6eFuTwM4OTISQIBRahxFqaluCvdQ8
-----END CERTIFICATE-----
Bag Attributes: <Empty Attributes>
subject=/OU=NIFI/CN=localhost
issuer=/OU=NIFI/CN=localhost
-----BEGIN CERTIFICATE-----
MIIDSTCCAjGgAwIBAgIKAVpj40jcAAAAADANBgkqhkiG9w0BAQsFADAjMQ0wCwYD
... lines removed ...
T7q7PHuhxvvdG4ckFMNpntxdTGIUoioZYzeijY4=
-----END CERTIFICATE-----

You can see that there are two certificates in there - the first is my client certificate, the second is the certificate of the CA that signed it.

Also, you may need to use the -nodes flag when exporting the private key from PKCS12 to PEM. That flag does not refer to "nodes" but means "no DES encryption", i.e. "no password required". You can see more information about using that flag in this StackOverflow answer.
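As an added example (not code from the question or the answer above), the following Ruby script automates the inspection the answer suggests doing by eye with more: it builds a throwaway CA and a client certificate in memory (a constructed fixture standing in for tls-toolkit output, with names modelled on the question), then reports which certificates a PEM bundle holds, whether a private key is present, whether that key is password-protected, and whether the leaf certificate chains to the certificates after it. The function names are mine; the chain check uses an OpenSSL::X509::Store the way `openssl verify -CAfile` does.

```ruby
require 'openssl'

# Construct a throwaway CA and a client certificate signed by it, in memory.
# This is a constructed fixture standing in for what the NiFi tls-toolkit
# would generate; the names follow the question but are not real material.
def build_fixture
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/OU=NIFI/CN=localhost')
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  client_key = OpenSSL::PKey::RSA.new(2048)
  client = OpenSSL::X509::Certificate.new
  client.version = 2
  client.serial = 2
  client.subject = OpenSSL::X509::Name.parse('/DC=com/DC=nifi/CN=admin')
  client.issuer = ca.subject
  client.public_key = client_key.public_key
  client.not_before = Time.now - 60
  client.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, client)
  client.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  client.add_extension(ef.create_extension('extendedKeyUsage', 'clientAuth', false))
  client.sign(ca_key, OpenSSL::Digest.new('SHA256'))

  { ca: ca, client: client, client_key: client_key }
end

CERT_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m
KEY_BLOCK  = /-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----.*?-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/m

# Report what a PEM bundle contains: certificate subjects/issuers, whether a
# private key block is present, whether it is password-protected, and whether
# the first (leaf) certificate verifies against the certificates that follow.
def inspect_pem_bundle(pem_text)
  certs = pem_text.scan(CERT_BLOCK).map { |c| OpenSSL::X509::Certificate.new(c) }
  has_key = !(pem_text =~ KEY_BLOCK).nil?
  encrypted = pem_text.include?('ENCRYPTED PRIVATE KEY') ||
              pem_text.include?('Proc-Type: 4,ENCRYPTED')
  chain_ok = false
  if certs.size >= 2
    store = OpenSSL::X509::Store.new
    certs.drop(1).each { |c| store.add_cert(c) } # trailing certs act as the issuer chain
    chain_ok = store.verify(certs.first)
  end
  {
    certificates: certs.map { |c| [c.subject.to_s, c.issuer.to_s] },
    has_private_key: has_key,
    key_encrypted: encrypted,
    chain_ok: chain_ok
  }
end

# Split a complete bundle into the pieces a TLS client needs (leaf cert, its
# key, the issuer cert), failing with a concrete message instead of leaving
# the handshake to fail with a bare "bad certificate" alert.
def load_client_identity(pem_text)
  report = inspect_pem_bundle(pem_text)
  raise 'bundle has no private key (re-export with -nodes)' unless report[:has_private_key]
  raise 'bundle has no issuer certificate' unless report[:chain_ok]
  certs = pem_text.scan(CERT_BLOCK)
  {
    cert: OpenSSL::X509::Certificate.new(certs.first),
    key:  OpenSSL::PKey.read(pem_text[KEY_BLOCK]),
    ca:   OpenSSL::X509::Certificate.new(certs[1])
  }
end

if __FILE__ == $PROGRAM_NAME
  fx = build_fixture
  bundle = fx[:client].to_pem + fx[:ca].to_pem + fx[:client_key].to_pem
  p inspect_pem_bundle(bundle)                 # cert + CA + key: everything present
  p inspect_pem_bundle(fx[:client].to_pem)     # cert only, as in the question
end
```

Run against a real export (`inspect_pem_bundle(File.read('a.pem'))`), a bundle that shows `has_private_key: false` is the "Removed private key" case, and `chain_ok: false` with a single certificate is the missing-issuer case the answer describes.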