我希望获得一系列我正在撰写的网络API。在订阅到期之前,必须向订阅者授予对这些API的访问权限; API由远程Web服务使用。所以我认为Mutual SSL是最好的 这样做的方法。
我正在尝试设置自己的CA以向客户发放x509证书。
这是我第一次这样做;所以,当然,没有任何作用。
这是我想得到的最终结果:我使用Nginx作为反向代理部署我的API;如果客户端向Nginx发送有效证书,则反向代理接受连接并转发请求;否则连接关闭。每当新客户签署订阅时,我都会生成一个新证书并将其发送给他/她。
所以我遵循了this指南,在我看来比我读过的其他人更完整,我在ca.crt中添加了一个自签名的/etc/ssl/ca/cert来签署{{1}从客户端收到的,我将nginx设置为
CSR但是当我使用<{p}} api(它总是以server {
listen *:443 ssl;
server_name api.example.com;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_certificate /etc/ssl/certs/server.pem; #certificate from an actual CA
ssl_certificate_key /etc/ssl/private/server.key; #PK of server.pem
ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
ssl_crl /etc/ssl/ca/crl/ca.crl;
ssl_verify_client on;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on; #ensure your cert is capable
ssl_stapling_verify on; #ensure your cert is capable
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#Redirects all traffic
location / {
proxy_pass http://mysecuredserver/api$request_uri;
limit_req zone=one burst=10;
}
}
回复)时使用
Test我总是收到以下错误:
200 OK有人可以向我解释什么是错的吗?
第二个问题:在curl -k -v --key key.pem --cert cert.pem https://api.example.com/Test
中我将从有效CA中购买的证书:是正确的还是我应该使用< HTTP/1.1 400 Bad Request
* Server nginx is not blacklisted
< Server: nginx
< Date: Fri, 29 Sep 2017 18:00:16 GMT
< Content-Type: text/html
< Content-Length: 224
< Connection: close
<
<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx</center>
</body>
</html>
* Closing connection 0
* SSLv3, TLS alert, Client hello (1):
生成证书?
答案 0 :(得分:1)
如前所述,当您在Nginx中获取大量日志时,您应该添加
debug_connection <IP>;
它会生成更多日志。其中显示
2017/09/29 20:27:55 [info] 28783#0: *72 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers
如果您没有为ssl_client_certificate链中的每个证书提供CRL,就会发生此错误。
以下是显示相同问题的类似线程
https://serverfault.com/questions/501912/nginx-proxy-ssl-clr-400-bad-request-error
Nginx unable to get certificate CRL
您需要指定指令ssl_crl并为其指定CRL文件
ssl_crl /etc/ssl/certs/crl/ca.crl;
此外,您应该验证ssl_certificate是否指的是您的CA为您的服务器创建的证书:
ssl_certificate /etc/ssl/ca/certs/server.pem; #signed by your CA
ssl_certificate_key /etc/ssl/ca/private/server.key; #PK used to generate
#server.pem
ssl_client_certificate /etc/ssl/ca/certs/ca.crt;
ssl_crl /etc/ssl/ca/crl/ca.crl; #CRL of the
#ssl_client_certificate and
#its chain