I have read many posts mentioning the "local issuer certificate" problem, but I cannot find an answer for my case.
I have set up an nginx proxy that accepts client certificates for authorization. Through a browser with the certificate imported, everything works fine.
I am now trying to connect to my server via curl without the -k option, which I definitely want to avoid. All certificates involved are self-signed.
If I run
curl --key user.key --cert user.cert https://10.11.2.7:5043/v2/
I get the following:
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
So I followed the instructions listed at that link and ran:
openssl s_client -connect 10.11.2.7:5043 |tee logfile
#Which gives the following:
depth=0 C = AT, ST = Vienna3, L = Vienna3, O = myCompany3, OU = IT, CN = 10.11.2.7:5043, emailAddress = a@b.c
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = AT, ST = Vienna3, L = Vienna3, O = myCompany3, OU = IT, CN = 10.11.2.7:5043, emailAddress = a@b.c
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
0 s:/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a@b.c
i:/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a@b.c
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a@b.c
issuer=/C=AT/ST=Vienna3/L=Vienna3/O=myCompany3/OU=IT/CN=10.11.2.7:5043/emailAddress=a@b.c
---
Acceptable client certificate CA names
/C=AT/ST=Vienna1/L=Vienna1/O=myCompany/OU=IT/CN=10.11.2.7:5043
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1751 bytes and written 281 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: AA3F09732742D0ACD0F582362AB7CEA2DAFA628A2FD0BAFAF6B6514EA7D8812F
Session-ID-ctx:
Master-Key: 649F2319073FAF982C71279593067DFA95E31E68C3E6BE267BBBCAD048A8E5B290464C83E82E09C60EFA5235C1CA7B36
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 3b d0 96 e2 c6 85 4e 93-37 c0 0e aa e2 a0 e5 7b ;.....N.7......{
0010 - ba 85 0d 1a 55 da 25 f4-2d 1a d5 1d f9 4a 43 c6 ....U.%.-....JC.
0020 - 7d 22 79 17 03 3c b4 19-a8 17 e9 65 4d 85 f1 85 }"y..<.....eM...
0030 - e7 a5 1b 68 0a c1 8a 28-d7 95 7d ae e7 39 be 1a ...h...(..}..9..
0040 - 10 cc 0d ad 81 1c c5 7e-7b e6 41 96 5a dc 2a 8c .......~{.A.Z.*.
0050 - 91 ee 86 38 52 29 ab 02-3a 08 62 bd e6 2a 24 49 ...8R)..:.b..*$I
0060 - d9 b1 19 4f 09 3f 3d 98-cd 25 49 e3 77 43 87 f9 ...O.?=..%I.wC..
0070 - 31 f1 ec 56 84 e1 cf 3e-35 2b 23 23 9b 3e 99 18 1..V...>5+##.>..
0080 - 10 b6 ba 57 76 09 ba a7-eb 35 31 85 61 a6 f5 6e ...Wv....51.a..n
0090 - ff c1 c3 6d 01 8f 28 8d-15 a3 67 75 fe 6d 47 ff ...m..(...gu.mG.
00a0 - 36 eb 71 8e 12 a9 73 1d-18 72 25 02 6d 4f 62 10 6.q...s..r%.mOb.
Start Time: 1534764737
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: yes
---
As suggested by the link above, I copied the certificate (including the BEGIN CERTIFICATE and END CERTIFICATE lines), saved it to a file named Trusted_certs.crt, and tried running curl with the following command:
curl -vs --key user.key --cert user.cert --cacert /path/to/trusted_certs.crt https://10.11.2.7:5043/v2/
Unfortunately, it still does not work and says:
Trying 10.11.2.7...
* TCP_NODELAY set
* Connected to 10.11.2.7 (10.11.2.7) port 5043 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /path/to/trusted_certs.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
I am obviously doing something wrong, but I cannot find the answer. Any help is welcome!
Answer 0 (score: 0)
From OpenSSL Verify return code: 20 (unable to get local issuer certificate):
This error also occurs if the self-signed certificate you are using has a keyUsage that lacks the value keyCertSign.
That helped in my case.
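The check the answer describes, as an added example that is not part of the question or the answer: a small standard-library Python script that reads the certificate(s) saved as trusted_certs.crt (or any PEM/DER file named on the command line), reports the keyUsage bits and basicConstraints of each, and flags a certificate whose keyUsage is present but lacks keyCertSign, which is the condition under which OpenSSL will not accept a self-signed certificate as its own issuer. The minimal DER walker, the helper names, and the two constructed sample certificates (which carry only the extension fields, not a real key or signature) are assumptions of this example.

```python
"""Report keyUsage / basicConstraints of X.509 certs and flag a missing keyCertSign.

Added example, not from the original question or answer. Standard library only;
assumes ordinary X.509 v3 certificates in PEM or DER form.
"""
import base64
import re
import sys

KEY_USAGE_OID = bytes.fromhex("551d0f")          # 2.5.29.15 keyUsage
BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # 2.5.29.19 basicConstraints
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def iter_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def find_extension(buf, oid):
    """Depth-first search for Extension ::= SEQUENCE { oid, [critical], OCTET STRING }."""
    for tag, value in iter_children(buf):
        if tag == 0x30:
            kids = list(iter_children(value))
            if kids and kids[0] == (0x06, oid):
                for ktag, kval in kids[1:]:
                    if ktag == 0x04:       # extnValue
                        return kval
        if tag & 0x20:                     # constructed: descend
            found = find_extension(value, oid)
            if found is not None:
                return found
    return None


def key_usage(der):
    """Names of the keyUsage bits that are set, or None if the extension is absent."""
    ext = find_extension(der, KEY_USAGE_OID)
    if ext is None:
        return None
    tag, bits, _ = read_tlv(ext, 0)
    if tag != 0x03:
        raise ValueError("keyUsage extnValue is not a BIT STRING")
    total_bits = (len(bits) - 1) * 8 - bits[0]   # bits[0] = number of unused trailing bits
    return [name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and bits[1 + i // 8] & (0x80 >> (i % 8))]


def basic_constraints(der):
    """(cA, pathLenConstraint) from basicConstraints, or None if absent."""
    ext = find_extension(der, BASIC_CONSTRAINTS_OID)
    if ext is None:
        return None
    _, seq, _ = read_tlv(ext, 0)
    is_ca, path_len = False, None
    for ktag, kval in iter_children(seq):
        if ktag == 0x01:
            is_ca = kval != b"\x00"
        elif ktag == 0x02:
            path_len = int.from_bytes(kval, "big")
    return is_ca, path_len


def can_sign_certs(der):
    """True if keyUsage is absent (no restriction) or includes keyCertSign."""
    usage = key_usage(der)
    return usage is None or "keyCertSign" in usage


def load_certs(path):
    """Return the DER blobs from a PEM bundle (several certs allowed) or one DER file."""
    data = open(path, "rb").read()
    blocks = re.findall(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return [base64.b64decode(b"".join(b.split())) for b in blocks] if blocks else [data]


def tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value


def sample_cert(key_usage_bits, ca):
    """Constructed stand-in for a certificate: only version and extensions are present."""
    ku = tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x03, key_usage_bits)))
    bc = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff") if ca else b"")))
    return tlv(0x30, tlv(0x30, tlv(0x02, b"\x02") + tlv(0xA3, tlv(0x30, ku + bc))))


# Constructed samples: a server-only leaf (digitalSignature, keyEncipherment) and a
# CA-style self-signed cert (digitalSignature, keyCertSign, cRLSign).
SERVER_ONLY = sample_cert(b"\x05\xa0", ca=False)
CA_STYLE = sample_cert(b"\x01\x86", ca=True)

if __name__ == "__main__":
    certs = [c for p in sys.argv[1:] for c in load_certs(p)] or [SERVER_ONLY, CA_STYLE]
    for der in certs:
        print("keyUsage:", key_usage(der), "| basicConstraints:", basic_constraints(der),
              "| acceptable as its own issuer:", can_sign_certs(der))
```

Run it as `python3 check_ku.py /path/to/trusted_certs.crt`; a line ending in `False` means the certificate carries a keyUsage without keyCertSign, so it has to be reissued (keyUsage including keyCertSign, ideally with basicConstraints CA:TRUE) before curl or openssl will treat it as a trust anchor.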