Mixed results implementing a Let's Encrypt server certificate

Time: 2019-02-19 18:43:33

Tags: curl python-requests ssl-certificate tornado lets-encrypt

Summary:

Why can macOS curl reach my letsencrypt service while other tools/OSes cannot verify the certificate?


I implemented a tiny REST service in Tornado, running on an Ubuntu 18.04 machine, with a letsencrypt certificate. I set up the server as:

import ssl
import tornado.httpserver

# app is the tornado.web.Application defined elsewhere in the service
sslContext = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
certFile = '/etc/letsencrypt/live/my.server.com/cert.pem'      # leaf certificate only
keyFile = '/etc/letsencrypt/live/my.server.com/privkey.pem'
sslContext.load_cert_chain(certFile, keyFile)
server = tornado.httpserver.HTTPServer(app, ssl_options=sslContext)

When I use curl -v on my MacBook Pro, things look fine:

curl -v https://my.server.com:8899/rest
*   Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=my.server.com
*  start date: Jan 26 15:27:27 2019 GMT
*  expire date: Apr 26 15:27:27 2019 GMT
*  subjectAltName: host "my.server.com" matched cert's "my.server.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.

But when I try the same thing on different Ubuntu boxes (2 actually, plus two Debian buster/testing boxes), I get an error:

curl -v https://my.server.com:8899/rest
*   Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

My goal is to query this API using the python requests module, but I can't get it to work anywhere, including the macOS box. Even after copying the latest cacert.pem from the certifi source.

1 Answer:

Answer 0 (score: 0)

Note the following comment in the README file:

fullchain.pem: the certificate file used in most server software.

cert.pem: will break many server configurations, and should not be used without reading further documentation (see the link below).

Bottom line: use fullchain.pem.