文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >httpd和curl:配置https连接prom (一个p12文件形式的客户端验证)

httpd和curl:配置https连接prom (一个p12文件形式的客户端验证)
EN

Server Fault用户
提问于 2019-09-17 11:24:12
回答 1查看 7.5K关注 0票数 1

我正在部署一个httpd。我需要配置ssl,以便根据客户端证书验证客户端。

为了做到这一点,我有一个包含私钥、客户端证书和连锁ca证书的p12文件:

CA链证书

代码语言:javascript
复制
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$...
-----END CERTIFICATE-----
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$...
-----END CERTIFICATE-----

Client证书

代码语言:javascript
复制
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$...
-----END CERTIFICATE-----

Client私钥

代码语言:javascript
复制
➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts
Bag Attributes
    ...
-----BEGIN PRIVATE KEY-----
$$$$...
-----END PRIVATE KEY-----

为了将此p12文件拆分为分隔的证书和密钥文件:

代码语言:javascript
复制
➜ ~ openssl pkcs12 -in container.p12 -nocerts -out client.key.pem
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys -out client.crt
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys -out cacerts.crt

因此,从现在开始,我将httpd配置为:

代码语言:javascript
复制
SSLEngine On
SSLCACertificateFile /usr/local/apache2/conf/cacerts.crt
...

我试着用curl连接:

代码语言:javascript
复制
curl --cert client.crt --key client.key.pem https://localhost:8080/token -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

进入我正在获得的httpd服务器日志:

代码语言:javascript
复制
[Tue Sep 17 11:17:28.144219 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01964: Connection to child 68 established (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.148318 2019] [ssl:debug] [pid 8:tid 139871525332736] ssl_engine_kernel.c(2375): [client 10.0.2.4:52926] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Sep 17 11:17:28.155178 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.155569 2019] [ssl:info] [pid 8:tid 139871525332736] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Tue Sep 17 11:17:28.155609 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01998: Connection closed to child 68 with abortive shutdown (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114529 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01964: Connection to child 69 established (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114667 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114674 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114679 2019] [core:debug] [pid 8:tid 139871448463104] protocol.c(2314): [client 10.255.0.2:48060] AH03155: select protocol from , choices=h2,http/1.1 for server 10.0.2.47
[Tue Sep 17 11:19:01.117705 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.117827 2019] [ssl:info] [pid 8:tid 139871448463104] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)
[Tue Sep 17 11:19:01.117858 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01998: Connection closed to child 69 with abortive shutdown (server 10.0.2.47:443)

我还尝试过将cacerts.pemcurl --cacert ./cacerts.pem --cert client.crt --key client.key.pem https://localhost:8080/token -v结合使用

有什么想法吗?

ssl-certificate
openssl
httpd
EN

回答 1

Server Fault用户

发布于 2021-12-08 10:49:29

代码语言:javascript
复制
$ openssl pkcs12 -in certificate.p12 -out file.key.pem -nocerts -nodes
$ openssl pkcs12 -in certificate.p12 -out file.crt.pem -clcerts -nokeys

$ curl -k --cert ./file.crt.pem --cert-type PEM --key ./file.key.pem --key-type PEM --pass password  "https://:443/actuator/health"
票数 0
EN
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://serverfault.com/questions/984536

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档