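When I start an LSBInitScript as a service, I get an SSL error, because my script uses an SSL certificate to operate. The certificate is located in the same directory as the script itself. Why do I get the error when starting it as a service, but not when invoking it from the console?
SSL error when starting the service: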
ubuntu@ip-0-0-0-0:/heartbeat/deviceAPI$ sudo service deviceAPIClient.service start
* DeviceAPIClient process is not running
* Starting the process DeviceAPIClient Traceback (most recent call last):
File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 120, in <module>
main()
File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 90, in main
res = register(instanceName)
File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 40, in register
verify = 'cloud-server-ca-chain.pem'
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
return request('post', url, data=data, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
raise SSLError(e)
requests.exceptions.SSLError: [Errno 185090050] _ssl.c:344: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
There is no error when I start the Python script in the console:
ubuntu@ip-0-0-0-0:/heartbeat/deviceAPI$ /heartbeat/deviceAPI/DeviceAPIClient.py
Successful registering at cloud with 02-57-49-9c-d4
Using API endpoint https://mydomain
Update API endpoint (not used in Demo) https://mydomain.com/device-api
Sending Data to Cloud...
Update
As suggested by @mrc02_kr, I have put the certificate cloud-server-ca-chain.pem into the folder /etc/ssl/certs. The error changed to a private key problem, SSL_CTX_use_PrivateKey_file:
ubuntu@ip-0-0-0-0:/heartbeat/deviceAPI$ sudo service deviceAPIClient.service start
* DeviceAPIClient process is not running
* Starting the process DeviceAPIClient Traceback (most recent call last):
File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 120, in <module>
main()
File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 90, in main
res = register(instanceName)
File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 40, in register
verify = '/etc/ssl/certs/cloud-server-ca-chain.pem'
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
return request('post', url, data=data, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
raise SSLError(e)
requests.exceptions.SSLError: [Errno 336265218] _ssl.c:355: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
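You need to know that the script uses a private key to identify itself and the cloud server's certificate to identify the server.
Do I also need to store the private key in a special folder?
Update 2
I was able to install the private key in /etc/ssl/private and adjust the script accordingly.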
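Answer 1
The error during service start probably occurs because you provided a relative path to the certificate. The certificate file should have an absolute path. When the system starts a service, it does not change $PWD to the script's location.
You can copy the certificate to /etc/ssl/certs (according to this answer) and change: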
verify = 'cloud-server-ca-chain.pem'
to:
verify = '/etc/ssl/certs/cloud-server-ca-chain.pem'
in your code (file "/heartbeat/deviceAPI/DeviceAPIClient.py", line 40).
You can also modify the init script to change the directory to the certificate location and then start the Python program.
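The path handling described in this answer, as an added example that is not part of the original answer or the asker's script: it anchors the CA bundle and client key at a known directory instead of the working directory and reports missing or unreadable files before any TLS call. The file name device.key, the function names and the permission check on the key are assumptions, and the files are constructed placeholders.

```python
import os
import stat
import tempfile

def resolve(name, base_dir):
    """Anchor a relative file name at base_dir instead of the process CWD."""
    if os.path.isabs(name):
        return name
    return os.path.normpath(os.path.join(base_dir, name))

def check_tls_files(base_dir, ca_bundle, client_key):
    """Return (absolute paths, list of problems) before any TLS call is made."""
    paths = {"ca_bundle": resolve(ca_bundle, base_dir),
             "client_key": resolve(client_key, base_dir)}
    problems = []
    for label, path in sorted(paths.items()):
        if not os.path.isfile(path):
            problems.append("%s: no such file: %s" % (label, path))
        elif not os.access(path, os.R_OK):
            problems.append("%s: not readable: %s" % (label, path))
    key = paths["client_key"]
    # Added check (assumption): the key should carry no group/other bits.
    if os.path.isfile(key) and stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append("client_key: group/other permission bits set: %s" % key)
    return paths, problems

def demo():
    """Constructed placeholder files; CWD moved away from them, as when the
    init system starts the service without changing to the script directory."""
    base = tempfile.mkdtemp()
    for name in ("cloud-server-ca-chain.pem", "device.key"):  # device.key: hypothetical
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not real PEM data\n")
        os.chmod(path, 0o644)
    old_cwd = os.getcwd()
    os.chdir("/")
    try:
        found_via_cwd = os.path.isfile("cloud-server-ca-chain.pem")
        paths, before = check_tls_files(base, "cloud-server-ca-chain.pem", "device.key")
        os.chmod(paths["client_key"], 0o600)
        _, after = check_tls_files(base, "cloud-server-ca-chain.pem", "device.key")
    finally:
        os.chdir(old_cwd)
    return found_via_cwd, paths, before, after

if __name__ == "__main__":
    # In the real script, base_dir would be os.path.dirname(os.path.abspath(__file__)).
    print(demo())
```

The resolved paths are what would be handed to the `verify` argument shown in the traceback, so the service behaves the same from any working directory.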