How to use a self-signed certificate with curl

I generated the SSL certificates with the following commands:

C=PL
ST=Mazovia
L=Warsaw
O="PHP-HTTP"
CN="192.168.56.10"

# CA: with no -keyout given, req writes the new CA key to privkey.pem (the openssl.cnf default),
# which is why the signing steps below reference privkey.pem
openssl req -out ca.pem -new -x509 -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-server" -passout pass:password

# server certificate, CN set to the daemon's address
openssl genrsa -out server.key
openssl req -key server.key -new -out server.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" -passout pass:password
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -passin pass:password

# client certificate, signed by the same CA
openssl genrsa -out client.key
openssl req -key client.key -new -out client.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-adapter-client" -passout pass:password
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem -passin pass:password

I applied them to the dockerd daemon:

sudo cp ca.pem /root/.docker/
sudo cp server.key /root/.docker/key.pem
sudo cp server.pem /root/.docker/cert.pem

and enabled them by adding --tlsverify (Alpine Linux),

and connected successfully to the /version endpoint from a PHP script:

use Symfony\Component\HttpClient\CurlHttpClient; // Symfony HttpClient; these option names are its TLS options

$client = new CurlHttpClient([
//  'bindto'      => '/var/run/docker.sock',
    'cafile'      => __DIR__ . '/../../../ssl-test/ca.pem',     // CA that signed the server cert
    'local_cert'  => __DIR__ . '/../../../ssl-test/client.pem', // client certificate
    'local_pk'    => __DIR__ . '/../../../ssl-test/client.key', // matching private key
//  'verify_host' => false,
]);
$response = $client->request(
    'GET',
    'https://192.168.56.10:2376/version'
);

I would like to establish that connection with a plain curl command, but whatever combination of the --cacert and --cert options I use, it gives me an error. How should I bundle the output files to establish a working connection?

Edit > System: WSL2 Ubuntu 22.04.3 LTS

Answer 1

curl -vv helped a lot. I suspected curl just expects the certificates in a specific format, and it turned out it needs both the private key (client.key, pkey) and the certificate (client.pem, cert) in one file.

[~] cat client.pem >> cert-and-key.pem
[~] cat client.key >> cert-and-key.pem
[~] curl -vv --cacert ca.pem --cert cert-and-key.pem https://192.168.56.10:2376/version

Note: --cacert ca.pem can also be replaced with -k or --insecure (not recommended)

Output:

*   Trying 192.168.56.10:2376...
* Connected to 192.168.56.10 (192.168.56.10) port 2376 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: ca.pem
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=192.168.56.10
*  start date: Dec  2 23:15:27 2023 GMT
*  expire date: Jan  1 23:15:27 2024 GMT
*  common name: 192.168.56.10 (matched)
*  issuer: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=socket-server
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /version HTTP/1.1
> Host: 192.168.56.10:2376
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Api-Version: 1.42
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/23.0.6 (linux)
< Date: Sun, 03 Dec 2023 15:23:48 GMT
< Content-Length: 873
<
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"23.0.6","Details":{"ApiVersion":"1.42","Arch":"amd64","BuildTime":"2023-10-12T14:14:03.000000000+00:00","Experimental":"false","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","KernelVersion":"6.1.60-0-virt","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.7.2","Details":{"GitCommit":"0cae528dd6cb557f7201036e9f43420650207b58"}},{"Name":"runc","Version":"1.1.7","Details":{"GitCommit":"860f061b76bb4fc671f0f9e900f7d80ff93d4eb7"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":""}}],"Version":"23.0.6","ApiVersion":"1.42","MinAPIVersion":"1.12","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","Os":"linux","Arch":"amd64","KernelVersion":"6.1.60-0-virt","BuildTime":"2023-10-12T14:14:03.000000000+00:00"}
* Connection #0 to host 192.168.56.10 left intact
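The script below is an added example and not part of the question or the answer. It reproduces the shape of the question's setup (one CA, a server certificate for the daemon's address, a client certificate), bundles the client certificate and key into the single PEM the answer passes to --cert, and runs the checks a practitioner wants before pointing curl at the daemon: the key really belongs to the certificate, the certificate chains to the CA that will be given to --cacert, and the server certificate names the address curl is told to dial. It assumes openssl 1.1.1 or newer on PATH; the address 192.168.56.10 is the question's placeholder and can be overridden with the first argument. Two points the post itself does not spell out: curl also accepts the key as a separate file (--cert client.pem --key client.key), so concatenation is a convenience rather than a requirement, and the demo server certificate carries the IP in a subjectAltName, which is what current TLS stacks check; the post's server certificate has only a CN and relies on the CN fallback that curl 7.81 still applies ("common name: 192.168.56.10 (matched)" in the output above). Replacing --cacert with -k skips CA verification entirely and would not have fixed a client-certificate problem anyway.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway PKI, bundles the
# client cert and key for curl --cert, and checks the files before they are used.
# Assumptions: openssl 1.1.1+ on PATH; the daemon address is a placeholder.
set -eu

# Constructed demo PKI. Real deployments keep the CA key off the client host.
make_demo_pki() {
  dir="$1"; ip="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/O=PHP-HTTP/CN=socket-server" 2>/dev/null
  # Server cert: a CN alone is not enough for modern verifiers, put the IP in a SAN.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -out "$dir/server.req" -subj "/O=PHP-HTTP/CN=$ip" 2>/dev/null
  printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$ip" > "$dir/server.ext"
  openssl x509 -req -days 30 -in "$dir/server.req" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/server.pem" 2>/dev/null
  # Client cert, restricted to client authentication.
  openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
    -out "$dir/client.req" -subj "/O=PHP-HTTP/CN=socket-adapter-client" 2>/dev/null
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -days 30 -in "$dir/client.req" -CA "$dir/ca.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
    -out "$dir/client.pem" 2>/dev/null
}

# Combined PEM for curl --cert: certificate block followed by the key block.
# The file now holds a private key, so keep it readable by the owner only.
bundle_client() { cat "$1" "$2" > "$3"; chmod 600 "$3"; }

# The bundle must contain exactly one certificate and a private key.
bundle_has_cert_and_key() {
  [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1")" -eq 1 ] &&
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# The key is the one the certificate was issued for (same public key).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The client certificate chains to the CA that will be passed via --cacert.
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# The server certificate chains to that CA and its SAN names the IP curl will dial.
server_cert_valid_for() { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

# Stand-alone run: build, bundle, check, then print the curl command to use.
main() {
  ip="${1:-192.168.56.10}"   # placeholder daemon address taken from the question
  dir="$(mktemp -d)"
  make_demo_pki "$dir" "$ip"
  bundle_client "$dir/client.pem" "$dir/client.key" "$dir/cert-and-key.pem"
  bundle_has_cert_and_key "$dir/cert-and-key.pem"
  key_matches_cert "$dir/client.pem" "$dir/client.key"
  chains_to_ca "$dir/ca.pem" "$dir/client.pem"
  server_cert_valid_for "$dir/ca.pem" "$dir/server.pem" "$ip"
  echo "checks passed; connect with:"
  echo "curl --cacert $dir/ca.pem --cert $dir/cert-and-key.pem https://$ip:2376/version"
}

main "$@"
```

Each check maps to one of the failures curl otherwise reports only as a generic TLS error: a key/certificate mismatch fails key_matches_cert, a certificate signed by some other CA fails chains_to_ca, and a server certificate without the daemon's address in its SAN fails server_cert_valid_for. The same openssl verify call with -verify_ip is a quick way to predict whether a given --cacert file will let curl accept the daemon's certificate.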
