无法使用自签名证书。在本地主机上

tag-icon tag-icon ubuntu arch-linux ssl certificates https
无法使用自签名证书。在本地主机上

我为本地主机创建了一个自签名证书用于测试,如下所示:

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out certificate.csr
openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem

我在 FQDN 中指定了“localhost”。就这样,我没有做任何其他事情,也没有将它们复制到任何地方,所有 3 个文件都在我的应用程序的目录中。

当我在本地主机上运行不是 apache 或 nginx 的 Web 服务器时,出现以下错误:

$ curl -v https://localhost:3345
* Rebuilt URL to: https://localhost:3345/
*   Trying ::1...
* connect to ::1 port 3345 failed: Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 3345 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

如果这很重要,这是我的代码:

startApp = do
  let port = 3345
  print $ "Listening the port " ++ (show port) ++ " ..."
  let tls = tlsSettings "certificate.pem" "key.pem"
  runTLS tls (setPort port defaultSettings) app

所以你看我使用的是“pem”和“pem”,而不是“csr”和端口 3345。

我使用的是 Arch,但我也需要 Ubuntu 的解决方案。

我该如何修复该错误?

请注意,在浏览器中我也遇到错误。特别是在 FF 中:

The owner of localhost has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

答案1

默认情况下,Curl 使用系统的信任存储来确定证书链的信任。此信任存储包含受信任的 CA 证书列表。由于您已经进行了自签名并且没有使用通向信任存储中的 CA 证书的链,因此curl 会失败您的请求,因为它不信任您的链。

任何一个:

  1. 让您的 CSR 由受信任的证书颁发机构签名,而不是自签名 (让我们加密由于它链接到的根证书,它是免费的并且受到几乎每个信任存储的信任),或者
  2. 将您的证书添加到系统信任存储中,或者
  3. 用于--cacert <your cert>仅信任此证书,或者
  4. 使用curl -k(不推荐,因为没有进行验证)

相关内容