我正在尝试配置 Janus Gateway,但我的自签名证书出现问题,请参阅下面的日志
Jan 25 09:50:46 localhost platform: [2018/01/25 09:50:46 EST] [EROR] /api/v4/webrtc/token:WebRTC.Token code=500 rid=7mgqedeejpnt3gginnpj5ikape uid=k7m4t6r663frfqaoo5enspfuqh ip=192.168.20.3 We encountered an error while connecting to the server [details: Post https://192.168.20.140:7889/admin: x509: cannot validate certificate for 192.168.20.140 because it doesn't contain any IP SANs]
我的主机名是 webrtc,IP 地址是 192.168.20.140,本地 DNS 是 192.168.20.1
我的理解是,我的证书中可能没有 SAN 信息,因此我按照在线教程修改了生成证书请求的命令。请参阅下面的配置文件。
[ req ]
default_bits = 2048 # RSA key size
encrypt_key = yes # Protect private key
default_md = sha256 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = yes # Prompt for DN
distinguished_name = san_dn # DN template
x509_extensions = v3_ca
req_extensions = san_reqext # Desired extensions
x509_extensions = usr_cert
[ san_dn ]
countryName = "1. Country Name (2 letters) (eg, US) "
countryName_max = 2
stateOrProvinceName = "2. State or Province Name (eg, region) "
localityName = "3. Locality Name (eg, city) "
organizationName = "4. Organization Name (eg, company) "
organizationalUnitName = "5. Organizational Unit Name (eg, section) "
commonName = "6. Common Name (eg, full name)"
commonName_max = 64
[ san_reqext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning, msCodeInd, msCodeCom
nsCertType = client,server,email,objsign
subjectAltName = @alt_names
[ usr_cert ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning, msCodeInd, msCodeCom
nsCertType = client,server,email,objsign
authorityKeyIdentifier = keyid,issuer
[ alt_names ]
DNS.0 = localhost
DNS.1 = webrtc
DNS.2 = 192.168.20.140
DNS.3 = 192.168.20.1
以下是我用来生成证书请求的命令
openssl req -new -key ./webrtc_secret.key -config ./san_request.cfg -out ./webrtc.csr
下面是我使用自签名 CA 和生成的证书请求生成证书的命令
openssl x509 -req -in ./webrtc.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial \
-out ./webrtc.pem -days 365 -sha256
您能发现我的证书请求有什么错误吗?
更新 1:
看起来我生成的证书请求有正确的信息。
Requested Extensions:
X509v3 Subject Key Identifier:
F0:CA:B8:FE:FA:CE:29:CE:0E:CB:01:93:B6:97:96:30:8E:B3:16:DB
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage: critical
Code Signing, Microsoft Individual Code Signing, Microsoft Commercial Code Signing
Netscape Cert Type:
SSL Client, SSL Server, S/MIME, Object Signing
X509v3 Subject Alternative Name:
DNS:localhost, DNS:webrtc, DNS:192.168.20.140, DNS:192.168.20.1
更新 2 因此,您会认为 openssl 会在生成证书时使用证书请求中的所有信息。错了!在使用证书请求生成自签名证书时,我必须手动指定扩展名。请参阅下面的示例...这可能是答案。我现在要尝试一下
openssl x509 -req -in ./webrtc.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial -out ./webrtc.pem -days 365 -sha256 -extfile ./san_ext.cfg -extensions san_reqext
[ req ]
req_extensions = san_reqext # Desired extensions
[ san_reqext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = mattermost
IP.0 = 192.168.20.140
IP.1 = 192.168.20.1
不确定信息丢失在哪里。
答案1
主题备用名称部分中的 IP 地址需要标识为IP
,而不是DNS
。因此,请将alt_names
OpenSSL 配置文件的部分更改为如下所示:
[ alt_names ]
DNS.0 = localhost
DNS.1 = webrtc
IP.0 = 192.168.20.140
IP.1 = 192.168.20.1
然后重新生成请求和证书。
答案2
请阅读我的整个问题,然后阅读我的更新 2。更新 2 中有详细的答案。
因此,您可能会认为 openssl 在生成证书时会使用证书请求中的所有信息。错了!使用证书请求生成自签名证书时,我必须手动指定扩展名。
这是一个例子...
openssl x509 -req -in ./webrtc.csr -CA ./rootCA.pem -CAkey ./rootCA.key -CAcreateserial -out ./webrtc.pem -days 365 -sha256 -extfile ./san_ext.cfg -extensions san_reqext
[ req ]
req_extensions = san_reqext # Desired extensions
[ san_reqext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = localhost
DNS.1 = mattermost
IP.0 = 192.168.20.140
IP.1 = 192.168.20.1