操作系统:CentOS 7
西南:NginX
现有的东西
- dhparam.pem
- 我的域名.com.crt
- 我的域名.com.csr
- 我的域名.com.key
问题:
我正在尝试通过创建客户端证书来创建客户端验证,然后使用 NginX 将一个服务器的请求验证到我的目标服务器。但是我不断收到400 Bad Request - No required SSL certificate was sent
错误消息。我做错了什么?以下是我所做的:
openssl genrsa -out 客户端.key 4096
openssl req -new -key 客户端.key -out 客户端.csr
openssl x509 -req -days 365 -sha256 -in 客户端.csr -CA mydomain.com.crt -CAkey 客户端.key -set_serial 2 -out 客户端.crt
每个命令都成功运行,但是错误仍然存在。同样在我的 NginX 中,在目标服务器上,我有:
ssl_certificate /etc/nginx/ssl/mydomain.com.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;
ssl_client_certificate /etc/nginx/ssl/mydomain.com.crt;
NGINX 配置:
server {
listen 80;
listen 443 ssl;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
ssl_certificate /etc/nginx/ssl/mydomain.com.crt;
ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;
ssl_client_certificate /etc/nginx/ssl/client.crt;
ssl_verify_client optional;
server_name uploads.mydomain.com;
root /var/www/html/com.mydomain.uploads/public;
error_log /var/log/nginx/mydomain.com/error.log;
access_log /var/log/nginx/mydomain.com/access.log main;
index index.php;
rewrite ^/index\.php?(.*)$ /$1 permanent;
location / {
try_files $uri @rewrite;
}
location @rewrite {
rewrite ^(.*)$ /index.php/$1 last;
}
location ~ ^/index.php(/|$) {
fastcgi_pass unix:/var/run/php-fpm/uploads.sock;
fastcgi_split_path_info ^(.+\.php)(/.*)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
}
}
答案1
这是一个非常愚蠢的错误,现在我对自己感到羞愧。
我认为网站证书与 CA 证书相同。所以现在我创建了新的 ca.key 和 ca.crt 文件,并用它们签署了客户端证书,就这样。:(
ssl_certificate /etc/nginx/ssl/mydomain.com.crt; ssl_certificate_key /etc/nginx/ssl/mydomain.com.key; ssl_client_certificate /etc/nginx/ssl/ca.crt;
因此所有命令的顺序如下:
创建 CA 密钥和证书:
- openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-selfsigned.key -out nginx-selfsigned.crt
创建客户端密钥和 CSR
- openssl genrsa -out 客户端.key 2048
- openssl req -new -key 客户端.key -out 客户端.csr
使用 CA 文件签署客户 CSR
- openssl x509 -req -days 3652 -sha256 -in 客户端.csr -CA nginx-selfsigned.crt -CAkey nginx-selfsigned.key -set_serial 2 -out 客户端.crt
可选:将 client.crt 转换为包含私钥的 base64 编码 pem
- openssl pkcs12 -export -clcerts -in 客户端.crt -inkey 客户端.key -out 客户端.p12
- openssl pkcs12 -输入客户端.p12 -输出客户端.pem -节点
巨大的纸条! CA 文件和客户端文件的组织名称不能相同!否则将中断并无法进行身份验证。
我希望我能够帮助那些和我一样愚蠢的人。