httpd and curl: configure an https connection from a p12 file for client verification


I am deploying an httpd. I need to configure SSL so that clients are verified against a client certificate.

To do that, I have a p12 file containing the private key, the client certificate and the CA chain certificates:

CA chain certificates

➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----

Client certificate

➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys
Bag Attributes
    ...
-----BEGIN CERTIFICATE-----
$$$$$$$...
-----END CERTIFICATE-----

Client private key

➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts
Bag Attributes
    ...
-----BEGIN PRIVATE KEY-----
$$$$$$$...
-----END PRIVATE KEY-----

To split this p12 file into separate certificate and key files:

➜ ~ openssl pkcs12 -in fitxers.p12 -nocerts -out client.key.pem
➜ ~ openssl pkcs12 -in fitxers.p12 -clcerts -nokeys -out client.crt
➜ ~ openssl pkcs12 -in fitxers.p12 -cacerts -nokeys -out cacerts.crt

So, from here on, I configure my httpd as:

SSLEngine On
SSLCACertificateFile /usr/local/apache2/conf/cacerts.crt
...

I am trying to establish a connection with curl:

curl --cert client.crt --key client.key.pem https://localhost:8080/token -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

In the httpd server log I get:

[Tue Sep 17 11:17:28.144219 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01964: Connection to child 68 established (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.148318 2019] [ssl:debug] [pid 8:tid 139871525332736] ssl_engine_kernel.c(2375): [client 10.0.2.4:52926] AH02645: Server name not provided via TLS extension (using default/first virtual host)
[Tue Sep 17 11:17:28.155178 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:17:28.155569 2019] [ssl:info] [pid 8:tid 139871525332736] SSL Library Error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown (SSL alert number 46)
[Tue Sep 17 11:17:28.155609 2019] [ssl:info] [pid 8:tid 139871525332736] [client 10.0.2.4:52926] AH01998: Connection closed to child 68 with abortive shutdown (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114529 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01964: Connection to child 69 established (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.114667 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114674 2019] [ssl:debug] [pid 8:tid 139871448463104] ssl_engine_kernel.c(2354): [client 10.255.0.2:48060] AH02044: No matching SSL virtual host for servername localhost found (using default/first virtual host)
[Tue Sep 17 11:19:01.114679 2019] [core:debug] [pid 8:tid 139871448463104] protocol.c(2314): [client 10.255.0.2:48060] AH03155: select protocol from , choices=h2,http/1.1 for server 10.0.2.47
[Tue Sep 17 11:19:01.117705 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH02008: SSL library error 1 in handshake (server 10.0.2.47:443)
[Tue Sep 17 11:19:01.117827 2019] [ssl:info] [pid 8:tid 139871448463104] SSL Library Error: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (SSL alert number 48)
[Tue Sep 17 11:19:01.117858 2019] [ssl:info] [pid 8:tid 139871448463104] [client 10.255.0.2:48060] AH01998: Connection closed to child 69 with abortive shutdown (server 10.0.2.47:443)

I also tried cacerts.pem, using:

curl --cacert ./cacerts.pem --cert client.crt --key client.key.pem https://localhost:8080/token -v

Any ideas?
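Before tracing the failure through httpd and curl, it pays to check the split files offline. The script below is an added example, not code from the original post or from the httpd or curl projects: it builds a constructed mini PKI with two distinct CAs, packs the client identity into a .p12 the way the question shows, splits it with the same three pkcs12 invocations (plus -nodes, so the extracted key is not re-encrypted and curl stops prompting for a pass phrase), and verifies each piece with openssl. The file names, subjects and the export password are assumptions. The last two checks show the point the transcript turns on: curl's "unable to get local issuer certificate" is curl failing to verify the server's certificate against its trust store, not a complaint about the client certificate, and the CA chain pulled out of the p12 (which belongs in SSLCACertificateFile) does nothing for that check.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway PKI, pack the
# client identity into a .p12 as in the question, split it with the same
# pkcs12 commands, and check each piece offline. Names, subjects and the
# export password below are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed mini PKI. Two separate CAs on purpose: the one that issues
# client certs (what SSLCACertificateFile must hold) and the one that issues
# the server cert (what curl's --cacert must hold). They are not interchangeable.
issue() {   # issue <ca-basename> <subject-cn> <out-basename>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$3.crt" 2>/dev/null
}
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Client CA" \
    -keyout clientca.key -out clientca.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Server CA" \
    -keyout serverca.key -out serverca.crt 2>/dev/null
issue clientca client client-identity
issue serverca localhost server

# Pack the client key, its cert and the issuing CA into one PKCS#12 file.
openssl pkcs12 -export -inkey client-identity.key -in client-identity.crt \
    -certfile clientca.crt -passout pass:secret -out fitxers.p12

# The split from the question. -nodes leaves the extracted key unencrypted;
# without it curl asks "Enter PEM pass phrase" as in the transcript.
openssl pkcs12 -in fitxers.p12 -passin pass:secret -nocerts -nodes -out client.key.pem
openssl pkcs12 -in fitxers.p12 -passin pass:secret -clcerts -nokeys -out client.crt
openssl pkcs12 -in fitxers.p12 -passin pass:secret -cacerts -nokeys -out cacerts.crt

# Check 1: the extracted key really belongs to the extracted cert
# (compare the SubjectPublicKeyInfo each side carries). Prints yes|no.
key_matches_cert() {   # key_matches_cert <key.pem> <cert.pem>
    k="$(openssl pkey -in "$1" -pubout 2>/dev/null)"
    c="$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)"
    [ "$k" = "$c" ] && echo yes || echo no
}

# Check 2: how many certificates a PEM bundle holds (the Bag Attributes
# lines pkcs12 adds are ignored by every PEM reader, so they can stay).
count_certs() {   # count_certs <bundle.pem>
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Check 3: chain building against a given trust anchor. Prints OK, or the
# verify error; for a missing issuer that is the exact text curl printed.
verify_against() {   # verify_against <anchor.pem> <cert.pem>
    out="$(openssl verify -CAfile "$1" "$2" 2>&1)" && { echo OK; return 0; }
    case "$out" in
        *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
        *) echo "FAIL: $out" ;;
    esac
}

echo "key <-> cert:                         $(key_matches_cert client.key.pem client.crt)"
echo "CA certs extracted:                   $(count_certs cacerts.crt)"
echo "client.crt vs cacerts.crt:            $(verify_against cacerts.crt client.crt)"
echo "server.crt vs cacerts.crt (wrong CA): $(verify_against cacerts.crt server.crt)"
echo "server.crt vs serverca.crt:           $(verify_against serverca.crt server.crt)"
```

The fourth line reproduces the curl error with nothing but openssl: a certificate checked against a bundle that does not contain its issuer fails with "unable to get local issuer certificate". In the question that certificate is httpd's own server certificate and the bundle is curl's default store (/etc/ssl/certs/ca-certificates.crt), so the fix is to hand curl the CA that issued the server certificate via --cacert, not the client CA chain from the p12. Separately, the posted httpd fragment sets only SSLCACertificateFile; mod_ssl does not request a client certificate at all unless SSLVerifyClient is set (to require or optional), and it needs SSLCertificateFile/SSLCertificateKeyFile for the server side of the handshake.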

Answer 1

$ openssl pkcs12 -in certificate.p12 -out file.key.pem -nocerts -nodes
$ openssl pkcs12 -in certificate.p12 -out file.crt.pem -clcerts -nokeys

$ curl -k --cert ./file.crt.pem --cert-type PEM --key ./file.key.pem --key-type PEM --pass password  "https://<server-ip>:443/actuator/health"
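Answer 1 passes -k, which makes curl skip server-certificate verification altogether; the connection then succeeds only because the check that was failing has been switched off, and the client no longer knows who it is sending its credentials to. The script below is an added example, not code from the original post, the answer, or the httpd or curl projects. It replays both outcomes locally, with openssl s_server standing in for httpd and openssl s_client standing in for curl, so the alert in the httpd log and the curl error can be seen side by side. Port 4433, the file names and subjects are assumptions, as is the option mapping: on s_server, -CAfile plus -Verify corresponds to SSLCACertificateFile plus SSLVerifyClient require; on s_client, -CAfile is curl's --cacert, -cert/-key are --cert/--key, and -verify_return_error makes s_client abort on a failed server-certificate check the way curl does (dropping it is the s_client equivalent of -k).

```shell
#!/bin/sh
# Added example (not from the original post or answer): replay the handshake
# from the question with openssl s_server (httpd stand-in) and openssl
# s_client (curl stand-in). Port, file names and subjects are assumptions.
set -eu

PORT="${PORT:-4433}"
WORK="$(mktemp -d)"
trap 'kill "${SRV:-}" 2>/dev/null; rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed mini PKI: a server CA that issues the server cert, and a
# self-signed client cert that the server uses directly as its trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Server CA" \
    -keyout serverca.key -out serverca.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA serverca.crt -CAkey serverca.key \
    -CAcreateserial -days 2 -out server.crt 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=client" \
    -keyout client.key -out client.crt 2>/dev/null

# httpd stand-in: present server.crt, demand a client cert that verifies
# against client.crt (SSLCACertificateFile + SSLVerifyClient require).
openssl s_server -accept "$PORT" -cert server.crt -key server.key \
    -CAfile client.crt -Verify 1 -www >server.log 2>&1 &
SRV=$!
# Wait until the listener answers TCP connects (s_client prints CONNECTED).
i=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null 2>&1 | grep -q '^CONNECTED'; do
    i=$((i + 1)); [ "$i" -lt 50 ] || { echo "server did not start" >&2; exit 1; }
    sleep 0.2
done

# One curl-like attempt. Prints "ok" when the server cert verified and the
# server answered the request (so the client cert was accepted too),
# otherwise the verify error s_client reported.
client_attempt() {   # client_attempt <trust-anchor-for-the-server-cert>
    out="$(printf 'GET / HTTP/1.0\r\n\r\n' | openssl s_client -connect "127.0.0.1:$PORT" \
            -cert client.crt -key client.key -CAfile "$1" \
            -verify_return_error -ign_eof 2>&1 || true)"
    case "$out" in
        *"HTTP/1.0 200 ok"*)                        echo ok ;;
        *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
        *)                                          echo "other: $(printf '%s\n' "$out" | tail -n 1)" ;;
    esac
}

# What the server side logged for the failed attempt: the client's alert,
# the same "tlsv1 alert unknown ca" line that appears in the httpd log.
server_saw_unknown_ca() {   # prints yes|no, polling briefly for the log line
    i=0
    until grep -q 'alert unknown ca' server.log; do
        i=$((i + 1)); [ "$i" -lt 20 ] || { echo no; return 0; }
        sleep 0.2
    done
    echo yes
}

# The mistake from the question: --cacert pointed at the client CA chain.
echo "client trusting only its own chain: $(client_attempt client.crt)"
echo "server log shows unknown ca alert:  $(server_saw_unknown_ca)"
# The fix: --cacert pointing at the CA that issued the server certificate.
echo "client trusting the server CA:      $(client_attempt serverca.crt)"
```

In curl terms the working invocation is therefore `curl --cacert serverca.crt --cert client.crt --key client.key https://localhost:4433/`, with no -k: the server's certificate is verified against the CA that actually issued it, and the client certificate is presented and checked by the server against its own trust anchor. The two trust stores are different files with different jobs.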
