尽管验证了 PEM 文件并在正确的位置安装了自签名证书,但我无法向 HaProxy 提供有效的 PEM 文件

尽管验证了 PEM 文件并在正确的位置安装了自签名证书,但我无法向 HaProxy 提供有效的 PEM 文件

我将完整发布我的私钥,因为它是一个用于开发和调试目的的示例。

这是我创建 PEM 文件的过程:

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

sudo openssl genrsa -out example.dev.key 1024
sudo openssl req -new -key example.dev.key -out example.dev.csr
sudo openssl x509 -req -days 365 -in example.dev.csr -signkey example.dev.key -out example.dev.crt
sudo cat example.dev.crt example.dev.key | sudo tee example.dev.pem

这是一个自签名证书。PEM 文件如下所示:

-----BEGIN CERTIFICATE-----
MIICcjCCAdsCFAFD5rYw03KeoC3z95/Ahl2O1x38MA0GCSqGSIb3DQEBCwUAMHgx
CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRAwDgYDVQQHDAdGcmVt
b250MR4wHAYDVQQKDBVFdmVyZXggQ29tbXVuaWNhdGlvbnMxDDAKBgNVBAsMA2Rl
djEUMBIGA1UEAwwLZGV2ZWxvcG1lbnQwHhcNMjAxMjA5MTkwNTAyWhcNMjExMjA5
MTkwNTAyWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEQMA4G
A1UEBwwHRnJlbW9udDEeMBwGA1UECgwVRXZlcmV4IENvbW11bmljYXRpb25zMQww
CgYDVQQLDANkZXYxFDASBgNVBAMMC2RldmVsb3BtZW50MIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQC8VVayel+HPW7xzmiy4SM/+JlkdUrcy9x8dR4ChxJ4ic+6
FgmsfDu+IE31GfzGBOnPsT+eVGI+0oX4mJpM0axnwdI7U25CrVSOe7pvTaNPlmWc
ptVb/DZQU+JjSna1fUuGU+f+Ile5U6YAuBjWDzfvizF9viGc95pIcpjftQYxTwID
AQABMA0GCSqGSIb3DQEBCwUAA4GBAKp3won6y2Y712spVbxjklzSgYRQCi8aBFZd
Nv3B5YvPg+MXIKCvj9fDdAwqQU1eBj5arF9bL2NixAdT3P+77db3FSPeje5CRd57
tHhRzFb0GSjiW304VI+v/ptfb95jA5CwvAF9uMvNHrTVT8Aln3pldpitvtP5LtpM
qa0iD2xG
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQC8VVayel+HPW7xzmiy4SM/+JlkdUrcy9x8dR4ChxJ4ic+6Fgms
fDu+IE31GfzGBOnPsT+eVGI+0oX4mJpM0axnwdI7U25CrVSOe7pvTaNPlmWcptVb
/DZQU+JjSna1fUuGU+f+Ile5U6YAuBjWDzfvizF9viGc95pIcpjftQYxTwIDAQAB
AoGAVJQes1ixvhKg2IdSDcN+CSSj/rGORUpoYpxWNdxjNy7s0y1CeuvwCJqJaCGb
m3JpbpSzdW+AD6aL8/DUmtsvCUQEg4g49K8j/z942HqatZS3Zuucf7SHzWlvze+N
JDrQabnq53+zAvfqf8+8fhbuRxoanl120kdVcIutPgN38cECQQDsnBpKNRGc6jA8
+lh4KciqQ+32gY7Z+dsSW4i1vufLnTkbS1rO2DL0ruuZzjnOT4FuE7SU4T1N4Qni
3PRNG4PjAkEAy8RuuGWuzULJ7mE/F9SKnYcaugoVNsSMNTwObTytIQtvb66l4M06
Jp/BvLJy5Atys/WzhQ6xXuxR9zmS44QQpQJBAOooirQJ1QZvlZGjR86Tu20VkPi1
uwPpi26de6wx4//T9uIWLyYpPDR+r9clCnwsnrCre7kjN6JNJZWIiZWNt3UCQQCo
fYoMIdBz2+k7mt/f5Zik/2VjNhkqi0Vgc4N+YjDKZTlFAQYap7iQ3YMGdAw6cxjq
o51Ixch2tDRmmA3U4YwdAkBY19AJj4ZwcyfjDs9z7gy4MQcJp+YVNcuTLEd6z5HK
5ECCSy5S0UPwwxleUPUIv/nNrAchTUt5UtlgQuO7arPX
-----END RSA PRIVATE KEY-----

好的,现在我有了这个,我验证了它如下。所有密钥对所有用户都有读/写权限:

https://www.ssl247.com/kb/ssl-certificates/troubleshooting/certificate-matches-private-key

openssl x509 –noout –modulus –in example.dev.crt | openssl md5

openssl rsa –noout –modulus –in example.dev.key | openssl md5

openssl req -noout -modulus -in example.dev.csr | openssl md5

我在 Ubuntu 20.04 上,我在 /etc/ssl 和 /etc/haproxy 中安装了密钥:

http://gagravarr.org/writing/openssl-certs/others.shtml#selfsigned-openssl

$ cd /etc/ssl
$ ln -s example.dev.crt `openssl x509 -hash -noout -in example.dev.crt`.0

ajorona@ajorona-box/etc/haproxy$ ls -l
total 12
drwxr-xr-x 2 root root 4096 Dec  8 17:55 errors
-rw-r--r-- 1 root root 1795 Dec  9 12:28 example.dev.pem

现在我的 haproxy.cfg 文件有以下几行:

bind *:443 ssl crt /etc/haproxy/example.dev.pem
redirect scheme https if !{ ssl_fc }

我验证了我的 haproxy.cfg:

ajorona@ajorona-box:~/server $ haproxy -c -f haproxy.cfg 
[ALERT] 343/123930 (114320) : parsing [haproxy.cfg:29] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/example.dev.pem'.
[ALERT] 343/123930 (114320) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 343/123930 (114320) : Fatal errors found in configuration.
ajorona@ajorona-box:~/server $ sudo haproxy -c -f haproxy.cfg 
[ALERT] 343/123933 (114444) : parsing [haproxy.cfg:29] : 'bind *:443' : unable to load SSL certificate from PEM file '/etc/haproxy/example.dev.pem'.
[ALERT] 343/123933 (114444) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 343/123933 (114444) : Fatal errors found in configuration.

我花了整整一天的时间来解决此问题,我真的不知道为什么会发生这种情况......

答案1

您是否解决了证书问题。我得到了相同的结果,我的证书存在,并且对它们的访问也是开放的(haproxy 使用 ssl cets 读取目录没有任何限制)。所有证书均为 PEM 格式,并包含密钥 crt。任何帮助都非常感谢。

相关内容