I followed this guide as strictly as I could to set up nginx: https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/
(I also posted the same question on Stack Overflow: https://stackoverflow.com/questions/67295805/client-certificates-for-nginx-upstream-not-working). The result is as follows:
stream {
    upstream broker {
        server 10.110.0.4:1883 fail_timeout=10s max_fails=1;
        server 10.110.0.3:1883 fail_timeout=10s max_fails=1;
        server 10.110.0.6:1883 fail_timeout=10s max_fails=1;
    }
    server {
        error_log /var/log/nginx/mqtt_error.log debug;
        ssl_certificate /etc/nginx/ssl/mqtt.domain.com/server.crt;
        ssl_certificate_key /etc/nginx/ssl/mqtt.domain.com/server.key;
        ssl_client_certificate /root/clientca/ca.crt;
        ssl_verify_client on;
        ssl_protocols TLSv1.2;
        listen mqtt.domain.com:8883 ssl;
        proxy_pass broker;
        proxy_ssl_server_name on;
        proxy_connect_timeout 1s;
    }
}
When I try to connect an MQTT client, I get this error in nginx:
2021/04/28 07:34:20 [debug] 780885#780885: accept on 188.166.22.84:8883, ready: 1
2021/04/28 07:34:20 [debug] 780885#780885: posix_memalign: 0000563822D6D490:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 accept: 11.65.81.90:51256 fd:3
2021/04/28 07:34:20 [debug] 780885#780885: posix_memalign: 0000563822D6D6F0:256 @16
2021/04/28 07:34:20 [info] 780885#780885: *5 client 11.65.81.90:51256 connected to 111.166.22.84:8883
2021/04/28 07:34:20 [debug] 780885#780885: *5 posix_memalign: 0000563822D6D930:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 0
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 1
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 2
2021/04/28 07:34:20 [debug] 780885#780885: *5 tcp_nodelay
2021/04/28 07:34:20 [debug] 780885#780885: *5 posix_memalign: 0000563822D6D820:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:20 [debug] 780885#780885: *5 SSL_get_error: 2
2021/04/28 07:34:20 [debug] 780885#780885: *5 epoll add event: fd:3 op:1 ev:80002001
2021/04/28 07:34:20 [debug] 780885#780885: *5 event timer add: 3: 60000:9742886896
2021/04/28 07:34:20 [debug] 780885#780885: accept() not ready (11: Resource temporarily unavailable)
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL handshake handler: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_get_error: 2
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL handshake handler: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_get_error: 1
2021/04/28 07:34:25 [info] 780885#780885: *5 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 11.65.81.90, server: 111.166.22.84:8883
2021/04/28 07:34:25 [debug] 780885#780885: *5 finalize stream session: 500
2021/04/28 07:34:25 [debug] 780885#780885: *5 stream log handler
2021/04/28 07:34:25 [debug] 780885#780885: *5 close stream connection: 3
2021/04/28 07:34:25 [debug] 780885#780885: *5 event timer del: 3: 9742886896
2021/04/28 07:34:25 [debug] 780885#780885: *5 reusable connection: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D490, unused: 64
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D6F0, unused: 80
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D930, unused: 80
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D820, unused: 136
I have very little experience with servers.
Answer 1
So, I ended up solving the problem via the link above. Here is a list of the problems and solutions:
- I had a Let's Encrypt domain certificate and client keys, as shown in this link. Mosquitto was passing the ca-chain and verifying the Let's Encrypt SSL first, but it failed.
- I guessed that the root ca.cert.pem did not contain all the data needed, so I used the intermediate ca-chain.cert.pem instead.
- Mosquitto needs the --insecure flag (this is not relevant if I use a paid SSL certificate, as in the following example: https://www.ssltrust.com/help/setup-guides/client-certificate-authentication)
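To reproduce the failure in the question and the fix in the answer locally, here is an added example (it is not from the question, the answer, nginx or mosquitto) using only Go's standard library: it builds a root -> intermediate -> server chain plus a separate client CA, gives the client only the root to trust, and runs a mutual-TLS handshake over loopback first with the server sending its leaf alone (the state the question's server.crt was in) and then with leaf plus intermediate (the answer's ca-chain / fullchain). The hostname mqtt.example.test and every certificate are constructed for the example, and the client keeps server verification switched on throughout, so no --insecure flag is involved.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert issues a certificate for cn signed by parent/pkey (a self-signed root when parent is nil). Constructed test PKI only.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	if parent == nil { parent, pkey = t, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der); return c, key
}
// handshake runs one mutual-TLS handshake over loopback and returns the error the client saw (nil on success).
func handshake(chain [][]byte, skey *ecdsa.PrivateKey, clientCAs, roots *x509.CertPool, cc tls.Certificate) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, // ssl_verify_client on
		ClientCAs: clientCAs, Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: skey}}}) // ssl_client_certificate / ssl_certificate
	if err != nil { return err }
	defer ln.Close()
	go func() { // server side: accept once, drive the handshake, close
		if c, e := ln.Accept(); e == nil { c.(*tls.Conn).Handshake(); c.Close() }
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "mqtt.example.test", // roots ~ the client's CA file
		Certificates: []tls.Certificate{cc}})
	if err != nil { return err } // e.g. "certificate signed by unknown authority": the client rejected the server's chain
	conn.Close(); return nil
}
// runScenarios models the question: root -> intermediate -> server, client trusts only the root, devices use a separate client CA.
func runScenarios() (leafOnly, fullChain error) {
	root, rootKey := mkCert("root-ca", true, nil, nil)
	inter, interKey := mkCert("intermediate-ca", true, root, rootKey)
	srv, srvKey := mkCert("mqtt.example.test", false, inter, interKey)
	clientCA, clientCAKey := mkCert("client-ca", true, nil, nil) // plays /root/clientca/ca.crt
	dev, devKey := mkCert("device-001", false, clientCA, clientCAKey)
	roots, clientCAs := x509.NewCertPool(), x509.NewCertPool(); roots.AddCert(root); clientCAs.AddCert(clientCA)
	cc := tls.Certificate{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey}
	leafOnly = handshake([][]byte{srv.Raw}, srvKey, clientCAs, roots, cc)            // server.crt = leaf only
	fullChain = handshake([][]byte{srv.Raw, inter.Raw}, srvKey, clientCAs, roots, cc) // server.crt = leaf + intermediate (fullchain)
	return
}
func main() { a, b := runScenarios(); fmt.Println("leaf only:", a, "| full chain:", b) }
```

Without the intermediate the client fails with "certificate signed by unknown authority"; an OpenSSL-based client such as mosquitto sends that verdict back as alert 48 (unknown ca), which is exactly what nginx's debug log above records. With the full chain the same client, still verifying the server, completes the handshake.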