Client certificates for an nginx upstream (unknown ca: SSL alert number 48)

I followed this guide for nginx as closely as I could: https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/

(I posted the same question on the main Stack Overflow site: https://stackoverflow.com/questions/67295805/client-certificates-for-nginx-upstream-not-working) The result is as follows:

    stream {
        upstream broker {
            server 10.110.0.4:1883 fail_timeout=10s max_fails=1;
            server 10.110.0.3:1883 fail_timeout=10s max_fails=1;
            server 10.110.0.6:1883 fail_timeout=10s max_fails=1;
        }

        server {
            error_log /var/log/nginx/mqtt_error.log debug;

            ssl_certificate /etc/nginx/ssl/mqtt.domain.com/server.crt;
            ssl_certificate_key /etc/nginx/ssl/mqtt.domain.com/server.key;
            ssl_client_certificate /root/clientca/ca.crt;
            ssl_verify_client on;
            ssl_protocols TLSv1.2;

            listen mqtt.domain.com:8883 ssl;

            proxy_pass broker;
            proxy_ssl_server_name on;
            proxy_connect_timeout 1s;
        }
    }

When I try to connect an MQTT client, nginx logs this error:

2021/04/28 07:34:20 [debug] 780885#780885: accept on 188.166.22.84:8883, ready: 1
2021/04/28 07:34:20 [debug] 780885#780885: posix_memalign: 0000563822D6D490:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 accept: 11.65.81.90:51256 fd:3
2021/04/28 07:34:20 [debug] 780885#780885: posix_memalign: 0000563822D6D6F0:256 @16
2021/04/28 07:34:20 [info] 780885#780885: *5 client 11.65.81.90:51256 connected to 111.166.22.84:8883
2021/04/28 07:34:20 [debug] 780885#780885: *5 posix_memalign: 0000563822D6D930:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 0
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 1
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 2
2021/04/28 07:34:20 [debug] 780885#780885: *5 tcp_nodelay
2021/04/28 07:34:20 [debug] 780885#780885: *5 posix_memalign: 0000563822D6D820:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:20 [debug] 780885#780885: *5 SSL_get_error: 2
2021/04/28 07:34:20 [debug] 780885#780885: *5 epoll add event: fd:3 op:1 ev:80002001
2021/04/28 07:34:20 [debug] 780885#780885: *5 event timer add: 3: 60000:9742886896
2021/04/28 07:34:20 [debug] 780885#780885: accept() not ready (11: Resource temporarily unavailable)
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL handshake handler: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_get_error: 2
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL handshake handler: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_get_error: 1
2021/04/28 07:34:25 [info] 780885#780885: *5 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 11.65.81.90, server: 111.166.22.84:8883
2021/04/28 07:34:25 [debug] 780885#780885: *5 finalize stream session: 500
2021/04/28 07:34:25 [debug] 780885#780885: *5 stream log handler
2021/04/28 07:34:25 [debug] 780885#780885: *5 close stream connection: 3
2021/04/28 07:34:25 [debug] 780885#780885: *5 event timer del: 3: 9742886896
2021/04/28 07:34:25 [debug] 780885#780885: *5 reusable connection: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D490, unused: 64
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D6F0, unused: 80
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D930, unused: 80
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D820, unused: 136

I have very little experience with servers.

Answer 1

https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html#deploy-the-certificate

So I finally solved it with the link above. Here is a list of the problems and solutions:

  1. I had the letsencrypt domain and client keys as shown in this link. Mosquitto was passing the ca-chain and verifying the letsencrypt SSL first, and that failed
  2. I guessed that the root ca.cert.pem did not contain all the required data, so I used the intermediate ca-chain.cert.pem instead
  3. mosquitto needs the --insecure flag (this is not relevant if I use a paid SSL certificate, as in the example here: https://www.ssltrust.com/help/setup-guides/client-certificate-authentication)
