"self signed certificate in certificate chain", server or client?

I am setting up SSL communication between a pg DB server and a node client. After following some docs and implementing it with openssl, node complains about "self signed certificate in certificate chain". Adding the certificates to the Windows certificate store does not help.

DB server openssl (based on the pg docs)

openssl req -new -x509 -days 3650 -nodes -text -out serverdb.crt -keyout serverdb.key -subj "/CN=localhost"
Generating a RSA private key
writing new private key to 'serverdb.key'

openssl req -new -nodes -text -out rootdb.csr -keyout rootdb.key -subj "/CN=localhost"
Generating a RSA private key
writing new private key to 'rootdb.key'

openssl x509 -req -in rootdb.csr -text -days 3650 -extfile cnf\openssl.cnf -extensions v3_ca -signkey rootdb.key -out rootdb.crt
Signature ok
subject=CN = localhost
Getting Private key

openssl req -new -nodes -text -out serverdb.csr -keyout serverdb.key -subj "/CN=localhot"
Generating a RSA private key
writing new private key to 'serverdb.key'

openssl x509 -req -in serverdb.csr -text -days 3650 -CA rootdb.crt -CAkey rootdb.key -CAcreateserial -out serverdb.crt
Signature ok
subject=CN = localhot
Getting CA Private Key

openssl for the node client:

openssl genrsa -des3 -out clientToDB.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
//rem removing passphrase
openssl rsa -in clientToDB.key -out clientToDB.key
writing RSA key

//rem 2.8 Create the certificate postgresql.crt.
openssl req -new -key clientToDB.key -out clientToDB.csr
...
Common Name (e.g. server FQDN or YOUR name) []:localhost
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//rem 2.9 Sign it using the trusted root certificate:
openssl x509 -req -in clientToDB.csr -CA rootdb.crt -CAkey rootdb.key -out clientToDB.crt -CAcreateserial
Signature ok
Getting CA Private Key

PostgreSQL config file

ssl = on 
ssl_cert_file = 'serverdb.crt'
ssl_key_file = 'serverdb.key'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' 
ssl_prefer_server_ciphers = on
ssl_ca_file = 'rootdb.crt' 
ssl_crl_file = ''

node ssl settings:

ssl:
{
    rejectUnauthorized: true,      // false works
    ca: fs.readFileSync("serverdb.crt").toString(),
    key: fs.readFileSync("clientToDB.key").toString(),
    cert: fs.readFileSync("clientToDB.crt").toString()
}

The environment is

Windows 10, pg and node both local, localhost
openssl v1.1.1k
node v14
no company firewall
