NGINX 和 Let's encrypt 的 mTLS - 400 SSL 证书错误


I use nginx with Let's Encrypt. The server runs on server.io.

I need to set up mTLS, so I also need a client certificate.

I created another Let's Encrypt certificate for client.io (I used certbot: I created the NS entries and everything and got the private/public key for client.io).

I want client.io to be the only one that can connect to server.io:

server {
    listen 443 ssl;
    server_name server.io;

    ssl_certificate /etc/letsencrypt/live/server.io/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/server.io/privkey.pem; # managed by Certbot

    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/shared_keys/client.io/fullchain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
      add_header Content-Type text/plain;
      return 200 'Hello world $ssl_client_s_dn';
    }
}

When I try to connect with:

curl -v --cert client.io/cert.pem --key client.io/privkey.pem  https://secure-qa.topkey.io

I see this in the response:

*   Trying 164.92.108.70:443...
* Connected to server.io (164.92.108.70) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Unknown (8):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Request CERT (13):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
*  subject: CN=server.io
*  start date: Oct  3 06:54:33 2023 GMT
*  expire date: Jan  1 06:54:32 2024 GMT
*  subjectAltName: host "server.io" matched cert's "server.io"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: server.io
> User-Agent: curl/7.87.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Server: nginx/1.22.0 (Ubuntu)
< Date: Tue, 03 Oct 2023 11:58:38 GMT
< Content-Type: text/html
< Content-Length: 224
< Connection: close
<
<html>
<head><title>400 The SSL certificate error</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/1.22.0 (Ubuntu)</center>
</body>
</html>
* Closing connection 0

Judging from the response, it actually looks as if mTLS is working, but I'm not sure why I get an error in the response?

cat /var/log/nginx/error.log returns:

2023/10/04 08:09:29 [crit] 21844#21844: *1250 SSL_do_handshake() failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, client: 162.142.125.221, server: 0.0.0.0:443

nginx setups use a manually created CA certificate, so I guess there must be something wrong with the idea of using a Let's Encrypt certificate, although I read that this should work (ChatGPT). If I can't keep using Let's Encrypt, which certificate should I use/buy to solve this easily?
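Two checks are worth running offline before touching the nginx config above, and the script below is an added example (not the asker's setup, and not nginx or certbot code) that performs both with a throwaway private CA and two client certificates whose names (example-mtls-ca, client-a.example, client-b.example) are constructed placeholders. First, the file given to ssl_client_certificate is used by nginx as the trust store for verifying client certificates, and OpenSSL only accepts a chain that ends in a self-signed root from that store; the script shows that a leaf certificate (and by the same rule a leaf-plus-intermediate fullchain.pem) fails this check while the CA certificate passes. Second, once a CA is the trust anchor, every certificate that CA issued verifies, so limiting access to a single client needs an additional authorization check on the presented certificate; the script pins on the subject in the RFC 2253 form nginx exposes as $ssl_client_s_dn and also prints the lowercase SHA-1 fingerprint nginx exposes as $ssl_client_fingerprint. It requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the question or from nginx/certbot.
# Builds a constructed test PKI (one private CA, two client certs) and runs
# the checks that matter for nginx ssl_verify_client / ssl_client_certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Constructed CA (EC keys keep generation fast; CA:TRUE makes it a valid anchor).
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -days 1 \
    -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=example-mtls-ca" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_client <name>: CSR for CN=<name>, signed by the constructed CA.
issue_client() {
    openssl req -config "$WORK/req.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/$1.pem" >/dev/null 2>&1
}
issue_client client-a.example
issue_client client-b.example

# verify_against_trust_file <trust_file> <client_cert>: "ok" when the cert
# chains to a self-signed root found in <trust_file>, else "failed". This is
# the same OpenSSL chain check nginx applies to the ssl_client_certificate
# file, so a leaf cert (no root inside) can never act as the trust anchor.
verify_against_trust_file() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo failed; fi
}

# Subject DN in RFC 2253 form, the format of nginx's $ssl_client_s_dn.
client_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Lowercase SHA-1 hex without colons, the format of nginx's $ssl_client_fingerprint.
client_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':' | tr 'A-Z' 'a-z'
}

# admit_client <trust_file> <client_cert> <pinned_subject>: "admit" only when
# the cert verifies AND its subject is the one pinned client; verification on
# its own would admit every certificate the CA has issued.
admit_client() {
    [ "$(verify_against_trust_file "$1" "$2")" = ok ] || { echo reject; return 0; }
    if [ "$(client_subject "$2")" = "$3" ]; then echo admit; else echo reject; fi
}

# Demonstration run.
printf 'trust file = leaf cert,  client-a: %s\n' \
    "$(verify_against_trust_file "$WORK/client-a.example.pem" "$WORK/client-a.example.pem")"
printf 'trust file = CA cert,    client-a: %s\n' \
    "$(verify_against_trust_file "$WORK/ca.pem" "$WORK/client-a.example.pem")"
printf 'trust file = CA cert,    client-b: %s\n' \
    "$(verify_against_trust_file "$WORK/ca.pem" "$WORK/client-b.example.pem")"
printf 'pinned CN=client-a.example, client-a offered: %s\n' \
    "$(admit_client "$WORK/ca.pem" "$WORK/client-a.example.pem" "CN=client-a.example")"
printf 'pinned CN=client-a.example, client-b offered: %s\n' \
    "$(admit_client "$WORK/ca.pem" "$WORK/client-b.example.pem" "CN=client-a.example")"
printf 'client-a fingerprint for $ssl_client_fingerprint comparison: %s\n' \
    "$(client_fingerprint "$WORK/client-a.example.pem")"
```

The admit_client decision is what the nginx config on the page only half does when it echoes $ssl_client_s_dn: with the trust anchor in ssl_client_certificate, the equivalent server-side check is to compare $ssl_client_s_dn (or $ssl_client_fingerprint) against the one permitted value and return 403 for anything else, so that passing chain verification alone is not treated as authorization.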
