nginx,ssl,证书和校验
1. 什么是 HTTPS#
要保证 Web 浏览器到服务器的安全连接,HTTPS 几乎是唯一选择。HTTPS 其实就是 HTTP over SSL,也就是让 HTTP 连接建立在 SSL 安全连接之上。SSL 使用证书来创建安全连接,有两种验证模式:
-
仅客户端验证服务器的证书,客户端自己不提供证书;
-
客户端和服务器都互相验证对方的证书。
普通的 Web 网站只采用第一种方式,第二种方式用于网上银行等安全性要求较高的网站。
在第二种方式中,客户端采用这种方式验证证书:服务器自己的证书必须经过某“权威”证书的签名,而这个“权威”证书又可能经过更权威的证书签名,这么一级一级追溯上去,最顶层那个最权威的证书就称为根证书。根证书直接内置在浏览器中,这样,浏览器就可以利用自己自带的根证书去验证某个服务器的证书是否有效。如果要提供一个有效的证书,服务器的证书必须从VeriSign
这样的证书颁发机构签名。这样,浏览器就可以验证通过,否则,浏览器给出一个证书无效的警告。一般安全要求较高的内网环境,可以通过创建自签名 SSL 证书来加密通信。
2. 什么是数字证书#
在 HTTPS 的传输过程中,有一个非常关键的角色--数字证书
,那什么是数字证书?它有什么作用呢?
所谓数字证书,是一种用于电脑的身份识别机制。由数字证书颁发机构(CA)对使用私钥创建的签名请求文件做的签名(盖章),表示 CA 结构对证书持有者的认可。
2.1. 优点#
数字证书拥有以下几个优点:
- 使用数字证书能够提高用户的可信度;
- 数字证书中的公钥,能够与服务端的私钥配对使用,实现数据传输过程中的加密和解密;
- 在证认使用者身份期间,使用者的敏感个人数据并不会被传输至证书持有者的网络系统上。
2.2. 数字证书类型#
x509 的证书编码格式有两种:
-
PEM(Privacy-enhanced Electronic Mail)是明文格式的,以 -----BEGIN CERTIFICATE-----开头,以-----END CERTIFICATE-----结尾。中间是经过 base64 编码的内容,apache 需要的证书就是这类编码的证书.查看这类证书的信息的命令为:
openssl x509 -noout -text -in server.pem
。 -
DER 是二进制格式的证书,查看这类证书的信息的命令为:
openssl x509 -noout -text -inform der -in server.der
2.3. 扩展名#
- .crt 证书文件,可以是 DER(二进制)编码的,也可以是 PEM(ASCII (Base64))编码的),在类 unix 系统中比较常见;
- .cer 也是证书,常见于 Windows 系统。编码类型同样可以是 DER 或者 PEM 的,windows 下有工具可以转换 crt 到 cer;
- .csr 证书签名请求文件,一般是生成请求以后发送给 CA,然后 CA 会给您签名并发回证书;
- .key 一般公钥或者密钥都会用这种扩展名,可以是 DER 编码的或者是 PEM 编码的。查看 DER 编码的(公钥或者密钥)的文件的命令为:
openssl rsa -inform DER -noout -text -in xxx.key
。查看 PEM 编码的(公钥或者密钥)的文件的命令为:openssl rsa -inform PEM -noout -text -in xxx.key
; - .p12 证书文件,包含一个 X509 证书和一个被密码保护的私钥
3. 什么是自签名证书#
当由于某种原因(如:不想通过 CA 购买证书,或者仅是用于测试等情况),无法正常获取 CA 签发的证书。这时可以生成一个自签名证书。使用这个自签名证书的时候,会在客户端浏览器报一个错误,签名证书授权未知或不可信(signing certificate authority is unknown and not trusted)。
自签名证书有两种类型:
-
自签名证书
-
私有 CA 签名证书
自签名证书的
Issuer
和Subject
是相同的。
它们的区别有以下三点:
-
自签名的证书无法被吊销,私有 CA 签名的证书可以被吊销。
-
如果您的规划需要创建多个证书,那么使用私有 CA 签名的方法比较合适,因为只要给所有的客户端都安装相同的 CA 证书,那么以该 CA 证书签名过的证书,客户端都是信任的,也就只需要安装一次就够了。
-
如果您使用用自签名证书,您需要给所有的客户端安装该证书才会被信任。如果您需要第二个证书,则需要给所有客户端安装第二个 CA 证书才会被信任。
4. 如何生成自签名证书#
4.1. 一键生成 ssl 自签名证书脚本
[root@nginx ok]# cat create_self-signed-cert.sh
#!/bin/bash -e
help ()
{
echo ' ================================================================ '
echo ' --ssl-domain: 生成ssl证书需要的主域名,如不指定则默认为localhost,如果是ip访问服务,则可忽略;'
echo ' --ssl-trusted-ip: 一般ssl证书只信任域名的访问请求,有时候需要使用ip去访问server,那么需要给ssl证书添加扩展IP,多个IP用逗号隔开;'
echo ' --ssl-trusted-domain: 如果想多个域名访问,则添加扩展域名(SSL_TRUSTED_DOMAIN),多个扩展域名用逗号隔开;'
echo ' --ssl-size: ssl加密位数,默认2048;'
echo ' --ssl-date: ssl有效期,默认10年;'
echo ' --ca-date: ca有效期,默认10年;'
echo ' --ssl-cn: 国家代码(2个字母的代号),默认CN;'
echo ' 使用示例:'
echo ' ./create_self-signed-cert.sh --ssl-domain=www.test.com --ssl-trusted-domain=www.test2.com \ '
echo ' --ssl-trusted-ip=1.1.1.1,2.2.2.2,3.3.3.3 --ssl-size=2048 --ssl-date=3650'
echo ' ================================================================'
}
case "$1" in
-h|--help) help; exit;;
esac
if [[ $1 == '' ]];then
help;
exit;
fi
CMDOPTS="$*"
for OPTS in $CMDOPTS;
do
key=$(echo ${OPTS} | awk -F"=" '{print $1}' )
value=$(echo ${OPTS} | awk -F"=" '{print $2}' )
case "$key" in
--ssl-domain) SSL_DOMAIN=$value ;;
--ssl-trusted-ip) SSL_TRUSTED_IP=$value ;;
--ssl-trusted-domain) SSL_TRUSTED_DOMAIN=$value ;;
--ssl-size) SSL_SIZE=$value ;;
--ssl-date) SSL_DATE=$value ;;
--ca-date) CA_DATE=$value ;;
--ssl-cn) CN=$value ;;
esac
done
# CA相关配置
CA_DATE=${CA_DATE:-3650}
CA_KEY=${CA_KEY:-cakey.pem}
CA_CERT=${CA_CERT:-cacerts.pem}
CA_DOMAIN=localhost
# ssl相关配置
SSL_CONFIG=${SSL_CONFIG:-$PWD/openssl.cnf}
SSL_DOMAIN=${SSL_DOMAIN:-localhost}
SSL_DATE=${SSL_DATE:-3650}
SSL_SIZE=${SSL_SIZE:-2048}
## 国家代码(2个字母的代号),默认CN;
CN=${CN:-CN}
SSL_KEY=$SSL_DOMAIN.key
SSL_CSR=$SSL_DOMAIN.csr
SSL_CERT=$SSL_DOMAIN.crt
echo -e "\033[32m ---------------------------- \033[0m"
echo -e "\033[32m | 生成 SSL Cert | \033[0m"
echo -e "\033[32m ---------------------------- \033[0m"
if [[ -e ./${CA_KEY} ]]; then
echo -e "\033[32m ====> 1. 发现已存在CA私钥,备份"${CA_KEY}"为"${CA_KEY}"-bak,然后重新创建 \033[0m"
mv ${CA_KEY} "${CA_KEY}"-bak
openssl genrsa -out ${CA_KEY} ${SSL_SIZE}
else
echo -e "\033[32m ====> 1. 生成新的CA私钥 ${CA_KEY} \033[0m"
openssl genrsa -out ${CA_KEY} ${SSL_SIZE}
fi
if [[ -e ./${CA_CERT} ]]; then
echo -e "\033[32m ====> 2. 发现已存在CA证书,先备份"${CA_CERT}"为"${CA_CERT}"-bak,然后重新创建 \033[0m"
mv ${CA_CERT} "${CA_CERT}"-bak
openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}"
else
echo -e "\033[32m ====> 2. 生成新的CA证书 ${CA_CERT} \033[0m"
openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}"
fi
echo -e "\033[32m ====> 3. 生成Openssl配置文件 ${SSL_CONFIG} \033[0m"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM
if [[ -n ${SSL_TRUSTED_IP} || -n ${SSL_TRUSTED_DOMAIN} ]]; then
cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
IFS=","
dns=(${SSL_TRUSTED_DOMAIN})
dns+=(${SSL_DOMAIN})
for i in "${!dns[@]}"; do
echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
done
if [[ -n ${SSL_TRUSTED_IP} ]]; then
ip=(${SSL_TRUSTED_IP})
for i in "${!ip[@]}"; do
echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
done
fi
fi
echo -e "\033[32m ====> 4. 生成服务SSL KEY ${SSL_KEY} \033[0m"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE}
echo -e "\033[32m ====> 5. 生成服务SSL CSR ${SSL_CSR} \033[0m"
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/C=${CN}/CN=${SSL_DOMAIN}" -config ${SSL_CONFIG}
echo -e "\033[32m ====> 6. 生成服务SSL CERT ${SSL_CERT} \033[0m"
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} \
-CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
-days ${SSL_DATE} -extensions v3_req \
-extfile ${SSL_CONFIG}
echo -e "\033[32m ====> 7. 证书制作完成 \033[0m"
echo
echo -e "\033[32m ====> 8. 以YAML格式输出结果 \033[0m"
echo "----------------------------------------------------------"
echo "ca_key: |"
cat $CA_KEY | sed 's/^/ /'
echo
echo "ca_cert: |"
cat $CA_CERT | sed 's/^/ /'
echo
echo "ssl_key: |"
cat $SSL_KEY | sed 's/^/ /'
echo
echo "ssl_csr: |"
cat $SSL_CSR | sed 's/^/ /'
echo
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/ /'
echo
echo -e "\033[32m ====> 9. 附加CA证书到Cert文件 \033[0m"
cat ${CA_CERT} >> ${SSL_CERT}
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/ /'
echo
echo -e "\033[32m ====> 10. 重命名服务证书 \033[0m"
echo "cp ${SSL_DOMAIN}.key tls.key"
cp ${SSL_DOMAIN}.key tls.key
echo "cp ${SSL_DOMAIN}.crt tls.crt"
cp ${SSL_DOMAIN}.crt tls.crt
4.2. 脚本说明#
- 复制以上代码另存为
create_self-signed-cert.sh
或者其他您喜欢的文件名。 - 脚本参数
--ssl-domain: 生成ssl证书需要的主域名,如不指定则默认为www.rancher.local,如果是ip访问服务,则可忽略;
--ssl-trusted-ip: 一般ssl证书只信任域名的访问请求,有时候需要使用ip去访问server,那么需要给ssl证书添加扩展IP,多个IP用逗号隔开;
--ssl-trusted-domain: 如果想多个域名访问,则添加扩展域名(TRUSTED_DOMAIN),多个TRUSTED_DOMAIN用逗号隔开;
--ssl-size: ssl加密位数,默认2048;
--ssl-cn: 国家代码(2个字母的代号),默认CN;
使用案列:
[root@nginx ok]# ./create_self-signed-cert.sh --ssl-domain=jetto.jettech.com --ssl-trusted-domain=jetto.jettech.com --ssl-trusted-ip=172.16.10.21,192.168.1.65,172.16.10.59,172.16.10.33 --ssl-size=2048 --ssl-date=3650
5. 验证证书#
注意: 因为使用的是自签名证书,浏览器会提示证书的颁发机构是未知的。
把生成的 ca 证书和去除密码的私钥文件部署到 web 服务器后,执行以下命令验证:
-
通过 openssl 本地校验,应该返回状态为
ok
[root@nginx ok]# ls
cacerts.pem cakey.pem jetto.jettech.com.crt jetto.jettech.com.key tls.crt
cacerts.srl create_self-signed-cert.sh jetto.jettech.com.csr openssl.cnf tls.key
[root@nginx ok]# openssl verify -CAfile cacerts.pem tls.crt
tls.crt: OK
openssl x509 -in tls.crt -noout -text
执行后查看对应的域名和扩展 iP 是否正确
[root@nginx ok]# openssl x509 -in tls.crt -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
92:75:63:e3:78:e8:61:81
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, CN=localhost
Validity
Not Before: Jan 2 02:57:29 2024 GMT
Not After : Dec 30 02:57:29 2033 GMT
Subject: C=CN, CN=jetto.jettech.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d7:8d:dc:3e:e7:f6:aa:cb:76:86:03:92:9c:a1:
30:f8:4e:94:81:da:3a:3a:86:9d:8e:94:50:df:05:
31:3c:92:a0:86:01:ad:52:54:ff:d8:b0:3e:64:4b:
5c:da:23:e4:1d:d8:86:da:54:3c:d8:3d:78:2c:9b:
09:bf:47:1d:f2:76:4f:7b:c7:3f:55:23:d9:6a:ca:
34:be:81:6e:ae:a2:8f:fd:56:90:fb:45:31:22:1a:
0c:f8:cf:bb:91:9d:d9:dd:d8:ae:6f:e2:49:e6:9f:
04:71:9b:ea:64:94:13:46:a2:aa:05:45:17:48:a6:
ac:9e:db:d0:10:af:17:f1:cd:8e:b8:ce:ec:24:1b:
cd:1f:59:fa:04:a9:81:ce:88:be:9a:53:37:b2:bb:
51:ee:ea:81:76:70:62:f2:5a:0d:8a:d2:40:ce:95:
e0:cb:0c:09:08:a2:7c:50:c1:5b:b1:0d:0a:6d:e5:
46:e2:5f:df:30:c8:94:bc:eb:ed:2e:59:24:3b:04:
35:b7:69:7e:34:53:0d:d2:b1:cd:84:46:38:ae:af:
3f:96:3a:b8:df:7a:cb:ec:06:55:86:20:ad:42:4b:
c5:96:73:2c:bf:31:c8:81:1d:7f:af:49:05:27:8e:
6b:99:a4:86:3e:26:e6:01:4e:21:e3:ef:3d:d6:0f:
7b:bb
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Non Repudiation, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:jetto.jettech.com, DNS:jetto.jettech.com, IP Address:172.16.10.21, IP Address:192.168.1.65, IP Address:172.16.10.59, IP Address:172.16.10.33
Signature Algorithm: sha256WithRSAEncryption
11:72:53:fe:34:c5:9c:e9:85:79:df:68:b2:1f:e0:a9:db:cd:
d6:72:ca:ed:07:bd:10:b6:11:9c:f5:ce:81:e2:54:ed:6e:5b:
77:a1:9f:d5:8c:40:80:73:21:54:31:a1:f0:b2:e2:37:dd:e5:
14:3d:f1:87:ee:fa:69:ac:8a:05:f4:32:ab:04:fb:0d:d5:b9:
7b:d3:cc:84:47:89:b6:27:45:d5:e0:89:b9:a9:c5:14:36:ed:
d2:5b:f0:20:96:7e:8c:8e:87:fe:e9:71:08:18:d1:f9:6f:30:
91:d9:ba:eb:7f:f7:32:f1:94:dd:5b:bf:02:bd:cb:51:99:b2:
43:51:d0:ae:69:d7:1f:f5:ec:a3:e6:98:1d:2d:8c:07:78:3e:
23:0b:73:fb:25:41:61:fb:88:bf:a1:f2:92:ed:50:48:47:f2:
37:a8:67:c6:0b:db:05:24:1d:38:4e:97:d7:51:06:1e:5f:09:
d9:04:77:20:79:63:43:45:a6:b9:c2:f6:92:ae:fd:26:e7:0f:
15:27:91:ee:96:e1:90:0f:3b:00:62:d5:6d:29:17:cd:95:45:
06:af:92:a8:9f:ed:8e:c1:7b:67:1b:de:4b:45:eb:94:a3:4f:
8e:f1:bc:2a:3c:dd:aa:93:13:33:15:03:fe:95:30:54:7b:45:
7a:2b:a0:cd
- 不加 CA 证书验证
[root@nginx ok]# openssl s_client -connect jetto.jettech.com:443 -servername jetto.jettech.com
socket: Bad file descriptor
connect:errno=9
次错误是由于服务没有启动,启动nginx服务且配置ssl
[root@nginx nginx]# cat nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 4096;
include /etc/nginx/mime.types;
default_type application/octet-stream;
upstream rancher_servers_http {
least_conn;
server 192.168.99.189:80 max_fails=3 fail_timeout=5s;
}
server {
listen 80;
listen [::]:80;
server_name jetto.jettech.com;
location / {
proxy_pass http://rancher_servers_http;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name jetto.jettech.com;
ssl_certificate "/home/wubo/rancher/cert/ok/tls.crt";
ssl_certificate_key "/home/wubo/rancher/cert/ok/tls.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://rancher_servers_http;
}
}
}
再次执行:
[root@nginx ok]# openssl s_client -connect jetto.jettech.com:443 -servername jetto.jettech.com
CONNECTED(00000003)
depth=1 C = CN, CN = localhost
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/C=CN/CN=jetto.jettech.com
i:/C=CN/CN=localhost
1 s:/C=CN/CN=localhost
i:/C=CN/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIJAJJ1Y+N46GGBMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
BAYTAkNOMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjQwMTAyMDI1NzI5WhcNMzMx
MjMwMDI1NzI5WjApMQswCQYDVQQGEwJDTjEaMBgGA1UEAwwRamV0dG8uamV0dGVj
aC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXjdw+5/aqy3aG
A5KcoTD4TpSB2jo6hp2OlFDfBTE8kqCGAa1SVP/YsD5kS1zaI+Qd2IbaVDzYPXgs
mwm/Rx3ydk97xz9VI9lqyjS+gW6uoo/9VpD7RTEiGgz4z7uRndnd2K5v4knmnwRx
m+pklBNGoqoFRRdIpqye29AQrxfxzY64zuwkG80fWfoEqYHOiL6aUzeyu1Hu6oF2
cGLyWg2K0kDOleDLDAkIonxQwVuxDQpt5UbiX98wyJS86+0uWSQ7BDW3aX40Uw3S
sc2ERjiurz+WOrjfesvsBlWGIK1CS8WWcyy/MciBHX+vSQUnjmuZpIY+JuYBTiHj
7z3WD3u7AgMBAAGjgYMwgYAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0l
BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEcGA1UdEQRAMD6CEWpldHRvLmpldHRl
Y2guY29tghFqZXR0by5qZXR0ZWNoLmNvbYcErBAKFYcEwKgBQYcErBAKO4cErBAK
ITANBgkqhkiG9w0BAQsFAAOCAQEAEXJT/jTFnOmFed9osh/gqdvN1nLK7Qe9ELYR
nPXOgeJU7W5bd6Gf1YxAgHMhVDGh8LLiN93lFD3xh+76aayKBfQyqwT7DdW5e9PM
hEeJtidF1eCJuanFFDbt0lvwIJZ+jI6H/ulxCBjR+W8wkdm663/3MvGU3Vu/Ar3L
UZmyQ1HQrmnXH/Xso+aYHS2MB3g+Iwtz+yVBYfuIv6Hyku1QSEfyN6hnxgvbBSQd
OE6X11EGHl8J2QR3IHljQ0WmucL2kq79JucPFSeR7pbhkA87AGLVbSkXzZVFBq+S
qJ/tjsF7ZxveS0XrlKNPjvG8KjzdqpMTMxUD/pUwVHtFeiugzQ==
-----END CERTIFICATE-----
subject=/C=CN/CN=jetto.jettech.com
issuer=/C=CN/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2339 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 60F07007FE335A3F64723F91A7C7141BED0A9877306264554FAD006C598C4B93
Session-ID-ctx:
Master-Key: FA55E587A368FC67E6330CCA9BF43EE463A7D721D3ED6195BE40D2FEB310E3261C095B1AFF910CFD21198DF9200D9D1B
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - 84 8b eb 52 3d 31 df 8c-d3 f8 03 72 88 cb 5f d6 ...R=1.....r.._.
0010 - 44 3f 3a 2a 3c e4 b7 ad-53 8b 05 92 de 44 b6 51 D?:*<...S....D.Q
0020 - 48 60 79 f4 7a 42 a2 8f-92 94 08 27 78 14 8e 1c H`y.zB.....'x...
0030 - a8 2b e7 6f 04 46 26 cb-cd b4 b0 90 7b a8 70 44 .+.o.F&.....{.pD
0040 - d2 5a 60 67 56 0b 05 b4-53 26 b7 32 42 ae 8f 87 .Z`gV...S&.2B...
0050 - 24 65 99 85 02 4c 30 0a-a3 cb f6 2d f3 e8 84 3a $e...L0....-...:
0060 - fe 5f e7 13 9c 4d 2c 53-fc 7d 24 26 73 65 51 88 ._...M,S.}$&seQ.
0070 - 80 43 3e d3 71 f3 95 6f-ea 47 4c e7 a8 67 a8 33 .C>.q..o.GL..g.3
0080 - 0f 81 30 cb f2 33 cb 89-1f 5f c7 5d d1 d4 65 05 ..0..3..._.]..e.
0090 - 16 1d c4 de cc 49 cc 55-dd 27 58 62 34 0f 6a 05 .....I.U.'Xb4.j.
00a0 - 22 51 bf 17 b0 73 7f 19-64 04 80 2e f8 cd fc 7b "Q...s..d......{
00b0 - 0b be bc 74 7c e9 e5 a0-bc 82 d5 c8 8f 1d 1e 79 ...t|..........y
Start Time: 1704175421
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
有错误:depth=1 C = CN, CN = localhost
verify error:num=19:self signed certificate in certificate chain
- 添加 CA 证书验证:
[root@nginx ok]# openssl s_client -connect jetto.jettech.com:443 -servername jetto.jettech.com -CAfile cacerts.pem CONNECTED(00000003) depth=1 C = CN, CN = localhost verify return:1 depth=0 C = CN, CN = jetto.jettech.com verify return:1 --- Certificate chain 0 s:/C=CN/CN=jetto.jettech.com i:/C=CN/CN=localhost 1 s:/C=CN/CN=localhost i:/C=CN/CN=localhost --- Server certificate -----BEGIN CERTIFICATE----- MIIDUTCCAjmgAwIBAgIJAJJ1Y+N46GGBMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV BAYTAkNOMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjQwMTAyMDI1NzI5WhcNMzMx MjMwMDI1NzI5WjApMQswCQYDVQQGEwJDTjEaMBgGA1UEAwwRamV0dG8uamV0dGVj aC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXjdw+5/aqy3aG A5KcoTD4TpSB2jo6hp2OlFDfBTE8kqCGAa1SVP/YsD5kS1zaI+Qd2IbaVDzYPXgs mwm/Rx3ydk97xz9VI9lqyjS+gW6uoo/9VpD7RTEiGgz4z7uRndnd2K5v4knmnwRx m+pklBNGoqoFRRdIpqye29AQrxfxzY64zuwkG80fWfoEqYHOiL6aUzeyu1Hu6oF2 cGLyWg2K0kDOleDLDAkIonxQwVuxDQpt5UbiX98wyJS86+0uWSQ7BDW3aX40Uw3S sc2ERjiurz+WOrjfesvsBlWGIK1CS8WWcyy/MciBHX+vSQUnjmuZpIY+JuYBTiHj 7z3WD3u7AgMBAAGjgYMwgYAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0l BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEcGA1UdEQRAMD6CEWpldHRvLmpldHRl Y2guY29tghFqZXR0by5qZXR0ZWNoLmNvbYcErBAKFYcEwKgBQYcErBAKO4cErBAK ITANBgkqhkiG9w0BAQsFAAOCAQEAEXJT/jTFnOmFed9osh/gqdvN1nLK7Qe9ELYR nPXOgeJU7W5bd6Gf1YxAgHMhVDGh8LLiN93lFD3xh+76aayKBfQyqwT7DdW5e9PM hEeJtidF1eCJuanFFDbt0lvwIJZ+jI6H/ulxCBjR+W8wkdm663/3MvGU3Vu/Ar3L UZmyQ1HQrmnXH/Xso+aYHS2MB3g+Iwtz+yVBYfuIv6Hyku1QSEfyN6hnxgvbBSQd OE6X11EGHl8J2QR3IHljQ0WmucL2kq79JucPFSeR7pbhkA87AGLVbSkXzZVFBq+S qJ/tjsF7ZxveS0XrlKNPjvG8KjzdqpMTMxUD/pUwVHtFeiugzQ== -----END CERTIFICATE----- subject=/C=CN/CN=jetto.jettech.com issuer=/C=CN/CN=localhost --- No client certificate CA names sent Peer signing digest: SHA256 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 2339 bytes and written 441 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 95FE938078066FABC655FB417B9BA69E250EAACF2F7778AC8764044D5006AE5A Session-ID-ctx: Master-Key: 741A656493A66E006BB21504DE4E6C32E5B4D8A251149438B1ACCDE235FC1C3069B15F4BF28A190381B15EF2C9F690BA Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 600 (seconds) TLS session ticket: 0000 - 84 8b eb 52 3d 31 df 8c-d3 f8 03 72 88 cb 5f d6 ...R=1.....r.._. 0010 - 31 09 68 8f 35 10 82 f9-c2 b4 61 91 dd 95 36 11 1.h.5.....a...6. 0020 - 2d 8e 2d 5f 85 8a c4 cb-64 f6 a1 ac 1d 8e e9 4f -.-_....d......O 0030 - 26 79 03 c0 fa f1 58 44-28 52 00 d5 1e e5 f5 27 &y....XD(R.....' 0040 - 1f e6 d7 fe e2 38 7d 0d-fa 0a f2 5d 38 c5 36 75 .....8}....]8.6u 0050 - 94 a5 77 08 79 95 37 45-b7 e7 ba 38 79 00 42 db ..w.y.7E...8y.B. 0060 - 3b 54 aa db e9 9c 07 b2-80 74 dc 21 b7 41 31 c3 ;T.......t.!.A1. 0070 - cd a3 46 68 3f 84 0f 91-1f ae 74 35 d6 8d 88 06 ..Fh?.....t5.... 0080 - 42 07 2a 14 67 52 f4 bd-db 0a 13 08 49 b3 d9 bd B.*.gR......I... 0090 - 7c f9 1d b0 45 5d d3 85-c9 82 c6 5a dc 35 f4 5a |...E].....Z.5.Z 00a0 - 8e ec f0 cc 78 da 3e 90-7d 7f 96 66 1d dd 5d 03 ....x.>.}..f..]. 00b0 - 0b 51 f6 ff f9 77 a5 5d-75 e5 73 0c 30 e7 ae 11 .Q...w.]u.s.0... Start Time: 1704175560 Timeout : 300 (sec) Verify return code: 0 (ok) ---