实施 letsencrypt 服务器证书的混合结果
Mixed results implementing letsencrypt server cert
总结:
为什么 macOS curl 可以获取我的 letsencrypt 服务,但其他 tools/OS 无法验证证书?
我在 Ubuntu 18.04 机器上使用 letsencrypt 证书 运行 在龙卷风中实现了一个小型 REST 服务。我这样设置我的服务器:
sslContext = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
certFile = '/etc/letsencrypt/live/my.server.com/cert.pem'
keyFile = '/etc/letsencrypt/live/my.server.com/privkey.pem'
sslContext.load_cert_chain(certFile, keyFile)
server = tornado.httpserver.HTTPServer(app, ssl_options=sslContext)
当我在 MacBookPro 上使用 curl -v 时,一切看起来不错:
curl -v https://my.server.com:8899/rest
* Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=my.server.com
* start date: Jan 26 15:27:27 2019 GMT
* expire date: Apr 26 15:27:27 2019 GMT
* subjectAltName: host "my.server.com" matched cert's "my.server.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
但是当我在不同的 Ubuntu 机器上尝试同样的操作时(实际上是 2 个,以及两个 Debian buster/testing 机器),我得到错误:
curl -v https://my.server.com:8899/rest
* Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
我的目标是使用 python requests 模块来查询这个 API,但我没能在任何地方使用它,包括 macOS 盒子。即使我从 certifi 来源复制了最新的 cacert.pem。
需要注意的是README文件中的这些注释:
fullchain.pem: the certificate file used in most server software.
和
cert.pem: will break many server configurations, and should not be
used without reading further documentation (see link below).
底线。使用 fullchain.pem
总结:
为什么 macOS curl 可以获取我的 letsencrypt 服务,但其他 tools/OS 无法验证证书?
我在 Ubuntu 18.04 机器上使用 letsencrypt 证书 运行 在龙卷风中实现了一个小型 REST 服务。我这样设置我的服务器:
sslContext = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
certFile = '/etc/letsencrypt/live/my.server.com/cert.pem'
keyFile = '/etc/letsencrypt/live/my.server.com/privkey.pem'
sslContext.load_cert_chain(certFile, keyFile)
server = tornado.httpserver.HTTPServer(app, ssl_options=sslContext)
当我在 MacBookPro 上使用 curl -v 时,一切看起来不错:
curl -v https://my.server.com:8899/rest
* Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=my.server.com
* start date: Jan 26 15:27:27 2019 GMT
* expire date: Apr 26 15:27:27 2019 GMT
* subjectAltName: host "my.server.com" matched cert's "my.server.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
但是当我在不同的 Ubuntu 机器上尝试同样的操作时(实际上是 2 个,以及两个 Debian buster/testing 机器),我得到错误:
curl -v https://my.server.com:8899/rest
* Trying aa.bb.cc.dd...
* TCP_NODELAY set
* Connected to my.server.com (aa.bb.cc.dd) port 8899 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
我的目标是使用 python requests 模块来查询这个 API,但我没能在任何地方使用它,包括 macOS 盒子。即使我从 certifi 来源复制了最新的 cacert.pem。
需要注意的是README文件中的这些注释:
fullchain.pem: the certificate file used in most server software.
和
cert.pem: will break many server configurations, and should not be used without reading further documentation (see link below).
底线。使用 fullchain.pem