Cannot set up an HTTPS server in Express
I am trying to set up my express app to use https. This is what I have so far:
var fs = require('fs');
var http = require('http');
var https = require('https');
var app = require('./app');

var port = process.env.PORT || 8080;

var credentials = {
  key: fs.readFileSync('./ssl/private_key.pem', 'utf8'),
  cert: fs.readFileSync('./ssl/certificate.pem', 'utf8'),
  // Intermediate certificates. Note: in Node's tls options `ca` is the list of
  // CAs trusted when verifying a peer; the documented place for intermediates
  // is appended to `cert`, after the server certificate, in order.
  ca: [
    fs.readFileSync('./ssl/certificate_chain_1.pem', 'utf8'),
    fs.readFileSync('./ssl/certificate_chain_2.pem', 'utf8')
  ]
};

// https.createServer takes (options, requestListener); a third argument is
// ignored, so the startup message belongs in the listen callback instead.
https.createServer(credentials, app).listen(port, function () {
  console.log('HTTPS server started on port ' + port + '...');
});
When I run curl -k -v -I https://127.0.0.1:8080, I get this:
* Rebuilt URL to: https://127.0.0.1:8080/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: *.hiwarren.com
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:8080
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 14
Content-Length: 14
< Date: Wed, 15 Apr 2015 19:32:28 GMT
Date: Wed, 15 Apr 2015 19:32:28 GMT
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host 127.0.0.1 left intact
And when I run OpenSSL s_client -connect 127.0.0.1:8080/ I get this error:
MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 957E02E1D64D1F1E0ADBF4369057DD56B5FBE5A66269686DD590DF4D3B9A3D8C
    Session-ID-ctx:
    Master-Key: 0B531BBFE5AA8AACEFC99749CD696926956419FFD61F7CCAF6E94C7574F6ECCEA31098D236E51F800F690D508E700444
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1429126474
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
I was able to fix error 20 when I ran the same command with the root certificate, like this: OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem.
So, this is my new output:
MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.hiwarren.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: CFD47EDA05B183790D25B32295550DB4DF74C483F3B1FEACD76C39548254FD9C
    Session-ID-ctx:
    Master-Key: DE16062EE238F854A4578F2E0F8FBE6874AF8550086E61C1D50EF3FBDB04F42355A6BD2072B8216B68477516E7F034C5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    ...
    Start Time: 1429126610
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
So I think the client needs to send this root_certificate somehow in order for it to work, but I don't know how the client sends it.
Has anyone been through this? What should I do?
curl -k -v -I https://127.0.0.1:8080
...
openssl s_client -connect 127.0.0.1:8080
...
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
....
CAs no longer issue certificates for IP addresses. And they have not issued certificates for RFC 1918 addresses (like 127.0.0.1) for years.
You need to fix the certificate or fix the name resolution. First, fix it by including names like localhost and 127.0.0.1 in the certificate's subjectAlternateName (SAN).
Or, fix it by making the name used in the certificate reach the server. You can do that by playing tricks with your local hosts file or DNS.
unable to get local issuer certificate
Be sure to set the root certificate. The root certificate is AddTrust External CA Root.
Make sure the chain is being sent with the server certificate. Here, the chain is all the intermediate certificates less the root. You must have the root certificate and trust it.
I don't know what the exact problem is.
I was able to fix error 20 when I ran the same command with the root certificate, like this: OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem.
So I think the client needs to send this root_certificate somehow in order for it to work, but I don't know how the client sends it.
When you supply the root certificate, error 20 goes away. That is because the client can successfully verify (verify return code 0 (OK)) the server's certificate using the supplied CAfile.
When you don't supply the root certificate, the client does not know who the server is. It cannot verify the server's credentials. Hence error 20.
The client does not send the root certificate to the server. How do you come to have it? You are expected to know and possess the publicly trusted CA certificates. (For example, your browser is preloaded with a set of well-known CA certificates, so you can connect to any well-known site over HTTPS.)