我正在运行nginx,我想代理另一个https主机并验证它的证书。我创建了一个CA证书,为代理主机创建了一个证书,并用CA对其进行了签名。CA证书已添加到服务器的根证书中。
我的nginx配置如下:
proxy_ssl_verify_depth 1; # tried 0,1,2,3
proxy_ssl_trusted_certificate /etc/nginx/ca.pem;
proxy_ssl_verify on;
请求完成后,nginx日志返回:
[error] 26578#26578: *2 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream
运行openssl s_client -connect 1.1.1.1:8000返回:
CONNECTED(00000003)
depth=1 C = CY, ST = CY, L = CY, O = TEST.TEST, CN = TEST.TEST, emailAddress = admin@test.test
verify return:1
depth=0 C = CY, ST = CY, L = CY, O = TEST.TEST, OU = TEST.TEST, CN = 1.1.1.1
verify return:1
---
Certificate chain
0 s:/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
i:/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin@test.test
---
Server certificate
-----BEGIN CERTIFICATE-----
.... cer
-----END CERTIFICATE-----
subject=/C=CY/ST=CY/L=CY/O=TEST.TEST/OU=test.test/CN=1.1.1.1
issuer=/C=CY/ST=CY/L=CY/O=TEST.TEST/CN=test.test/emailAddress=admin@test.test
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1491 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 94195986FED8C203B09C6A3870DC8B972A6FB3C98D69868CFAF9C4BFC2B7A714
Session-ID-ctx:
Master-Key: D804526744415E7E6C3E0AFBAF4F5BB3B6315BE8785C46FCF7AA232A31E6D7C780E7A8D4B8413BE8D1F1758CF8DD8FE8
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 0a 5f b9 15 a5 78 d0 6c-32 24 77 3b 16 7a 10 75 ._...x.l2$w;.z.u
0010 - 76 ed 08 18 8b 23 a8 15-24 3f eb 83 d8 6e 56 d6 v....#..$?...nV.
0020 - 98 13 c2 36 62 35 17 42-b4 f9 e9 f7 99 50 14 77 ...6b5.B.....P.w
0030 - 8b a3 e6 b5 2f ef ca af-7d 25 7c d8 7e b8 3a 96 ..../...}%|.~.:.
0040 - 11 87 b2 e2 0a d6 de b6-60 75 c5 4a 58 57 8b 1b ........`u.JXW..
0050 - 73 6d 36 c6 9f 6a ec 31-71 2d 02 ad 50 45 8a 14 sm6..j.1q-..PE..
0060 - 01 c1 6c 4a 2f 46 9b cb-e6 4c 09 97 17 fa 46 f4 ..lJ/F...L....F.
0070 - 29 e6 a5 cb a7 37 fb 31-b3 a0 d7 55 ac cb fd 59 )....7.1...U...Y
0080 - 42 a5 7b 45 9a 53 24 90-52 8c 8e 1c eb c4 db f9 B.{E.S$.R.......
0090 - 27 04 b9 7e ba 0a 2d 9e-3b 92 67 ec 42 d6 69 78 '..~..-.;.g.B.ix
Start Time: 1527255600
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
在此结果中,IP /证书名称被虚拟版本替换。
curl https://1.1.1.1也可以正常工作。
我一直在阅读谷歌搜索并检查所有类似的stackoverflow问题,但是所提出的修复措施似乎都无法解决这个问题。
| 归档时间: |
|
| 查看次数: |
1269 次 |
| 最近记录: |