在 Node JS 中为 WebSocket (ws) 使用自签名 CA 证书
[英]Using a Self-Signed CA Certificate for WebSocket (ws) in Node JS
问题描述
I need to use the ws client in Node JS to connect to a separate WebSocket server.
我需要使用 Node JS 中的ws客户端连接到单独的 WebSocket 服务器。
I am able to connect using a sample program in my Chrome since I installed my Self-Signed Root CA in the Trusted Root Certification Authorities Store on my machine.因为我在我的机器上的受信任的根证书颁发机构商店中安装了我的自签名根 CA,所以我能够在我的 Chrome 中使用示例程序进行连接。
I know that Node JS uses a hard coded list of Root CAs (stupid), but I was hoping there was some way I could import my own.我知道 Node JS 使用根 CA 的硬编码列表(愚蠢),但我希望有某种方法可以导入我自己的 CA。
I tried:我试过:
export NODE_EXTRA_CA_CERTS=C:\\Users\\IT1\\Documents\\security\\rootCA.pem
- using the ssl-root-cas library suggested in many forum posts, but I think it may not be applicable here because it doesn't change the https for the ws client that I'm using.使用许多论坛帖子中建议的ssl-root-cas库,但我认为它在这里可能不适用,因为它不会更改我正在使用的 ws 客户端的 https。 (I THINK, I'm spitballing at this point) (我想,此时我正在吐痰)
- using the ca, cert, and key options available for the WebSocket constructor.使用可用于 WebSocket 构造函数的 ca、cert 和 key 选项。
// Using just ca
var test = new WebSocket(uri, {
ca: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.pem")
});
// Using cert and key
var test = new WebSocket(uri, {
cert: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.crt"),
key: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.key")
});
// Using ca, cert and key
var test = new WebSocket(uri, {
ca: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.pem"),
cert: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.crt"),
key: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.key")
});
And NO MATTER WHAT, I always get the following error message:无论如何,我总是收到以下错误消息:
events.js:200
throw er; // Unhandled 'error' event
^
Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
at TLSSocket.emit (events.js:223:5)
at TLSSocket._finishInit (_tls_wrap.js:794:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)
Emitted 'error' event on WebSocket instance at:
at ClientRequest.<anonymous> (C:\Users\IT1\source\repos\WebSocketTest\WebSocketTest\node_modules\ws\lib\websocket.js:554:15)
at ClientRequest.emit (events.js:223:5)
at TLSSocket.socketErrorListener (_http_client.js:406:9)
at TLSSocket.emit (events.js:223:5)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:81:21) {
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}
Also, I cannot use rejectUnauthorized: true .另外,我不能使用rejectUnauthorized: true 。 I need it to be authorized, so please don't suggest that as a solution.我需要它被授权,所以请不要建议将其作为解决方案。
Please help, I'm really scratching my head on this one.请帮忙,我真的在摸不着头脑。
1 个解决方案
解决方案1
1 已采纳 2020-01-23 14:47:11
After almost a day or two of scratching my head, I decided to verify the certificates in OpenSSL.经过近一两天的摸索,我决定验证 OpenSSL 中的证书。 It turned out that the certificate was using a different encryption algorithm (SHA 256 vs. DES3 or something like that).结果证明该证书使用了不同的加密算法(SHA 256 与 DES3 或类似的算法)。 The reason that it worked fine in the browser is because I already installed a different certificate for that domain earlier.它在浏览器中运行良好的原因是我之前已经为该域安装了不同的证书。
Moral of the story:故事的道德启示:
- ALWAYS test your SSL certificates with OpenSSL before trying to use them in your code.在尝试在代码中使用 SSL 证书之前,请始终使用 OpenSSL 测试它们。 OpenSSL will always present a LOT more information about why your certificate isn't working than NodeJS, Java or any runtime environment.与 NodeJS、Java 或任何运行时环境相比,OpenSSL 将始终提供更多有关为什么您的证书不起作用的信息。
- Remove all certificates for a domain from your trusted root store before testing a Root Certificate.在测试根证书之前,从受信任的根存储中删除域的所有证书。
- I was following tutorials online about generating a Self-Signed Root CA in Windows, and the tutorials I found did not offer a lot of information about what I was doing, more so "this is how you do it".我在网上学习了关于在 Windows 中生成自签名根 CA 的教程,我发现的教程没有提供很多关于我在做什么的信息,更多的是“这就是你怎么做的”。 This is where I went wrong because I was following a couple of tutorials and combining the info to find a solution.这是我出错的地方,因为我遵循了几个教程并结合信息来找到解决方案。 This meant I generated a root certificate and private key using one tutorial and then signed other certificates using another tutorial (which specified a different algorithm, but did NOT explain that the algorithms must match for the root CA and the signed certificate).这意味着我使用一个教程生成了一个根证书和私钥,然后使用另一个教程签署了其他证书(指定了不同的算法,但没有说明算法必须与根 CA 和签名证书匹配)。
- It helps to have a decent understanding of how SSL and Root Certificates work before diving into making a Self-Signed root CA.在深入制作自签名根 CA 之前,它有助于对 SSL 和根证书的工作方式有一个很好的了解。 Not from a technical perspective, but from the perspective of why there are Root CAs, how they're used in the real world, and how it applies to your application as a developer.不是从技术角度,而是从为什么存在根 CA、它们在现实世界中的使用方式以及它作为开发人员如何应用于您的应用程序的角度来看。 I found this article extremely helpful. 我发现这篇文章非常有帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.