[英]Using a Self-Signed CA Certificate for WebSocket (ws) in Node JS
I need to use the ws client in Node JS to connect to a separate WebSocket server.我需要使用 Node JS 中的ws客户端连接到单独的 WebSocket 服务器。
I am able to connect using a sample program in my Chrome since I installed my Self-Signed Root CA in the Trusted Root Certification Authorities Store on my machine.因为我在我的机器上的受信任的根证书颁发机构商店中安装了我的自签名根 CA,所以我能够在我的 Chrome 中使用示例程序进行连接。
I know that Node JS uses a hard coded list of Root CAs (stupid), but I was hoping there was some way I could import my own.我知道 Node JS 使用根 CA 的硬编码列表(愚蠢),但我希望有某种方法可以导入我自己的 CA。
I tried:我试过:
export NODE_EXTRA_CA_CERTS=C:\\Users\\IT1\\Documents\\security\\rootCA.pem
// Using just ca
var test = new WebSocket(uri, {
ca: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.pem")
});
// Using cert and key
var test = new WebSocket(uri, {
cert: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.crt"),
key: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.key")
});
// Using ca, cert and key
var test = new WebSocket(uri, {
ca: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.pem"),
cert: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.crt"),
key: fs.readFileSync("C:\\Users\\IT1\\Documents\\security\\rootCA.key")
});
And NO MATTER WHAT, I always get the following error message:无论如何,我总是收到以下错误消息:
events.js:200
throw er; // Unhandled 'error' event
^
Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1321:34)
at TLSSocket.emit (events.js:223:5)
at TLSSocket._finishInit (_tls_wrap.js:794:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:608:12)
Emitted 'error' event on WebSocket instance at:
at ClientRequest.<anonymous> (C:\Users\IT1\source\repos\WebSocketTest\WebSocketTest\node_modules\ws\lib\websocket.js:554:15)
at ClientRequest.emit (events.js:223:5)
at TLSSocket.socketErrorListener (_http_client.js:406:9)
at TLSSocket.emit (events.js:223:5)
at emitErrorNT (internal/streams/destroy.js:92:8)
at emitErrorAndCloseNT (internal/streams/destroy.js:60:3)
at processTicksAndRejections (internal/process/task_queues.js:81:21) {
code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}
Also, I cannot use rejectUnauthorized: true
.另外,我不能使用rejectUnauthorized: true
。 I need it to be authorized, so please don't suggest that as a solution.我需要它被授权,所以请不要建议将其作为解决方案。
Please help, I'm really scratching my head on this one.请帮忙,我真的在摸不着头脑。
After almost a day or two of scratching my head, I decided to verify the certificates in OpenSSL.经过近一两天的摸索,我决定验证 OpenSSL 中的证书。 It turned out that the certificate was using a different encryption algorithm (SHA 256 vs. DES3 or something like that).结果证明该证书使用了不同的加密算法(SHA 256 与 DES3 或类似的算法)。 The reason that it worked fine in the browser is because I already installed a different certificate for that domain earlier.它在浏览器中运行良好的原因是我之前已经为该域安装了不同的证书。
Moral of the story:故事的道德启示:
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.