
Self-Signed Certificate private key values mismatch

I get an error when trying to make requests to a web page that uses a self-signed certificate.

Here is how I create my self-signed certificate:

#!/usr/bin/env bash -x
#
day=300
server="domain.tld"
path_build="domain"
openssl_conf="openssl.cnf"
cd $path_build

# Create CA self-signed certificate
# (assumes private/rootCA.key already exists; it is not generated by this script)
openssl req -config $openssl_conf -new -x509 -subj "/C=COUNTRY/L=Town/O=domain CA/CN=$server" -days $day -key private/rootCA.key -out certs/rootCA.crt
# Server Side
# Create private key for the domain server
openssl genrsa -des3 -passout pass:qwerty -out private/${server}.key 2048
# Remove passphrase
openssl rsa -passin pass:qwerty -in private/${server}.key -out private/${server}.key

# Create CSR for the domain server
openssl req -config $openssl_conf -new -subj "/C=COUNTRY/L=Town/O=domain/CN=$server" -key private/${server}.key -out csr/${server}.csr
# Create certificate for the domain server, signed by the CA
openssl ca -batch -config $openssl_conf -days $day -in csr/${server}.csr -out certs/${server}.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Then I create my client certificate:

#!/usr/bin/env bash -x
path_build="domain"
day=300
CN="client"
openssl_conf="openssl.cnf"

cd $path_build
# Create private key for a client
openssl genrsa -des3 -passout pass:qwerty -out private/${CN}.key 2048

# Remove passphrase
openssl rsa -passin pass:qwerty -in private/${CN}.key -out private/${CN}.key

# Create CSR for the client.
openssl req -config $openssl_conf -new -subj "/C=COUNTRY/L=Town/O=domain/CN=$CN" -key private/${CN}.key -out csr/${CN}.csr

# Create client certificate.
openssl ca -batch -config $openssl_conf -days $day -in csr/${CN}.csr -out certs/${CN}.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

# Export the client certificate to pkcs12 for import in the browser
openssl pkcs12 -export -passout pass:toto -in certs/${CN}.crt -inkey private/${CN}.key -certfile certs/rootCA.crt -out certs/${CN}cert.p12

So I end up with:

ls domain/certs domain/private domain/csr
  domain/certs/:
    domain.crt client.crt clientcert.p12 rootCA.crt

  domain/csr:
    domain.csr client.csr

  domain/private/:
    domain.key client.key rootCA.key

Then I copy the server-side and client-side certificates:

Server side: cat /etc/apache2/sites-enabled/default.conf

<VirtualHost *:443>
ServerAlias domain.tld
ServerName domain.tld

WSGIDaemonProcess daemon user=user group=group threads=5
WSGIScriptAlias / /home/user/current/apache/preprod.wsgi
WSGIPassAuthorization On
SSLEngine On
SSLCertificateFile /home/user/current/apache/certs/domain.crt
SSLCertificateKeyFile /home/user/current/apache/certs/domain.key

  <Directory /home/user/current/apache>
    Require all granted
      WSGIProcessGroup procsGroup
      WSGIApplicationGroup %{GLOBAL}
      Order deny,allow
      Allow from all
  </Directory>
</VirtualHost>

Then on the client side:

#!/usr/bin/env python
import requests
import urllib3.contrib.pyopenssl
urllib3.contrib.pyopenssl.inject_into_urllib3()

_certfile = "certs/rootCA.crt"
_private_key = "certs/client.key"
_client_cert = "certs/client.crt"
username="user"
password="pass"
url='https://domain.tld/api/1.0/bob/create'

r =  requests.post(url, auth=(username, password), params={}, verify=_client_cert, cert=(_certfile, _private_key))

And here is what I get:

Traceback (most recent call last):
  File "codes_generation.py", line 167, in <module>
    print(request(""))
  File "codes_generation.py", line 74, in request
    r =  requests.post(url, auth=(username, password), params=order, verify=_client_cert, cert=(_certfile, _private_key))
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/api.py", line 107, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 784, in _validate_conn
    conn.connect()
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 277, in ssl_wrap_socket
    ctx.use_privatekey_file(keyfile)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/SSL.py", line 665, in use_privatekey_file
    self._raise_passphrase_exception()
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/SSL.py", line 640, in _raise_passphrase_exception
    _raise_current_error()
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]

When I try to access it in the browser I get a warning about the self-signed certificate (which is normal and expected), but when I try to use the requests library in Python it does not work. (Using Python 2.7)

I am not good with certificates at all, and I think I may simply be putting the wrong file in the wrong place, because I do not really understand what each of the files is for.

So I am trying to understand how self-signed certificates work and where the problem is. If you have any resources on this I would appreciate it, because every link about self-signed certificates I have been browsing is rarely clear.

So I found where the problem was: I was using the wrong files:

_certfile = "certs/domain.crt"
_private_key = "certs/domain.key"
_client_cert = "certs/rootCA.crt"

And this works:

_certfile = "certs/client.crt"
_private_key = "certs/client.key"
_client_cert = "certs/rootCA.crt"

But I still do not understand certificates. I know they are used in pairs, but why do the domain files and the client files both work for the client?

So if you have documentation that is clear enough, I would be glad!

Thanks everyone
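The "key values mismatch" in the traceback is OpenSSL's X509_check_private_key complaining that the certificate passed as the first element of cert= (rootCA.crt) does not contain the public key that belongs to the private key passed as the second element (client.key). The following shell script is an added example, not part of the original post: it builds a throwaway CA, a server certificate and a client certificate in a temporary directory (constructed sample data; the names rootCA, domain and client are hypothetical and just mirror the layout in the question), then checks each (certificate, key) pair the way a client would hand it to requests, and checks which certificate is the right one to pass as verify=. Running these two checks before wiring files into a client or an Apache vhost turns a vague TLS error into a precise answer about which file is wrong.

```shell
#!/bin/sh
# Added diagnostic example (not the poster's code): which key belongs to which
# certificate, and which CA issued it. Requires the openssl command-line tool.
set -eu

# Return 0 if the public key embedded in CERT equals the public key derived
# from KEY. This is the same comparison OpenSSL makes in X509_check_private_key.
key_matches_cert() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT was issued (signed) by the CA certificate CA, i.e. CA is the
# right file to pass as verify= / SSLCACertificateFile.
issued_by() {
  ca="$1"; cert="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Constructed sample data: a self-signed CA plus a server and a client
# certificate signed by it, in a temp dir that is removed on exit.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=rootCA" \
  -keyout "$DEMO/rootCA.key" -out "$DEMO/rootCA.crt" 2>/dev/null
for name in domain client; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$DEMO/$name.key" -out "$DEMO/$name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$DEMO/$name.csr" \
    -CA "$DEMO/rootCA.crt" -CAkey "$DEMO/rootCA.key" -CAcreateserial \
    -out "$DEMO/$name.crt" 2>/dev/null
done

# Print a verdict for a (cert, key) pair as it would be given to requests' cert=.
report_pair() {
  if key_matches_cert "$1" "$2"; then
    echo "OK       cert=$1 key=$2"
  else
    echo "MISMATCH cert=$1 key=$2  (this is the 'key values mismatch' error)"
  fi
}

report_pair "$DEMO/client.crt" "$DEMO/client.key"   # the working combination
report_pair "$DEMO/rootCA.crt" "$DEMO/client.key"   # the failing combination from the question
report_pair "$DEMO/domain.crt" "$DEMO/domain.key"   # the server's own pair, for Apache

if issued_by "$DEMO/rootCA.crt" "$DEMO/client.crt"; then
  echo "client.crt was issued by rootCA.crt: pass rootCA.crt as verify=, not the client cert"
fi
```

The rule the output makes visible: cert= takes the pair (your own certificate, its private key), verify= takes the CA certificate that signed the peer's certificate. The server side is symmetric: SSLCertificateFile and SSLCertificateKeyFile take the server pair, and the CA certificate would go in SSLCACertificateFile if the vhost were configured to require client certificates.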
