
Self-Signed Certificate private key values mismatch

I get an error when I try to make a request to a web page using a self-signed certificate.

This is how I create my self-signed certificate:

#!/usr/bin/env bash
# "#!/usr/bin/env bash -x" only works on macOS (Linux env sees "bash -x" as one
# program name), so tracing is enabled with set -x instead; -e stops on the first failure.
set -ex
day=300
server="domain.tld"
path_build="domain"
openssl_conf="openssl.cnf"
cd "$path_build"

# Create the CA self-signed certificate (private/rootCA.key must already exist)
openssl req -config "$openssl_conf" -new -x509 -subj "/C=COUNTRY/L=Town/O=domain CA/CN=$server" -days "$day" -key private/rootCA.key -out certs/rootCA.crt

# Server side
# Create the private key for the domain server (passphrase-protected)
openssl genrsa -des3 -passout pass:qwerty -out "private/${server}.key" 2048
# Remove the passphrase (rewrites the key file in place, unencrypted)
openssl rsa -passin pass:qwerty -in "private/${server}.key" -out "private/${server}.key"

# Create the CSR for the domain server
openssl req -config "$openssl_conf" -new -subj "/C=COUNTRY/L=Town/O=domain/CN=$server" -key "private/${server}.key" -out "csr/${server}.csr"
# Sign the domain server certificate with the CA
openssl ca -batch -config "$openssl_conf" -days "$day" -in "csr/${server}.csr" -out "certs/${server}.crt" -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

Then I create my client certificate:

#!/usr/bin/env bash
# Same shebang fix as above: tracing via set -x, stop on the first failure via -e.
set -ex
path_build="domain"
day=300
CN="client"
openssl_conf="openssl.cnf"

cd "$path_build"
# Create the private key for a client (passphrase-protected)
openssl genrsa -des3 -passout pass:qwerty -out "private/${CN}.key" 2048

# Remove the passphrase (rewrites the key file in place, unencrypted)
openssl rsa -passin pass:qwerty -in "private/${CN}.key" -out "private/${CN}.key"

# Create the CSR for the client
openssl req -config "$openssl_conf" -new -subj "/C=COUNTRY/L=Town/O=domain/CN=$CN" -key "private/${CN}.key" -out "csr/${CN}.csr"

# Sign the client certificate with the CA
openssl ca -batch -config "$openssl_conf" -days "$day" -in "csr/${CN}.csr" -out "certs/${CN}.crt" -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything

# Export the client certificate and key to PKCS#12 for import into the browser
openssl pkcs12 -export -passout pass:toto -in "certs/${CN}.crt" -inkey "private/${CN}.key" -certfile certs/rootCA.crt -out "certs/${CN}cert.p12"

So I end up with:

ls domain/certs domain/private domain/csr
  domain/certs/:
    domain.crt client.crt clientcert.p12 rootCA.crt

  domain/csr:
    domain.csr client.csr

  domain/private/:
    domain.key client.key rootCA.key

Then I copy the server and client certificates:

Server side: cat /etc/apache2/sites-enabled/default.conf

<VirtualHost *:443>
  ServerAlias domain.tld
  ServerName domain.tld

  WSGIDaemonProcess daemon user=user group=group threads=5
  WSGIScriptAlias / /home/user/current/apache/preprod.wsgi
  WSGIPassAuthorization On
  SSLEngine On
  SSLCertificateFile /home/user/current/apache/certs/domain.crt
  SSLCertificateKeyFile /home/user/current/apache/certs/domain.key
  # No SSLVerifyClient / SSLCACertificateFile here: the server never requests a
  # client certificate, so whatever the client loads into cert= is not checked by it.

  <Directory /home/user/current/apache>
    Require all granted
    # Must name the group defined by WSGIDaemonProcess above ("daemon", not "procsGroup")
    WSGIProcessGroup daemon
    WSGIApplicationGroup %{GLOBAL}
    Order deny,allow
    Allow from all
  </Directory>
</VirtualHost>

Then on the client side:

#!/usr/bin/env python
import requests
import urllib3.contrib.pyopenssl
urllib3.contrib.pyopenssl.inject_into_urllib3()

# As posted (this is the combination that fails with the traceback below):
# the CA certificate is passed in cert= as if it were the client certificate,
# and the client certificate is passed in verify= as if it were the CA bundle.
_certfile = "certs/rootCA.crt"
_private_key = "certs/client.key"
_client_cert = "certs/client.crt"
username = "user"
password = "pass"
url = 'https://domain.tld/api/1.0/bob/create'

# requests semantics: verify=<path> is the CA bundle used to validate the server;
# cert=(certificate, key) is the client's own certificate and its matching private key.
r = requests.post(url, auth=(username, password), params={}, verify=_client_cert, cert=(_certfile, _private_key))

And I get this answer:

Traceback (most recent call last):
  File "codes_generation.py", line 167, in <module>
    print(request(""))
  File "codes_generation.py", line 74, in request
    r =  requests.post(url, auth=(username, password), params=order, verify=_client_cert, cert=(_certfile, _private_key))
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/api.py", line 107, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 784, in _validate_conn
    conn.connect()
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 277, in ssl_wrap_socket
    ctx.use_privatekey_file(keyfile)
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/SSL.py", line 665, in use_privatekey_file
    self._raise_passphrase_exception()
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/SSL.py", line 640, in _raise_passphrase_exception
    _raise_current_error()
  File "/Users/user/.pyenv/versions/mailchimp/lib/python2.7/site-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('x509 certificate routines', 'X509_check_private_key', 'key values mismatch')]

When I try to access it in the browser, I get an alert about the self-signed certificate (normal and fine), but when I try to use the requests library in Python, it does not work. (Using Python 2.7)

I am not good at certificates at all, and I think I may simply be putting the wrong files in the wrong places, since I do not really get the meaning of the files being used.

So I am trying to understand how self-signed certificates work and where the problem is. If you have any resources on this, every link about self-signed certificates I have been browsing has been far from clear.

So I found what went wrong, I was using the wrong files:

_certfile = "certs/domain.crt"
_private_key = "certs/domain.key"
_client_cert = "certs/rootCA.crt"

And this works:

_certfile = "certs/client.crt"
_private_key = "certs/client.key"
_client_cert = "certs/rootCA.crt"

But I still do not understand certificates; I know they are used in pairs, but why do the domain files and the client files both work for the client?

So if you have documentation that is clear enough, I would be glad!

Thanks everyone
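The X509_check_private_key error in the traceback is pyOpenSSL refusing a certificate whose public key does not belong to the private key it was paired with in cert=(...); the following added example (not code from the post) reproduces that pair check, and the chain check that verify= relies on, with the openssl CLI on a throwaway CA, assuming only that openssl is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the post: reproduce the check behind
# "X509_check_private_key: key values mismatch" with the openssl CLI.
# Assumes only that the openssl command (1.1 or 3.x) is on PATH.
set -eu

# 0 when the certificate's public key equals the one derived from the private
# key, i.e. a valid pair for requests' cert=(certificate, key); 2 on unreadable input.
check_pair() {
  local crt="$1" key="$2" a b
  a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ "$a" = "$b" ]
}

# 0 when the certificate chains to the given CA file, i.e. that CA file is the
# right value for verify= on a client talking to a server that uses the cert.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Build a throwaway CA plus a server and a client certificate in "$1"
# (constructed test data, same file names as in the question).
make_pki() {
  local d="$1" cn
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
    -keyout "$d/rootCA.key" -out "$d/rootCA.crt" 2>/dev/null
  for cn in domain client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$cn.key" -out "$d/$cn.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/$cn.csr" -CA "$d/rootCA.crt" \
      -CAkey "$d/rootCA.key" -CAcreateserial -out "$d/$cn.crt" 2>/dev/null
  done
}

# Print one line per (certificate, key) combination from the question.
report() {
  if check_pair "$1" "$2"; then echo "MATCH    $1 + $2"; else echo "MISMATCH $1 + $2"; fi
}

main() {
  local d; d=$(mktemp -d)
  make_pki "$d"
  report "$d/rootCA.crt" "$d/client.key"   # the failing combination
  report "$d/domain.crt" "$d/domain.key"   # works: a matched pair
  report "$d/client.crt" "$d/client.key"   # works: a matched pair
  check_chain "$d/rootCA.crt" "$d/client.crt" && echo "client.crt chains to rootCA.crt"
  rm -rf "$d"
}
main
```

Both matched pairs pass the pair check, which is why domain.crt/domain.key and client.crt/client.key both "work" on the client; only the CA file belongs in verify=.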

