1

我在此链接中使用此工具为 Windows 网络服务器生成自签名证书。

生成证书的命令如下

New-SelfSignedCertificateEx -Subject "CN=192.168.56.111" -SAN "192.168.56.111" -IsCA $true -EKU "Server Authentication", "Client Authentication" -KeyLength 2048  -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "192.168.56.111" -NotAfter $([datetime]::now.AddYears(5)) -StoreLocation "LocalMachine" -Exportable

使用 IIS 安装证书并将证书添加到 Windows 10 客户端中受信任的根 CA 存储后,我能够浏览网站而没有证书错误。

但是,当我尝试通过将证书安装到 CA 证书存储并使用 cURL 测试在 ubuntu 18.04 客户端中执行相同操作时,它不起作用

将证书安装到 Ubuntu ca-certificates

openssl s_client -connect 192.168.56.111:443 -showcerts > out.txt
#then use vim to edit out.txt and save the cert to 192.168.56.111.crt

sudo cp 192.168.56.111.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

使用 cURL 测试连接

curl https://192.168.56.111

并收到错误消息

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

将证书添加到 Chrome 证书商店时,Chrome 显示 NET::ERR_CERT_INVALID

所以我的问题是,为什么它可以在 Windows 客户端而不是 Ubuntu 18.04 中工作?我看不到任何错误表明 Ubuntu 中的证书有什么问题,所以我现在被卡住了。

4

1 回答 1

0

您的openssl命令不正确:

jonathan.muller@jonathan-muller-C02ZC4EPLVDQ$ openssl s_client -connect drylm.org:443 -showcerts
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = blog.drylm.org
verify return:1
---
Certificate chain
 0 s:/CN=blog.drylm.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgISA0xYp5ZHU+NGF1EW/RcUuV0fMA0GCSqGSIb3DQEBCwUA
...

你的输出中有很多噪音。以下是提取证书的方法:

echo | openssl s_client -connect 192.168.56.111:443 2>/dev/null | openssl x509 > 192.168.56.111.pem

您可以将此 pem 文件复制到信任库。

编辑

我刚刚通过在此网站上创建自签名证书来进行练习

在我的外壳中:

john@kona$ curl https://test.drylm.org
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

然后

john@kona$ echo | openssl s_client -connect test.drylm.org:443 2>/dev/null | openssl x509 > test.drylm.org.crt
sudo cp test.drylm.org.crt /usr/local/share/ca-certificates/

john@kona$ sudo update-ca-certificates 
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:test.drylm.org.pem
done.
done.

最后:

john@kona$ curl https://test.drylm.org
      Path : ~

curl 不再有错误消息。

于 2020-06-03T14:18:10.363 回答