0

我正在设置启用 SSL/TLS (HTTPS) 的hawkBit服务器和 swupdate。步骤是:

  1. 生成密钥

    # Generate self signed root CA cert: ca.crt and ca.key
    openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 3650
    # Input the info with CN is <domain>
    
    # Generate server cert to be signed: server.csr and server.key
    openssl req -nodes -newkey rsa:2048 -keyout server.key -days 1095 -out server.csr
    # Input the info with CN is <domain>
    
    # Sign the server csr: server.crt
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1095 -out server.crt
    
    # Create pkcs12: server.p12
    openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
    # Enter Export Password:
    # Verifying - Enter Export Password:
    
    # import pkcs#12 to Java key store
    keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 \
        -destkeystore server.jks -deststoretype pkcs12 \
        -alias 1 -deststorepass <pass> -srcstorepass <pass>
    
  2. 配置 hawkBit

    hawkbit.artifact.url.protocols.download-http.protocol=https
    hawkbit.artifact.url.protocols.download-http.port=<port>
    security.require-ssl=true
    server.use-forward-headers=true 
    
    server.ssl.key-store=/home/huong/software-update-server/hawkbit/hawkbit-runtime/hawkbit-update-server/jks/self_signed.p12
    server.ssl.key-store-password=<pass>
    server.ssl.key-password=<pass>
    server.ssl.enabled=true
    server.ssl.protocol=TLS
    server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
    

    此时,我可以在浏览器上使用 https 访问 hawkBit。

  3. 配置 swupdate

  • 启用:CONFIG_CURL_SSLCONFIG_DOWNLOAD_SSLCONFIG_CHANNEL_CURL_SSLCONFIG_SURICATTA_SSL

  • 运行命令:swupdate -v -k /etc/public.pem -f /suricatta.cfg -u ""

  • 带有 suricatta 部分的 suricatta.cfg:

    suricatta :
    {
        tenant      = "DEFAULT";
        id          = "dev01";
        confirm     = 0;
        url         = "https://<domain>:<port>";
        polldelay   = 20;
        nocheckcert = false;
        retry       = 4;
        retrywait   = 200;
        loglevel    = 10;
        userid      = 1000;
        groupid     = 1000;
        cafile      = "/ca.crt";
        sslkey      = "/server.key";
        sslcert     = "/server.crt";
        gatewaytoken    = "<getway_token>";
        /*
        targettoken     = "3bc13b476cb3962a0c63a5c92beacfh7";
        */
    };
    

日志显示错误:

[DEBUG] : SWUPDATE running :  [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
*   Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#0)
* found 1 certificates in /ca.crt
* ALPN, offering http/1.1
* error reading X.509 key or certificate file
* Closing connection 0
[ERROR] : SWUPDATE failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation failed (35): 'SSL connect error'

通过命令运行swupdate时:swupdate -v -k /etc/public.pem --ca-path="/chain.pem" -u '-t DEFAULT -u https://<domain>:<port> -i dev01 -g <getway_token>',其中chain.pem是服务器的公钥(通过存档openssl rsa -in server.key -pubout -out chain.pem),或者chain.pem是ca的公钥或ca和服务器的公钥链,日志显示错误:

[DEBUG] : SWUPDATE running :  [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
*   Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#1)
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection 1
[ERROR] : SWUPDATE failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation failed (60): 'SSL peer certificate or SSH remote key was not OK'

请不要告诉我使用 server.crt 或 server.p12 或 ca.crt--ca-path因为它显示错误:

[ERROR] : SWUPDATE failed [0] ERROR corelib/swupdate_rsa_verify.c : load_pubkey : 52 : unable to load key filename /chain.pem
[ERROR] : SWUPDATE failed [0] ERROR corelib/verify_signature.c : swupdate_dgst_init : 135 : Error loading pub key from /chain.pem

而且我认为PEM_read_bio_PUBKEY无法从证书中获取公钥。

在 hawkBit 日志中,我没有发现任何奇怪的日志。

所以请指导我配置 swupdate 以在启用 SSL/TLS 的 hawkBit 上运行。

  • 我必须在 swupdate 端使用哪个证书/密钥?
  • 我应该使用配置文件而不是--ca-path参数吗?

提前致谢!

4

0 回答 0