I am setting up a hawkBit server with SSL/TLS (HTTPS) enabled, together with swupdate. The steps are:
Generate the keys
# Generate self signed root CA cert: ca.crt and ca.key
openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 3650
# Input the info with CN is <domain>
# Generate server cert to be signed: server.csr and server.key
openssl req -nodes -newkey rsa:2048 -keyout server.key -days 1095 -out server.csr
# Input the info with CN is <domain>
# Sign the server csr: server.crt
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1095 -out server.crt
# Create pkcs12: server.p12
openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt
# Enter Export Password:
# Verifying - Enter Export Password:
# import pkcs#12 to Java key store
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 \
  -destkeystore server.jks -deststoretype pkcs12 \
  -alias 1 -deststorepass <pass> -srcstorepass <pass>
Configure hawkBit
hawkbit.artifact.url.protocols.download-http.protocol=https
hawkbit.artifact.url.protocols.download-http.port=<port>
security.require-ssl=true
server.use-forward-headers=true
server.ssl.key-store=/home/huong/software-update-server/hawkbit/hawkbit-runtime/hawkbit-update-server/jks/self_signed.p12
server.ssl.key-store-password=<pass>
server.ssl.key-password=<pass>
server.ssl.enabled=true
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
At this point I can access hawkBit over https in a browser.
Configure swupdate
Enable:
CONFIG_CURL_SSL, CONFIG_DOWNLOAD_SSL, CONFIG_CHANNEL_CURL_SSL and CONFIG_SURICATTA_SSL
Run the command:
swupdate -v -k /etc/public.pem -f /suricatta.cfg -u ""
suricatta.cfg with the suricatta section:
suricatta : {
    tenant = "DEFAULT";
    id = "dev01";
    confirm = 0;
    url = "https://<domain>:<port>";
    polldelay = 20;
    nocheckcert = false;
    retry = 4;
    retrywait = 200;
    loglevel = 10;
    userid = 1000;
    groupid = 1000;
    cafile = "/ca.crt";
    sslkey = "/server.key";
    sslcert = "/server.crt";
    gatewaytoken = "<getway_token>";
    /* targettoken = "3bc13b476cb3962a0c63a5c92beacfh7"; */
};
The log shows this error:
[DEBUG] : SWUPDATE running : [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
* Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#0)
* found 1 certificates in /ca.crt
* ALPN, offering http/1.1
* error reading X.509 key or certificate file
* Closing connection 0
[ERROR] : SWUPDATE failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation failed (35): 'SSL connect error'
When I run swupdate with the command: swupdate -v -k /etc/public.pem --ca-path="/chain.pem" -u '-t DEFAULT -u https://<domain>:<port> -i dev01 -g <getway_token>'
where chain.pem is the server's public key (obtained via openssl rsa -in server.key -pubout -out chain.pem), or chain.pem is the CA's public key, or a chain of the CA's and the server's public keys, the log shows this error:
[DEBUG] : SWUPDATE running : [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
* Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#1)
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: none CRLfile: none
* Closing connection 1
[ERROR] : SWUPDATE failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation failed (60): 'SSL peer certificate or SSH remote key was not OK'
Please don't tell me to use server.crt or server.p12 or ca.crt for --ca-path,
because that shows the error:
[ERROR] : SWUPDATE failed [0] ERROR corelib/swupdate_rsa_verify.c : load_pubkey : 52 : unable to load key filename /chain.pem
[ERROR] : SWUPDATE failed [0] ERROR corelib/verify_signature.c : swupdate_dgst_init : 135 : Error loading pub key from /chain.pem
And I think PEM_read_bio_PUBKEY cannot get the public key out of a certificate.
In the hawkBit log I did not find anything strange.
So please guide me on configuring swupdate to run against hawkBit with SSL/TLS enabled.
- Which certificate/key must I use on the swupdate side?
- Should I use the config file instead of the --ca-path argument?
Thanks in advance!
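As an added check (example code, not from the post, swupdate or hawkBit), the script below classifies each file the swupdate TLS options point at by its PEM label before swupdate is even started. It assumes -k expects a PEM public key, cafile and sslcert expect X.509 certificates and sslkey a private key; the PEM files it writes are constructed stubs.

```python
import re
import tempfile
from pathlib import Path

# PEM label each swupdate option must point at. Assumption: -k takes a PEM public
# key (for image signature checks), cafile/sslcert take X.509 certificates and
# sslkey takes a private key; a PKCS#12 (.p12) or DER file is not PEM at all.
EXPECTED = {
    "-k": {"PUBLIC KEY"},
    "cafile": {"CERTIFICATE"},
    "sslcert": {"CERTIFICATE"},
    "sslkey": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def pem_labels(path):
    """Set of PEM block labels found in a file; empty if the file is not PEM."""
    return set(PEM_RE.findall(Path(path).read_text(errors="replace")))

def parse_suricatta_ssl(cfg_text):
    """Extract cafile/sslcert/sslkey from the 'suricatta : { ... };' block."""
    block = re.search(r"suricatta\s*:\s*\{(.*?)\};", cfg_text, re.S)
    if not block:
        return {}
    return dict(re.findall(r'\b(cafile|sslcert|sslkey)\s*=\s*"([^"]*)"', block.group(1)))

def check_files(opts):
    """opts maps option -> path. Returns {option: reason} for every mismatch."""
    problems = {}
    for opt, path in opts.items():
        labels = pem_labels(path)
        if not labels:
            problems[opt] = f"{path}: not a PEM file (e.g. a .p12/DER file will not load)"
        elif not labels & EXPECTED[opt]:
            problems[opt] = f"{path}: has {sorted(labels)}, expected {sorted(EXPECTED[opt])}"
    return problems

def demo():
    """Constructed stub files: a certificate handed to -k is flagged as the wrong type."""
    d = Path(tempfile.mkdtemp())
    (d / "ca.crt").write_text("-----BEGIN CERTIFICATE-----\nMIIB...stub\n-----END CERTIFICATE-----\n")
    (d / "server.crt").write_text("-----BEGIN CERTIFICATE-----\nMIIB...stub\n-----END CERTIFICATE-----\n")
    (d / "server.key").write_text("-----BEGIN PRIVATE KEY-----\nMIIE...stub\n-----END PRIVATE KEY-----\n")
    cfg = (f'suricatta : {{ url = "https://<domain>:<port>"; cafile = "{d}/ca.crt"; '
           f'sslkey = "{d}/server.key"; sslcert = "{d}/server.crt"; }};')
    opts = parse_suricatta_ssl(cfg)
    opts["-k"] = str(d / "server.crt")  # wrong on purpose: a certificate, not a public key
    return check_files(opts)
```

Calling demo() returns a problem only for "-k"; point the same check at a real suricatta.cfg and the real -k file to catch a certificate or .p12 being passed where a PEM public key is needed.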