4
好吧,我想用客戶端證書來驗證一個Nginx服務器的Python客戶端。以下是我試過到目前爲止:做SSL客戶端身份驗證是python
創建本地CA
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 365 -key ca.key -out ca.crt
創建服務器密鑰和證書
openssl genrsa -des3 -out server.key 1024 openssl rsa -in server.key -out server.key openssl req -new -key server.key -out server.csr openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
的類似程序來創建客戶端密鑰和證書
openssl genrsa -des3 -out client.key 1024 openssl rsa -in client.key -out client.key openssl req -new -key client.key -out client.csr openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
將這些行添加到我的nginx配置中
server {
listen 443;
ssl on;
server_name dev.lightcloud.com;
keepalive_timeout 70;
access_log /usr/local/var/log/nginx/lightcloud.access.log;
error_log /usr/local/var/log/nginx/lightcloud.error.log;
ssl_certificate /Users/wombat/Lightcloud-Web/ssl/server.crt;
ssl_certificate_key /Users/wombat/Lightcloud-Web/ssl/server.key;
ssl_client_certificate /Users/wombat/Lightcloud-Web/ssl/ca.crt;
ssl_verify_client on;
location/{
uwsgi_pass unix:///tmp/uwsgi.socket;
include uwsgi_params;
}
}
創建PEM客戶端文件
cat client.crt client.key ca.crt > client.pem
創建了一個測試python腳本
import ssl
import http.client
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.load_verify_locations("ca.crt")
context.load_cert_chain("client.pem")
conn = http.client.HTTPSConnection("localhost", context=context)
conn.set_debuglevel(3)
conn.putrequest('GET', '/')
conn.endheaders()
response = conn.getresponse()
print(response.read())
現在我得到400來自服務器的SSL證書錯誤。我究竟做錯了什麼?
它看起來像我的問題可能是自簽名的證書。看起來像nginx支持的客戶端驗證的唯一選項是全自動在自簽名上失敗,而optional_no_ca允許客戶端即使沒有提供證書。有沒有辦法讓nginx需要有效的客戶端證書而不檢查可信任的CA?或者讓它信任我的本地CA? –