Configuring Rocket 0.5 TLS with a NO-IP TrustCor certificate

Posted on 2025-01-12 14:34:41


I've been using Rust-lang Rocket v0.5-rc for the past couple of weeks in order to create my web application.
In order to get my SSL certificate and a domain name, I've been using NO-IP free services.

I generated a 2048 bit RSA key with OpenSSL, converted it to PKCS-8, created a CSR (using the pre-made key) and uploaded it to NO-IP.
After a while, I downloaded the cert chain and configured Rocket.toml as described:

[global]
port = 443
address = "0.0.0.0"

[default.tls]
certs = "certs.pem"
key = "key.key"

However, when I try to connect via Firefox to the website I get either a "Connection Lost" or an "SSL Malformed" warning.

Server output:

    Finished dev [unoptimized + debuginfo] target(s) in 0.13s
     Running `target\debug\rocket_project.exe`
Configured for debug.
   >> address: 0.0.0.0
   >> port: 443
   >> workers: 8
   >> ident: Rocket
   >> keep-alive: 5s
   >> limits: bytes = 8KiB, data-form = 2MiB, file = 1MiB, form = 32KiB, json = 1MiB, msgpack = 1MiB, string = 8KiB
   >> tls: enabled
   >> temp dir: C:\Users\talhk\AppData\Local\Temp\
   >> log level: normal
   >> cli colors: true
   >> shutdown: ctrlc = true, force = true, grace = 2s, mercy = 3s
Warning: found set deprecated profile `development`
   >> profile was replaced by `debug`
Warning: found set deprecated profile `production`
   >> profile was replaced by `release`
Routes:
   >> (index) GET /
   >> (get_file_external) GET /<file..>
Fairings:
   >> Shield (liftoff, response, singleton)
Shield:
   >> Permissions-Policy: interest-cohort=()
   >> X-Content-Type-Options: nosniff
   >> X-Frame-Options: SAMEORIGIN
Rocket has launched from https://0.0.0.0:443
Error: connection accept error: received corrupt message
Error: optimistically retrying now
Warning: Received SIGINT. Requesting shutdown.
Received shutdown request. Waiting for pending I/O...

Additional Info: When I used Wireshark to find out what's happening it described it as TCP (not TLS) communication.

Any ideas?

Comments (1)

爱要勇敢去追 2025-01-19 14:34:41


The problem could be that you are not actually connecting to your Rocket webserver. The hostname you are using most likely resolves to a public IP address where something else might be listening. Try testing using localhost first with https://localhost and accept the invalid certificate (or skip to the end of this message for how to change your hosts file). If that turns out to be the case you will need to set up port forwarding in your router for port 443.

But that is just a guess. I'm not sure why you got that specific error, but I was able to set up Rocket with a TrustCor cert for a free hostname from https://www.noip.com. Here are the steps I took:

I got rocket working using the Getting Started page. My main.rs looks just like theirs and I'm using version 0.5.0-rc.1. I get "Hello World!" with curl on http://127.0.0.1:8000. So I know everything is working without TLS.

Next, I generated a key and csr with openssl,

openssl req -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.csr

The important line is the "Common Name" which I set to rocket-test.zapto.org. I did not set a password for the key. There is no need to change the key or csr format. openssl by default generates them in the correct format for Rocket / rustls and No-IP.

I created the hostname and then I followed the No-IP guide to upload the CSR, https://www.noip.com/support/knowledgebase/configure-trustcor-standard-dv-ssl/

I waited for the cert to be issued and then I downloaded it from the "PEM Chain (Recommended)" link.

[Screenshot: the "PEM Chain (Recommended)" download link]

I moved the file to my cargo project directory along with my key. I also changed the port Rocket is listening on to 443 as you have it. Here is what my files look like:

$ grep ^rocket Cargo.toml
rocket = { version = "0.5.0-rc.1", features = ["tls"] }

$ cat Rocket.toml
[global]
port = 443

[default.tls]
certs = "rocket-test_zapto_org.pem-chain"
key = "key.pem"

$ ls -1 *pem*
key.pem
rocket-test_zapto_org.pem-chain

$ head -n 2 key.pem 
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4gZZbg2iWPlyi

$ head -n 2 rocket-test_zapto_org.pem-chain
-----BEGIN CERTIFICATE-----
MIIGpzCCBY+gAwIBAgIMV2rPeuY8+0gQuie4MA0GCSqGSIb3DQEBCwUAMFsxCzAJ

cargo run shows it listening on https://127.0.0.1:443, no longer http://127.0.0.1:8000,

$ cargo run
...
🚀 Rocket has launched from https://127.0.0.1:443

First we test that it is working without verifying the hostname (--insecure does not verify the Common Name of the certificate),

$ curl --insecure https://127.0.0.1
Hello, world!

Now we can use curl with --resolve to check that it is working with the correct Common Name,

$ curl --resolve rocket-test.zapto.org:443:127.0.0.1 https://rocket-test.zapto.org
Hello, world!

To test locally with a browser we need the name to resolve to 127.0.0.1 in the browser. We can do that by adding it to the /etc/hosts file. It looks like you're on Windows so the hosts file is at C:\Windows\System32\Drivers\etc\hosts. Create the file if it does not exist and add an entry at the end that looks like this (with your hostname of course),

127.0.0.1  rocket-test.zapto.org

Then I can open my browser to https://rocket-test.zapto.org and it will work.

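A pre-flight check for the `key`/`certs` pair that both the question and the answer configure in Rocket.toml, added here as an example; it is not code from the question, the answer or the Rocket project. It automates the `head -n 2` inspection in the answer and adds what a practitioner wants to know before `cargo run`: that the key file holds exactly one unencrypted private key (a passphrase-protected key is the usual reason a "converted" key fails to load, since Rocket.toml has no passphrase setting), that the chain file holds only certificates and more than one of them (the "PEM Chain (Recommended)" download, not the bare leaf), and that every block's base64 body decodes to DER beginning with a SEQUENCE tag. The PEM labels it accepts as a key (PKCS#8 "PRIVATE KEY", PKCS#1 "RSA PRIVATE KEY", SEC1 "EC PRIVATE KEY") are an assumption about what Rocket/rustls load, not taken from the Rocket source; the built-in sample PEM is constructed toy DER, not a real key or certificate. Standard library only, so it builds with plain `rustc`.

```rust
// Added example, not code from the question, the answer or the Rocket project:
// a pre-flight lint for the two files Rocket.toml's [default.tls] points at.
// Pure std. KEY_LABELS is an assumption about what Rocket/rustls accept; the
// SAMPLE_* constants are constructed toy DER, not a real key or certificate.
use std::fs;

/// One PEM block: the label after BEGIN and its decoded DER bytes.
#[derive(Debug)]
pub struct PemBlock { pub label: String, pub der: Vec<u8> }

/// Decode standard base64 (no whitespace; trailing `=` padding optional).
fn base64_decode(s: &str) -> Result<Vec<u8>, String> {
    let (mut out, mut acc, mut bits) = (Vec::new(), 0u32, 0u32);
    for (i, c) in s.bytes().enumerate() {
        let v = match c {
            b'A'..=b'Z' => (c - b'A') as u32,
            b'a'..=b'z' => (c - b'a' + 26) as u32,
            b'0'..=b'9' => (c - b'0' + 52) as u32,
            b'+' => 62, b'/' => 63, b'=' => break,
            _ => return Err(format!("invalid base64 byte {:?} at offset {}", c as char, i)),
        };
        acc = ((acc << 6) | v) & 0x00ff_ffff; // never more than 24 pending bits
        bits += 6;
        if bits >= 8 { bits -= 8; out.push(((acc >> bits) & 0xff) as u8); }
    }
    Ok(out)
}

/// Split PEM text into blocks, decoding each body and requiring it to be DER.
pub fn parse_pem(text: &str) -> Result<Vec<PemBlock>, String> {
    let (mut blocks, mut open, mut body) = (Vec::new(), None::<String>, String::new());
    for (n, raw) in text.lines().enumerate() {
        let line = raw.trim();
        if let Some(rest) = line.strip_prefix("-----BEGIN ") {
            if open.is_some() { return Err(format!("line {}: BEGIN inside an open block", n + 1)); }
            open = Some(rest.trim_end_matches('-').to_string());
            body.clear();
        } else if let Some(rest) = line.strip_prefix("-----END ") {
            let label = open.take().ok_or(format!("line {}: END without BEGIN", n + 1))?;
            if rest.trim_end_matches('-') != label {
                return Err(format!("line {}: END does not match BEGIN {}", n + 1, label));
            }
            let der = base64_decode(&body).map_err(|e| format!("block {}: {}", label, e))?;
            // X.509, PKCS#8, PKCS#1 and SEC1 all begin with a DER SEQUENCE tag (0x30).
            if der.first() != Some(&0x30) {
                return Err(format!("block {}: body is not DER (no leading SEQUENCE)", label));
            }
            blocks.push(PemBlock { label, der });
        } else if open.is_some() {
            // "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" headers mean a legacy encrypted key.
            if line.contains(':') { return Err(format!("line {}: PEM header {:?} (encrypted key?)", n + 1, line)); }
            body.push_str(line);
        }
    }
    match open { Some(l) => Err(format!("unterminated block {}", l)), None => Ok(blocks) }
}

/// Labels treated as a loadable private key (assumption about Rocket/rustls).
pub const KEY_LABELS: [&str; 3] = ["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"];

/// Lint the contents of the `key` and `certs` files; an empty Vec means they look loadable.
pub fn lint_tls_material(key_pem: &str, certs_pem: &str) -> Vec<String> {
    let mut problems = Vec::new();
    match parse_pem(key_pem) {
        Err(e) => problems.push(format!("key: {}", e)),
        Ok(blocks) => {
            let mut keys = 0;
            for b in &blocks {
                match b.label.as_str() {
                    l if KEY_LABELS.contains(&l) => keys += 1,
                    "ENCRYPTED PRIVATE KEY" => problems.push("key: passphrase-protected PKCS#8 key; Rocket has no passphrase setting, re-export it unencrypted (openssl pkey -in enc.pem -out key.pem)".into()),
                    "CERTIFICATE" => problems.push("key: certificate in the key file; it belongs in certs".into()),
                    l => problems.push(format!("key: unexpected block {:?}", l)),
                }
            }
            if keys != 1 { problems.push(format!("key: expected exactly one private key block, found {}", keys)); }
        }
    }
    match parse_pem(certs_pem) {
        Err(e) => problems.push(format!("certs: {}", e)),
        Ok(blocks) => {
            let certs = blocks.iter().filter(|b| b.label == "CERTIFICATE").count();
            if certs == 0 { problems.push("certs: no CERTIFICATE block".into()); }
            else if certs == 1 { problems.push("certs: single certificate; use the CA's PEM chain (leaf first, then intermediates)".into()); }
            if blocks.iter().any(|b| b.label.ends_with("PRIVATE KEY")) {
                problems.push("certs: private key inside the certs file; keep it in its own file with restrictive permissions".into());
            }
        }
    }
    problems
}

/// Constructed sample material: toy DER `SEQUENCE { INTEGER 5 }`, not a real key or certificate.
pub const SAMPLE_KEY: &str = "-----BEGIN PRIVATE KEY-----\nMAMCAQU=\n-----END PRIVATE KEY-----\n";
pub const SAMPLE_CHAIN: &str = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n\
                                -----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";

/// Usage: tls_lint <key.pem> <certs.pem>, the two paths from Rocket.toml; exits 1 on problems.
fn main() {
    let args: Vec<String> = std::env::args().collect();
    let (key, certs) = match args.as_slice() {
        [_, k, c] => (fs::read_to_string(k).expect("read key"), fs::read_to_string(c).expect("read certs")),
        _ => (SAMPLE_KEY.to_string(), SAMPLE_CHAIN.to_string()), // no args: lint the constructed samples
    };
    let problems = lint_tls_material(&key, &certs);
    for p in &problems { println!("PROBLEM {}", p); }
    if problems.is_empty() { println!("OK: key and certs look loadable"); } else { std::process::exit(1); }
}
```

Run it from the project directory against the two paths in Rocket.toml (`key.pem` and the `.pem-chain` file in the answer); with no arguments it lints its own constructed samples. A clean result only says the files are well-formed PEM of the expected kinds: it does not prove the key matches the leaf certificate or that the chain is leaf-first, which `openssl rsa -noout -modulus` against `openssl x509 -noout -modulus` and `openssl verify -untrusted` cover. It also says nothing about whether the browser's request reaches this listener at all, so the answer's `curl --insecure https://127.0.0.1` test is still the first thing to run.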
