mosquitto broker with an SSL LetsEncrypt certificate and self-signed client certificates
I already read about this but I am not sure I got it correctly.
The situation is I have LetsEncrypt certificates for ssl for my duckdns server.
I wanted to reuse it for a mosquitto server as well, so I configured it as
listener 8884
allow_anonymous false
password_file /mosquitto/config/passwords
certfile /mosquitto/ssl/live/xxxxxx.duckdns.org/fullchain.pem
keyfile /mosquitto/ssl/live/xxxxxx.duckdns.org/privkey.pem
tls_version tlsv1.2
where the certfile and keyfile are the ones generated by LetsEncrypt. This works as expected.
Now to expose it to the web though, I'd rather use client certificates.
From what I understood, I should then use a "private" CA, otherwise any certificate signed by LetsEncrypt would do as a valid client.
So I added to the configuration the following lines
require_certificate true
use_identity_as_username true
cafile /mosquitto/certs/ca.crt
where ca.crt is a certificate I generated with
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 36500 -key ca.key -out ca.crt
and with it generated a client certificate using
openssl genrsa -out keyfile.key 4096
openssl req -new -key keyfile.key -out keyfile.csr
openssl x509 -req -days 36500 -in keyfile.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out keyfile.crt
I checked that the client certificate is correctly signed using openssl verify.
Now by calling
mosquitto_pub --cafile /mosquitto/certs/ca.crt --key keyfile.key --cert keyfile.crt -h xxxxxx.duckdns.org -p 8884 -t broker/hello -m "online"
I get a TLS error and in mosquitto logs I see
OpenSSL Error[0]: error:1404A418:SSL routines:ST_ACCEPT:tlsv1 alert unknown ca
I suppose I'm mixing up things with the server certificate and the client certificate having different CAs, though I'm not getting where I'm doing it wrong and how to reach the goal.
Any help or hint on what's wrong in my operations is appreciated.
Comments (1)
The problem is the CA cert you've passed to the mosquitto_pub command. mosquitto_pub uses the ca cert passed to it to verify the certificate the broker presents to authenticate itself, so it should point to somewhere that has the Let's Encrypt root CA. The CA cert should not be linked to the cert/key the client uses to authenticate.
So you should probably be pointing it at the system CA cert bundle e.g.
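As an added example (not code from the question or the answer above), the script below rebuilds the two separate trust roots from the question with throwaway keys and checks each verification direction with openssl verify: the broker's cafile validates the client certificate, while the client's --cafile validates the broker certificate. The names le-root (stand-in for the Let's Encrypt chain), private-ca, broker, client and the system bundle path in the final comment are all assumptions for this demo.

```shell
#!/bin/sh
# Added example, not from the question or answer: reproduce the two trust roots
# with throwaway keys. "le-root" stands in for the Let's Encrypt chain that signs
# the broker certificate; "private-ca" plays the CA from the question that signs
# client certificates. All names and paths are constructed for this demo.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA: $1 = file prefix, $2 = subject CN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate signed by CA $1: $2 = leaf prefix, $3 = subject CN.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# Exit 0 if certificate $2 chains to CA $1 (what a peer does with its cafile).
chains_to() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca le-root le-root-standin
make_ca private-ca private-client-ca
issue_leaf le-root broker xxxxxx.duckdns.org
issue_leaf private-ca client client-1

# Broker side (cafile /mosquitto/certs/ca.crt): the private CA validates the client.
if chains_to private-ca client; then echo "broker: client cert accepted"; fi
# Client side: --cafile validates the BROKER certificate. Pointing it at the
# private CA is the mismatch behind the "tlsv1 alert unknown ca" in the question.
if ! chains_to private-ca broker; then echo "client --cafile ca.crt: broker rejected"; fi
if chains_to le-root broker; then echo "client --cafile <LE root bundle>: broker accepted"; fi
# The public root must NOT validate the client cert, or any publicly issued
# certificate would be accepted as a client (the concern raised in the question).
if ! chains_to le-root client; then echo "public root does not validate client: ok"; fi

# Corrected invocation against the real broker (Debian/Ubuntu system bundle path
# assumed; adjust for your distribution):
#   mosquitto_pub --cafile /etc/ssl/certs/ca-certificates.crt \
#     --cert keyfile.crt --key keyfile.key -h xxxxxx.duckdns.org -p 8884 \
#     -t broker/hello -m online
```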