Vite proxy using HTTP2 returns "unable to verify the first certificate"
I am trying to set up a development environment using HTTP2 requests with Vite and a local backend. I proxy requests between client and server, both running on localhost. The server is configured with a generated certificate using Mkcert (https://github.com/FiloSottile/mkcert).
Configuration:
To configure the certificate I run the following steps:
- mkcert.exe -pkcs12 "test" "127.0.0.1" "localhost"
- Configure the backend to use the generated cert
- mkcert.exe -install
- Use the following vite configuration:

    server: {
      https: {
        pfx: fs.readFileSync(`./cert/test.pfx`),
        passphrase: "some-phrase",
      },
      proxy: {
        "/api": {
          target: `https://localhost:15000`,
          changeOrigin: true,
          secure: true,
        },
      },
    },

Currently this configuration works on Mac but fails on Windows. Both use the same backend and certificates, but on Windows the proxy will fail with: "unable to verify the first certificate". In the browser the certificate chain is correctly validated.
Troubleshooting:
When I run

    openssl s_client -showcerts -connect localhost:15000 -servername localhost

the query results in "unable to verify the first certificate" as well, basically indicating that the mkcert Root CA isn't properly found.

Using

    openssl s_client -showcerts -CAfile "C:\Users\SomeUser\AppData\Local\mkcert\rootCA.pem" -connect localhost:15000 -servername localhost

the certificates will be correctly validated. This should indicate that the proxy lacks a reference to the rootCA of Mkcert.

I have tried supplying the rootCA using the following script in package.json:

    "dev": "cross-env NODE_EXTRA_CA_CERTS=\"C:\\Users\\SomeUser\\AppData\\Local\\mkcert\\rootCA.pem\" && vite",

This doesn't help, however, and the proxy still fails with the same error. I assume Mac and Windows work differently when supplying the CA root certs to Node, or it fails silently?
Anyway, how can this be solved? I have been thinking about supplying the full cert chain in a cert that I supply to Vite, but this shouldn't be needed if Node could just reference the RootCA correctly.
Comments (1)
You need to configure ca for target like that:
Seems vite will not use Windows's rootCA cert store, so we need to configure it by ourselves.
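
One way to write the `ca` configuration this answer refers to, as an added example that is not the answerer's own code. The helper name `proxyTargetWithCa`, the sample PEM and `caPath` are assumptions; it relies on the http-proxy target object form (`protocol`, `host`, `port`, `ca`) and keeps `secure: true`, so the backend certificate is still verified.

```javascript
// Added example; proxyTargetWithCa and SAMPLE_CA_PEM are hypothetical names.
const SAMPLE_CA_PEM = // constructed placeholder, not a real certificate
  "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n";

const CERT_BLOCK = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Build a proxy target object that carries the CA used to verify the backend
// certificate, so trust is scoped to this one proxied connection.
function proxyTargetWithCa(targetUrl, caPem) {
  const url = new URL(targetUrl);
  if (url.protocol !== "https:") {
    throw new Error(`a CA only applies to https targets, got ${url.protocol}`);
  }
  const pem = String(caPem); // accepts a string or the Buffer from fs.readFileSync
  // mkcert keeps rootCA-key.pem beside rootCA.pem; the key must never be loaded here.
  if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(pem)) {
    throw new Error("CA file contains a private key; use rootCA.pem, not rootCA-key.pem");
  }
  const certs = pem.match(CERT_BLOCK) || [];
  if (certs.length === 0) {
    throw new Error("CA file contains no PEM certificate");
  }
  return {
    protocol: url.protocol,        // "https:"
    host: url.hostname,            // host name without the port
    port: Number(url.port) || 443, // URL.port is "" when the default port is used
    ca: certs,                     // one entry per certificate found in the file
  };
}

// Usage in vite.config.js (caPath stands for the rootCA.pem path from the question):
//   "/api": {
//     target: proxyTargetWithCa("https://localhost:15000", fs.readFileSync(caPath)),
//     changeOrigin: true,
//     secure: true,
//   },
```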