使用 https 连接到具有由我创建的 CA 签名的证书的服务器 [英] Connecting using https to a server with a certificate signed by a CA I created

问题描述

我有一个使用 Ruby 通过 https 连接驱动服务器的测试环境.由于最新版本的 Ruby 拒绝使用无效证书连接到 https 服务器(请参阅 我的这个较早的问题)并且我想开始使用更新版本的 Ruby，我正在尝试设置一个有效的证书.

I have a test environment that uses Ruby to drive a server over an https connection. Since the latest versions of Ruby refuse to connect to an https server with an invalid certificate (see this earlier question of mine) and I would like to start using a newer version of Ruby, I am trying to set up a valid certificate.

我创建了一个要使用的 CA 证书(有多个服务器正在测试，所以这似乎是更简单的方法)，并已成功使用它来签署已安装在服务器上并正在使用的新证书.我已将 CA 证书添加到浏览器存储中，它(浏览器)现在将毫无怨言地连接到服务器.因此，我确信我的证书有效且设置正确.

I have created a CA certificate to use (there are multiple servers being tested so this seems the easier way), and have successfully used it to sign a new certificate which has been installed on a server and is being used. I have added the CA certificate to the browser store and it (the browser) will now connect to the server without complaint. So I am confident my certificates are valid and set up correctly.

我知道 Ruby 不使用与浏览器相同的商店.我使用了可用的 CA 文件 here 来测试连接到其他(公共)服务器(使用 Net::HTTP#ca_file= 方法设置)，这也有效.

I know that Ruby does not use the same store as the browser. I have used the CA file available here to test connecting to other (public) servers (set using the Net::HTTP#ca_file= method) and this also works.

我无法开始工作的是 Ruby 使用我的证书连接到我的服务器.我尝试了各种方法将其指向我的证书(包括将我的证书添加到上面链接的文件中)，但它总是给出相同的错误:

What I cannot get to work is Ruby connecting to my server using my certificate. I have tried various ways of pointing it at my certificate (including adding my certificate to the file linked above) and it always gives the same error:

SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)

我必须做什么才能说服 Ruby 接受我的证书并连接到我的服务器?

What do I have to do to convince Ruby to accept my certificate and connect to my server?

我使用的代码是:

require 'net/https'

uri = URI.parse("https://hostname/index.html")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = "My CA cert file"
request = Net::HTTP::Get.new(uri.path)
response = http.request(request)

我假设这是错误的.我想知道的是，我应该如何使用我的 CA 证书?

I'm assuming this is wrong somehow. What I want to know is, what should I do to use my CA certificate?

推荐答案

我假设您的 Tomcat 不喜欢 Ruby 尝试协商的协议版本.Ruby 默认使用 SSLv23，但我听说过其他情况下这是基于 Java 的 Web 服务器的问题.您收到的错误消息表明在建立连接并尝试读取服务器的响应时握手失败.尝试添加任一

I assume that your Tomcat doesn't like the protocol version that Ruby tries to negotiate. Ruby uses SSLv23 by default, but I've heard other cases where this was a problem for Java-based web servers. The error message you are getting indicates that the handshake fails while setting up the connection and trying to read the server's response. Try adding either

http.ssl_version = :TLSv1

或

http.ssl_version = :SSLv3

看看这是否已经有帮助.

and see if that already helps.

如果这还不能解决问题，那么看看您的服务器拒绝连接尝试的原因会非常有趣.尝试使用 -Djavax.net.debug=ssl 运行您的 Tomcat，并请发布相关部分(连接信息、异常堆栈跟踪)以说明尝试失败的原因.

If this does not fix the problem yet, it would be very interesting to see why your server rejects the connection attempt. Try running your Tomcat with -Djavax.net.debug=ssl and please post the relevant parts (connection information, exception stacktrace) as to why the attempt fails.

这篇关于使用 https 连接到具有由我创建的 CA 签名的证书的服务器的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！