How do I use a self signed certificate for a HTTPS Node.js server?


Question

I have started writing a wrapper for an API which requires all requests to be over HTTPS. Instead of making requests to the actual API while I am developing and testing it, I would like to run my own server locally which mocks the responses.

I am confused about how to generate the certificates I need to create a HTTPS server and send requests to it.

My server looks something like this:

var https = require('https');
var fs = require('fs');

// Server private key and the matching (self-signed) certificate, both PEM encoded
var options = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
};

https.createServer(options, function(req, res) {
  res.writeHead(200);
  res.end('OK\n');
}).listen(8000);

The pem files were generated with:

openssl genrsa 1024 > key.pem
openssl req -x509 -new -key key.pem > cert.pem

And the request looks something like this:

var https = require('https');

var options = {
  host: 'localhost',
  port: 8000,
  path: '/api/v1/test'
};

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();

With this setup I get Error: DEPTH_ZERO_SELF_SIGNED_CERT, so I think I need to add a ca option for the request.

So my question is how should I generate the following:


  1. The server key?
  2. The server cert?
  3. The ca for the request?

I have read a few things about generating self signed certificates with openssl, but can't seem to wrap my head around it and figure out which keys and certificates to use where in my node code.

Update

The API provides a CA certificate to use instead of the defaults. The following code works using their certificate and this is what I want to reproduce locally.

var https = require('https');
var fs = require('fs');

// The CA certificate handed out by the API provider, PEM encoded
var ca = fs.readFileSync('./certificate.pem');

var options = {
  host: 'example.com',
  path: '/api/v1/test',
  ca: ca
};
options.agent = new https.Agent(options);

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();


Answer

ScreenCast

https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/


  • creates certificates
  • runs node.js server
  • no warnings or errors in node.js client
  • no warnings or errors in cURL

https://github.com/coolaj86/nodejs-self-signed-certificate-example

Using localhost.daplie.com as an example (it points to 127.0.0.1):

'use strict';

var https = require('https')
  , port = process.argv[2] || 8043
  , fs = require('fs')
  , path = require('path')
  , server
  , options
  ;

require('ssl-root-cas')
  .inject()
  .addFile(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))
  ;

options = {
  key: fs.readFileSync(path.join(__dirname, 'server', 'privkey.pem'))
// You don't need to specify `ca`, it's done by `ssl-root-cas`
//, ca: [ fs.readFileSync(path.join(__dirname, 'server', 'my-private-root-ca.cert.pem'))]
, cert: fs.readFileSync(path.join(__dirname, 'server', 'fullchain.pem'))
};


function app(req, res) {
  res.setHeader('Content-Type', 'text/plain');
  res.end('Hello, encrypted world!');
}

server = https.createServer(options, app).listen(port, function () {
  port = server.address().port;
  console.log('Listening on https://127.0.0.1:' + port);
  console.log('Listening on https://' + server.address().address + ':' + port);
  console.log('Listening on https://localhost.daplie.com:' + port);
});


client.js

'use strict';

var https = require('https')
  , fs = require('fs')
  , path = require('path')
  , ca = fs.readFileSync(path.join(__dirname, 'client', 'my-private-root-ca.cert.pem'))
  , port = process.argv[2] || 8043
  , hostname = process.argv[3] || 'localhost.daplie.com'
  ;

var options = {
  host: hostname
, port: port
, path: '/'
, ca: ca
};
options.agent = new https.Agent(options);

https.request(options, function(res) {
  res.pipe(process.stdout);
}).end();

And the script that makes the certificate files:

#!/bin/bash
FQDN=$1

# make directories to work from
mkdir -p server/ client/ all/

# Create your very own Root Certificate Authority
openssl genrsa \
  -out all/my-private-root-ca.privkey.pem \
  2048

# Self-sign your Root Certificate Authority
# Since this is private, the details can be as bogus as you like
openssl req \
  -x509 \
  -new \
  -nodes \
  -key all/my-private-root-ca.privkey.pem \
  -days 1024 \
  -out all/my-private-root-ca.cert.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=example.com"

# Create a Device Certificate for each domain,
# such as example.com, *.example.com, awesome.example.com
# NOTE: You MUST match CN to the domain name or ip address you want to use
openssl genrsa \
  -out all/privkey.pem \
  2048

# Create a request from your Device, which your Root CA will sign
openssl req -new \
  -key all/privkey.pem \
  -out all/csr.pem \
  -subj "/C=US/ST=Utah/L=Provo/O=ACME Tech Inc/CN=${FQDN}"

# Sign the request from Device with your Root CA
openssl x509 \
  -req -in all/csr.pem \
  -CA all/my-private-root-ca.cert.pem \
  -CAkey all/my-private-root-ca.privkey.pem \
  -CAcreateserial \
  -out all/cert.pem \
  -days 500

# Put things in their proper place
rsync -a all/{privkey,cert}.pem server/
cat all/cert.pem > server/fullchain.pem         # we have no intermediates in this case
rsync -a all/my-private-root-ca.cert.pem server/
rsync -a all/my-private-root-ca.cert.pem client/

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt

For example:

bash make-certs.sh 'localhost.daplie.com'

Hopefully this puts the nail in the coffin on this one.

Some more explanation: https://github.com/coolaj86/node-ssl-root-cas/wiki/Painless-Self-Signed-Certificates-in-node.js

You need to create a copy of the root ca certificate in DER format with a .crt extension:

# create DER format crt for iOS Mobile Safari, etc
openssl x509 -outform der -in all/my-private-root-ca.cert.pem -out client/my-private-root-ca.crt

Then you can simply serve that file with your webserver. When you click the link you should be asked if you want to install the certificate.

For an example of how this works you can try installing MIT's Certificate Authority: https://ca.mit.edu/mitca.crt
