March 21, 2020
API requests when the server has no certificate enabled
[root@ip-172-31-47-53 ~]# curl -I http://api.iot.com
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 19 Mar 2020 07:53:35 GMT
Content-Type: text/html
Content-Length: 169
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Connection: keep-alive
ETag: "5e718184-a9"
Accept-Ranges: bytes
[root@ip-172-31-47-53 ~]#
[root@ip-172-31-47-53 ~]# curl http://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#
API requests when the server has a certificate enabled
Server configuration
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  api.iot.com;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    #ssl_client_certificate "/etc/pki/nginx/ca.crt";
    #ssl_verify_client on;
    #ssl_verify_depth 2;
    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout 10m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}
Server certificate setup (strip the private key passphrase so nginx starts without error)
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/api.iot.com.cert.pem > /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem >> /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/api.iot.com.key.pem -out /etc/pki/nginx/private/server.key
Enter pass phrase for ca/intermediate/private/api.iot.com.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#
Check the configuration
[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]#
Reload the configuration
[root@ip-172-31-47-53 ~]# systemctl restart nginx
Client issues a HEAD request
[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:21:44 GMT
Date: Thu, 19 Mar 2020 08:21:44 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#
Client issues a GET request
[root@ip-172-31-47-53 ~]# curl -k https://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#
Enable client certificate verification
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  api.iot.com;
    root         /usr/share/nginx/html;

    ssl_certificate "/etc/pki/nginx/server.crt";
    ssl_certificate_key "/etc/pki/nginx/private/server.key";
    ssl_client_certificate "/etc/pki/nginx/ca.crt";
    ssl_verify_client on;
    ssl_verify_depth 2;
    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout 10m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
        location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
}
Prepare the CA chain file used for client verification
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem > /etc/pki/nginx/ca.crt
Check the configuration file and restart the nginx service
[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]# systemctl restart nginx
HEAD request without a client certificate
Error: * NSS: client certificate not found (nickname not specified)
[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:31:16 GMT
Date: Thu, 19 Mar 2020 08:31:16 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 237
Content-Length: 237
< Connection: close
Connection: close
<
* Closing connection 0
[root@ip-172-31-47-53 ~]#
HEAD request with a client certificate
Prepare the client private key
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#
Client HEAD request succeeds
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]# curl -Ivk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 07:24:28 2020 GMT
*       expire date: Sep 15 07:24:28 2020 GMT
*       common name: IOTHS0000238
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:37:24 GMT
Date: Thu, 19 Mar 2020 08:37:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#
Client GET request succeeds
[root@ip-172-31-47-53 ~]# curl -vk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
*   Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
*       subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 07:24:28 2020 GMT
*       expire date: Sep 15 07:24:28 2020 GMT
*       common name: IOTHS0000238
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
*       start date: Mar 19 06:48:39 2020 GMT
*       expire date: Mar 19 06:48:39 2021 GMT
*       common name: api.iot.com
*       issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 12:09:49 GMT
< Content-Type: text/html
< Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
< ETag: "5e718184-a9"
< Accept-Ranges: bytes
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#
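The script below is an added example and is not code from the original post. It ties together two of the steps above: the server certificate setup (leaf first in server.crt, key and certificate matching, passphrase stripped from the key) and the client verification that ssl_client_certificate with ssl_verify_depth 2 performs, reproduced here with openssl verify so the accept/reject decision can be checked before nginx is restarted. It assumes a POSIX shell with openssl on PATH and builds its own throwaway PKI in a temporary directory (root, intermediate, server and device certificates plus an unrelated "rogue" CA), so every file name, subject and passphrase in it is constructed; it never touches the post's /etc/pki/nginx paths, and it assumes, as the post does, that ca-chain.cert.pem is the intermediate followed by the root.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throwaway two-tier
# PKI (root CA -> intermediate CA -> server and device certificates) and run
# the checks an operator wants before nginx loads ssl_certificate,
# ssl_certificate_key and ssl_client_certificate. All file names, subjects and
# the passphrase are constructed for the demo; the CNs api.iot.com and
# IOTHS0000238 mirror the post only so the output is recognisable. It is
# assumed, as in the post, that ca-chain.cert.pem = intermediate + root.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
# Minimal req config so nothing here depends on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf

# issue NAME SUBJECT KIND ISSUER: KIND is ca, server or client; ISSUER is the
# base name of the signing cert/key pair, or "self" for a self-signed root.
issue() {
  name=$1; subj=$2; kind=$3; issuer=$4
  openssl genrsa -out "$name.key.pem" 2048 2>/dev/null
  chmod 600 "$name.key.pem"
  openssl req -new -config req.cnf -key "$name.key.pem" -subj "$subj" -out "$name.csr" 2>/dev/null
  case $kind in
    ca)     printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$name.ext" ;;
    server) printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "${subj##*/CN=}" > "$name.ext" ;;
    client) printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$name.ext" ;;
  esac
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key.pem" -days 3650 \
      -extfile "$name.ext" -out "$name.cert.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.cert.pem" -CAkey "$issuer.key.pem" \
      -CAcreateserial -days 365 -extfile "$name.ext" -out "$name.cert.pem" 2>/dev/null
  fi
}

build_demo_pki() {
  issue root         "/C=CN/O=Example/CN=Example Root CA"         ca     self
  issue intermediate "/C=CN/O=Example/CN=Example Intermediate CA" ca     root
  issue api.iot.com  "/C=CN/O=Example/CN=api.iot.com"             server intermediate
  issue device       "/C=CN/O=Example/CN=IOTHS0000238"            client intermediate
  # An unrelated CA and a client cert it issued with the same CN: ca.crt must reject it.
  issue rogue        "/C=CN/O=Rogue/CN=Rogue CA"                  ca     self
  issue impostor     "/C=CN/O=Rogue/CN=IOTHS0000238"              client rogue
  cat intermediate.cert.pem root.cert.pem > ca-chain.cert.pem   # what the post copies to ca.crt
  cat api.iot.com.cert.pem ca-chain.cert.pem > server.crt        # leaf first, then its chain
  cp ca-chain.cert.pem ca.crt
  # A passphrase-protected copy of the device key (the state the post's key was in), then
  # the same strip the post performs with "openssl rsa". The passphrase is demo-only.
  openssl rsa -in device.key.pem -aes256 -passout pass:demo-only -out device.enc.key.pem 2>/dev/null
  openssl rsa -in device.enc.key.pem -passin pass:demo-only -out device.plain.key.pem 2>/dev/null
  chmod 600 device.enc.key.pem device.plain.key.pem
}

# "encrypted" if the PEM key still carries a passphrase (nginx would prompt at start-up).
key_state() { if grep -q ENCRYPTED "$1"; then echo encrypted; else echo plain; fi; }

# "match" if the first certificate in $1 carries the public key of private key $2.
key_matches() {
  if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
  then echo match; else echo mismatch; fi
}

# CN of the first certificate in a PEM file. For server.crt this must be the leaf,
# because nginx presents the first certificate in ssl_certificate as its own.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# "accept" if CERT chains to a trust anchor in CAFILE using at most DEPTH intermediate
# CAs: the decision nginx makes from ssl_client_certificate and ssl_verify_depth.
# The ": OK" text is matched because old openssl releases exit 0 even on failure.
verify_result() {
  if openssl verify -CAfile "$1" -verify_depth "$2" "$3" 2>&1 | grep -q ': OK$'
  then echo accept; else echo reject; fi
}

build_demo_pki

# Stand-alone run: the verdicts to look at before restarting nginx.
printf 'first cert in server.crt        : CN=%s\n' "$(cert_cn server.crt)"
printf 'server.crt vs api.iot.com key   : %s\n' "$(key_matches server.crt api.iot.com.key.pem)"
printf 'server.crt vs device key        : %s\n' "$(key_matches server.crt device.key.pem)"
printf 'device.enc.key.pem              : %s\n' "$(key_state device.enc.key.pem)"
printf 'device.plain.key.pem            : %s\n' "$(key_state device.plain.key.pem)"
printf 'device cert, ssl_verify_depth 2 : %s\n' "$(verify_result ca.crt 2 device.cert.pem)"
printf 'device cert, ssl_verify_depth 0 : %s\n' "$(verify_result ca.crt 0 device.cert.pem)"
printf 'impostor cert from rogue CA     : %s\n' "$(verify_result ca.crt 2 impostor.cert.pem)"
printf 'client DN nginx would log       : %s\n' "$(openssl x509 -in device.cert.pem -noout -subject -nameopt RFC2253)"
```

Run it as `sh check-mtls-files.sh` (or set WORK to a directory you want to inspect afterwards). The device certificate is accepted at depth 2 and rejected at depth 0, which is the behaviour ssl_verify_depth 2 buys in the post's config, and the impostor certificate is rejected even though its CN is identical, because only the chain in ca.crt is trusted. Two caveats the post's procedure does not spell out: stripping the passphrase leaves the private key in cleartext on disk, so keep it root-owned and mode 0600 (nginx's ssl_password_file directive is the alternative if the key must stay encrypted); and with ssl_verify_client on, nginx completes the handshake and answers a missing or unverifiable client certificate with HTTP 400, exactly as the earlier curl output shows, so a client that only checks the TLS connection will not notice the rejection. If you need to log the presented certificate or return a different status, ssl_verify_client optional together with a check of $ssl_client_verify in the location block, logging $ssl_client_s_dn, gives that control.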