Nginx upstream client certificate not working

Tags: nginx, openssl, mqtt

For nginx, I followed this guide as closely as I could:

This is the result:

    stream {
        upstream broker {
            server 10.110.0.4:1883 fail_timeout=10s max_fails=1;
            server 10.110.0.3:1883 fail_timeout=10s max_fails=1;
            server 10.110.0.6:1883 fail_timeout=10s max_fails=1;
        }

        server {
            error_log /var/log/nginx/mqtt_error.log debug;

            ssl_certificate /etc/nginx/ssl/mqtt.domain.com/server.crt;
            ssl_certificate_key /etc/nginx/ssl/mqtt.domain.com/server.key;
            ssl_client_certificate /root/clientca/ca.crt;
            ssl_verify_client on;
            ssl_protocols TLSv1.2;

            listen mqtt.domain.com:8883 ssl;

            proxy_pass broker;
            proxy_ssl_server_name on;
            proxy_connect_timeout 1s;
        }
    }
When I try to connect an MQTT client, nginx logs this error:

2021/04/28 07:34:20 [debug] 780885#780885: accept on 188.166.22.84:8883, ready: 1
2021/04/28 07:34:20 [debug] 780885#780885: posix_memalign: 0000563822D6D490:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 accept: 11.65.81.90:51256 fd:3
2021/04/28 07:34:20 [debug] 780885#780885: posix_memalign: 0000563822D6D6F0:256 @16
2021/04/28 07:34:20 [info] 780885#780885: *5 client 11.65.81.90:51256 connected to 111.166.22.84:8883
2021/04/28 07:34:20 [debug] 780885#780885: *5 posix_memalign: 0000563822D6D930:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 0
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 1
2021/04/28 07:34:20 [debug] 780885#780885: *5 generic phase: 2
2021/04/28 07:34:20 [debug] 780885#780885: *5 tcp_nodelay
2021/04/28 07:34:20 [debug] 780885#780885: *5 posix_memalign: 0000563822D6D820:256 @16
2021/04/28 07:34:20 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:20 [debug] 780885#780885: *5 SSL_get_error: 2
2021/04/28 07:34:20 [debug] 780885#780885: *5 epoll add event: fd:3 op:1 ev:80002001
2021/04/28 07:34:20 [debug] 780885#780885: *5 event timer add: 3: 60000:9742886896
2021/04/28 07:34:20 [debug] 780885#780885: accept() not ready (11: Resource temporarily unavailable)
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL handshake handler: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_get_error: 2
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL handshake handler: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_do_handshake: -1
2021/04/28 07:34:25 [debug] 780885#780885: *5 SSL_get_error: 1
2021/04/28 07:34:25 [info] 780885#780885: *5 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 11.65.81.90, server: 111.166.22.84:8883
2021/04/28 07:34:25 [debug] 780885#780885: *5 finalize stream session: 500
2021/04/28 07:34:25 [debug] 780885#780885: *5 stream log handler
2021/04/28 07:34:25 [debug] 780885#780885: *5 close stream connection: 3
2021/04/28 07:34:25 [debug] 780885#780885: *5 event timer del: 3: 9742886896
2021/04/28 07:34:25 [debug] 780885#780885: *5 reusable connection: 0
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D490, unused: 64
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D6F0, unused: 80
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D930, unused: 80
2021/04/28 07:34:25 [debug] 780885#780885: *5 free: 0000563822D6D820, unused: 136
I have very little experience on the server side.

So, I finally solved this through the link above. Here is the list of problems and solutions:

  • I have a Let's Encrypt certificate for the domain, and the client key is the same as in this link. Mosquitto was passing the CA chain and verifying the Let's Encrypt SSL certificate first, but it failed.
  • I guess the root ca.cert.pem did not contain all the data that was needed, so I used the intermediate ca-chain.cert.pem instead.
  • mosquitto needs the --unsecure flag (this does not matter if I use a paid SSL certificate, as in this example:
  • A similar issue, but I am not sure how the solution applies
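Added example (not code from the question, the answer, or nginx itself): a shell check that reproduces the "unknown ca" condition offline with a constructed root / intermediate / client PKI, assuming only the openssl CLI is installed, and shows why a root-only trust file such as ca.cert.pem fails while the ca-chain.cert.pem from the answer works.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes only the
# openssl CLI; every certificate below is generated locally for the demo.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Constructed three-tier PKI, shaped like a Let's Encrypt chain:
# root CA -> intermediate CA -> client certificate.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
    -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mqtt-client-1" \
    -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 1 -out client.crt 2>/dev/null

# The answer's ca-chain.cert.pem: intermediate and root concatenated.
cat inter.crt root.crt > ca-chain.crt

# verify_client_cert CAFILE CERT -> prints "ok" or "unknown-ca".
# nginx loads ssl_client_certificate as its trust store and must build a path
# from the presented client certificate up to a certificate in that file;
# openssl verify performs the same path validation offline.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

# Root only, like the root ca.cert.pem that failed in the answer:
echo "root-only trust file:  $(verify_client_cert root.crt client.crt)"
# Root plus intermediate, like ca-chain.cert.pem:
echo "full-chain trust file: $(verify_client_cert ca-chain.crt client.crt)"
```

Running the same `openssl verify -CAfile` against the real ssl_client_certificate file and a real client certificate before turning on ssl_verify_client catches a missing intermediate without a debug-level nginx log.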