Node.js: Trouble setting up an HTTPS server in Express

Tags: node.js, express, https, openssl, certificate

I'm trying to set up my express application to use https. So far this is what I have:

// The asker's server setup (comments added).
var fs = require('fs');
var http = require('http');    // unused here: only the HTTPS server is started
var https = require('https');
var app = require('./app');    // the Express application
var port = process.env.PORT || 8080;

var credentials = {
    key: fs.readFileSync('./ssl/private_key.pem', 'utf8'),
    cert: fs.readFileSync('./ssl/certificate.pem', 'utf8'),
    // Intermediate certificates. Node's tls docs expect intermediates to be
    // appended to `cert` after the server certificate; `ca` is the trust
    // store used for verifying peers.
    ca: [
        fs.readFileSync('./ssl/certificate_chain_1.pem', 'utf8'),
        fs.readFileSync('./ssl/certificate_chain_2.pem', 'utf8')
    ]
};
// https.createServer(options, requestListener) takes a single listener; the
// extra callback originally passed as a third argument is ignored by Node,
// so the startup message is moved into the listen() callback instead.
https.createServer(credentials, app).listen(port, function () {
    console.log('HTTPS server started on port ' + port + '...');
});
When I run curl -k -v -I https://127.0.0.1:8080, I get:

* Rebuilt URL to: https://127.0.0.1:8080/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: *.hiwarren.com
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:8080
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 14
Content-Length: 14
< Date: Wed, 15 Apr 2015 19:32:28 GMT
Date: Wed, 15 Apr 2015 19:32:28 GMT
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host 127.0.0.1 left intact
When I run the same command with the root_certificate, I'm able to solve error 20, like so:
openssl s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem

Here is my new output:

MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.hiwarren.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: CFD47EDA05B183790D25B32295550DB4DF74C483F3B1FEACD76C39548254FD9C
    Session-ID-ctx:
    Master-Key: DE16062EE238F854A4578F2E0F8FBE6874AF8550086E61C1D50EF3FBDB04F42355A6BD2072B8216B68477516E7F034C5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 25 2c fa ce af 2d f9 6e-8e fd 7e 9c f4 e6 c8 2b   %,...-.n..~....+
    0010 - 16 26 97 0b a6 00 c6 12-d3 9a 91 1c d1 0f a4 d7   .&..............
    0020 - 96 30 88 54 3c e7 42 a1-db 4c 97 e6 68 5c d4 81   .0.T<.B..L..h\..
    0030 - f5 bf 7f 16 59 d2 32 bd-fa c7 9b c4 b5 1f a2 4d   ....Y.2........M
    0040 - 3b fe f9 af ad 29 58 31-c5 2e 2b 31 b1 52 62 9c   ;....)X1..+1.Rb.
    0050 - 1a 34 d0 c5 e4 e7 80 1f-d4 8a a3 0f 6b f4 2b d9   .4..........k.+.
    0060 - 4e 5d c0 8c 11 5a 0d de-00 23 19 0f 01 73 92 32   N]...Z...#...s.2
    0070 - 50 ee 08 56 4b a0 1c 20-c6 d7 9d de 58 b0 d4 70   P..VK.. ....X..p
    0080 - 2f b6 ca 3b 48 d0 bb fe-4c ea 6e 60 31 5d 4f 3d   /..;H...L.n`1]O=
    0090 - a4 6e f8 cd a2 15 1a 0e-36 6d b7 16 72 b9 e4 bf   .n......6m..r...

    Start Time: 1429126610
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
CAs no longer issue certificates for IP addresses. And they have not issued them for years for addresses like 127.0.0.1.

You need to either fix the certificate or fix name resolution. First, fix it by including names like localhost and 127.0.0.1 in the certificate's Subject Alternative Name (SAN).

Second, fix it by accessing the server with a name that is used in the certificate. You can do that with a local hosts file or with DNS.

unable to get local issuer certificate

Make sure you have the root certificate set. The root certificate is AddTrust External CA Root.

Make sure the chain is sent along with the server certificate. Here, the chain is all the intermediate certificates minus the root. You must already have the root certificate and trust it.

I'm not sure what the exact problem is.

When I run the same command with the root_certificate, I'm able to solve error 20, like so: openssl s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem

So I think the client needs to send this root_certificate somehow to make it work, but I'm not sure how the client would have it and send it.

When you supply the root certificate, error 20 goes away. That's because the client can successfully verify (Verify return code: 0 (ok)) the server certificate using the supplied CAfile.

When you don't supply the root certificate, the client knows nothing about who the server is. The server's credentials cannot be verified. Hence error 20.

The client does not send the root certificate to the server. How does one have it? You are expected to know, and have available, the publicly trusted CA certificates. (For example, your browser ships with a set of well-known CA certificates pre-installed. That's why you can connect to any well-known website over HTTPS.)

I tried the same procedure with the deployed version of the application, so 127.0.0.1 is "fixed". And AddTrust External CA Root is the root of the certificate_root.pem that I pass with -CAfile. So now I have two questions from your answer: 1) How do I set the root certificate? 2) How do I make sure the chain is sent along with the server certificate? Thanks for your answer!!

For (1) using cURL, you can set the root with the --cacerts option on the command line or with curl_easy_setopt(curl, CURLOPT_CAPATH, capath). For (1) using OpenSSL, use the -CApath option on the command line or SSL_CTX_load_verify_locations in a program. For (2), you can use OpenSSL's s_client: openssl s_client -connect <host>:<port> -showcerts. showcerts should show the server sending 2 or 3 certificates. The first is the end-entity (server) certificate, and the other one or two are the intermediate certificates.