gpt4 book ai didi

powershell - 由 New-SelfSignedCertificateEx 生成的自签名 SSL 证书在 Ubuntu 中不受信任

转载 作者:行者123 更新时间:2023-12-04 18:49:46 25 4
gpt4 key购买 nike

我在这个 link 中使用了这个工具为 Windows 网络服务器生成自签名证书。

生成证书的命令如下

New-SelfSignedCertificateEx -Subject "CN=192.168.56.111" -SAN "192.168.56.111" -IsCA $true -EKU "Server Authentication", "Client Authentication" -KeyLength 2048  -KeySpec "Signature" -KeyUsage "DigitalSignature" -FriendlyName "192.168.56.111" -NotAfter $([datetime]::now.AddYears(5)) -StoreLocation "LocalMachine" -Exportable

使用 IIS 安装证书并将证书添加到 Windows 10 客户端中受信任的根 CA 存储后,我能够浏览网站而没有证书错误。

但是,当我尝试通过将证书安装到 CA 证书存储并使用 cURL 测试在 ubuntu 18.04 客户端中执行相同操作时,它不起作用

将证书安装到 Ubuntu ca-certificates
openssl s_client -connect 192.168.56.111:443 -showcerts > out.txt
#then use vim to edit out.txt and save the cert to 192.168.56.111.crt

sudo cp 192.168.56.111.crt /usr/local/share/ca-certificates
sudo update-ca-certificates

使用 cURL 测试连接
curl https://192.168.56.111

并收到错误消息
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

将证书添加到 Chrome 证书商店时,Chrome 显示 NET::ERR_CERT_INVALID

所以我的问题是,为什么它可以在 Windows 客户端而不是 Ubuntu 18.04 中工作?我看不到任何错误表明 Ubuntu 中的证书有什么问题,所以我现在被卡住了。

最佳答案

您的 openssl 命令不正确:

jonathan.muller@jonathan-muller-C02ZC4EPLVDQ$ openssl s_client -connect drylm.org:443 -showcerts
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = blog.drylm.org
verify return:1
---
Certificate chain
0 s:/CN=blog.drylm.org
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIFUzCCBDugAwIBAgISA0xYp5ZHU+NGF1EW/RcUuV0fMA0GCSqGSIb3DQEBCwUA
...

你的输出中有很多噪音。
以下是提取证书的方法:
echo | openssl s_client -connect 192.168.56.111:443 2>/dev/null | openssl x509 > 192.168.56.111.pem

您可以将此 pem 文件复制到信任库。

编辑 :

我刚刚通过在此 website 上创建自签名证书来进行练习

在我的外壳中:
john@kona$ curl https://test.drylm.org
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

然后
john@kona$ echo | openssl s_client -connect test.drylm.org:443 2>/dev/null | openssl x509 > test.drylm.org.crt
sudo cp test.drylm.org.crt /usr/local/share/ca-certificates/
john@kona$ sudo update-ca-certificates 
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:test.drylm.org.pem
done.
done.

最后:
john@kona$ curl https://test.drylm.org
Path : ~


curl 不再有错误消息。

关于powershell - 由 New-SelfSignedCertificateEx 生成的自签名 SSL 证书在 Ubuntu 中不受信任,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62165946/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com