OpenSSL verify: "error 20 at 0 depth lookup: unable to get local issuer certificate" between different OpenSSL versions



I am running into a strange verification error with a certificate chain generated on OpenSSL 1.1.1 (Ubuntu 18.04) versus OpenSSL 1.1.1f (Ubuntu 20.04).

Here is my test environment (two Docker images):

  • docker run -it ubuntu:18.04 /bin/bash
  • docker run -it ubuntu:20.04 /bin/bash

The scenario involves generating a self-signed root CA and then issuing one or more certificates from it. On the Ubuntu 18.04 instance the result looks fine:

root@temp-ubuntu-0:/tmp/cert# openssl version
OpenSSL 1.1.1  11 Sep 2018
root@temp-ubuntu-0:/tmp/cert# openssl verify -CAfile root.cer client.cer
client.cer: OK

On Ubuntu 20.04, the error "error 20 at 0 depth lookup: unable to get local issuer certificate" occurs:

root@temp-ubuntu-20-0:/tmp/cert# openssl version
OpenSSL 1.1.1f  31 Mar 2020
root@temp-ubuntu-20-0:/tmp/cert# openssl verify -CAfile root-ca.cer client.cer
C = CA, ST = State, L = City, OU = POC, CN = client
error 20 at 0 depth lookup: unable to get local issuer certificate
error client.cer: verification failed
# Observed the same behaviour with OpenSSL 1.1.1g and 1.1.1i (from NGINX Docker images)

The steps are as follows:

mkdir -p /tmp/cert
cd /tmp/cert
# Create a ".rnd" file to avoid warnings
openssl rand -writerand ~/.rnd
# Create the root CA private key and certificate
openssl req \
-new \
-x509 \
-nodes \
-sha256 \
-newkey rsa:4096 \
-keyout root-ca.key \
-out root-ca.cer \
-days 3650 \
-subj '/C=CA/ST=State/L=City/OU=POC/OU=Certificate Authorities/CN=POC Root CA' \
-addext "basicConstraints = CA:TRUE" \
-addext "subjectKeyIdentifier = hash" \
-addext "authorityKeyIdentifier = keyid:always, issuer:always" \
-addext "subjectAltName = DNS:POC Root CA" \
-addext "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly"
# Create the CSR and private key
openssl req \
-new \
-nodes \
-sha256 \
-newkey rsa:4096 \
-keyout server.key \
-out server.csr \
-subj "/C=CA/ST=State/L=City/OU=POC/CN=server"
# Confirm the contents of the CSR
openssl req -in server.csr -text -noout
# Create the .conf file
cat > /tmp/cert/server_openssl.conf << EOF
[ v3_attributes ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:server
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
extendedKeyUsage = serverAuth
EOF
# Create the certificate
openssl x509 \
-req \
-sha256 \
-CA root-ca.cer \
-CAkey root-ca.key \
-in server.csr \
-out server.cer \
-days 3650 \
-set_serial `date +%Y%m%d%H%M%S%N` \
-extfile /tmp/cert/server_openssl.conf \
-extensions v3_attributes
# Confirm the contents of the new certificate
openssl x509 -in server.cer -text -noout
# Create the CSR and private key
openssl req \
-new \
-nodes \
-sha256 \
-newkey rsa:4096 \
-keyout client.key \
-out client.csr \
-subj "/C=CA/ST=State/L=City/OU=POC/CN=client"
# Confirm the contents of the CSR
openssl req -in client.csr -text -noout
# Create the .conf file
cat > /tmp/cert/client_openssl.conf << EOF
[ v3_attributes ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:client
keyUsage         = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
extendedKeyUsage = clientAuth
EOF
# Create the certificate
openssl x509 \
-req \
-sha256 \
-CA root-ca.cer \
-CAkey root-ca.key \
-in client.csr \
-out client.cer \
-days 3650 \
-set_serial `date +%Y%m%d%H%M%S%N` \
-extfile /tmp/cert/client_openssl.conf \
-extensions v3_attributes
# Confirm the contents of the new certificate
openssl x509 -in client.cer -text -noout

The same problem occurs with server.cer.

The end goal is to configure mTLS on NGINX. The server-side TLS part seems to work fine, but client certificate authentication is running into unresolved problems, which is what led to discovering this. Hopefully this is not a red herring.

Any insight into this behaviour is greatly appreciated!

Thanks!

It seems to work if the root CA creation is split into openssl req / openssl x509 commands instead of a single openssl req command for the root CA. Feels like a defect, but it works. Tested on Ubuntu 20.04 with OpenSSL 1.1.1f.

Here is the new set of commands:

# Create the root CA CSR and private key
openssl req \
-new \
-nodes \
-sha256 \
-newkey rsa:4096 \
-keyout root.key \
-out root.csr \
-subj "/C=CA/ST=State/L=City/OU=POC/OU=Certificate Authorities/CN=POC Root CA"
# Create the root CA .conf file
cat > /tmp/cert/root_openssl.conf << EOF
[ v3_attributes ]
basicConstraints     = CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly
EOF
# Create the root CA certificate
openssl x509 \
-req \
-sha256 \
-signkey root.key \
-in root.csr \
-out root.cer \
-days 3650 \
-set_serial `date +%Y%m%d%H%M%S%N` \
-extfile /tmp/cert/root_openssl.conf \
-extensions v3_attributes
# Use the AKS namespace name for the server certificate
export SERVER_NAME=echo-namespace-1
# Create the server CSR and private key
openssl req \
-new \
-nodes \
-sha256 \
-newkey rsa:4096 \
-keyout server.key \
-out server.csr \
-subj "/C=CA/ST=State/L=City/OU=POC/CN=server"
# Confirm the contents of the server CSR
openssl req -in server.csr -text -noout
# Create the server .conf file
cat > /tmp/cert/server_openssl.conf << EOF
[ v3_attributes ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:server
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
# Create the server certificate
openssl x509 \
-req \
-sha256 \
-CA root.cer \
-CAkey root.key \
-in server.csr \
-out server.cer \
-days 3650 \
-set_serial `date +%Y%m%d%H%M%S%N` \
-extfile /tmp/cert/server_openssl.conf \
-extensions v3_attributes
# Confirm the contents of the new server certificate
openssl x509 -in server.cer -text -noout
# Verify the new server certificate against the root CA
openssl verify -CAfile root.cer server.cer
# Create the client CSR and private key
openssl req \
-new \
-nodes \
-sha256 \
-newkey rsa:4096 \
-keyout client.key \
-out client.csr \
-subj "/C=CA/ST=State/L=City/OU=POC/CN=client"
# Confirm the contents of the client CSR
openssl req -in client.csr -text -noout
# Create the client .conf file
cat > /tmp/cert/client_openssl.conf << EOF
[ v3_attributes ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:client
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
EOF
# Create the client certificate
openssl x509 \
-req \
-sha256 \
-CA root.cer \
-CAkey root.key \
-in client.csr \
-out client.cer \
-days 3650 \
-set_serial `date +%Y%m%d%H%M%S%N` \
-extfile /tmp/cert/client_openssl.conf \
-extensions v3_attributes
# Confirm the contents of the new client certificate
openssl x509 -in client.cer -text -noout
# Verify the new client certificate against the root CA
openssl verify -CAfile root.cer client.cer

Thanks all!
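The script below is an added example; it is not part of the question or the answer above. It serves both: it builds a throwaway root CA the split way the answer settles on (`openssl req`, then `openssl x509 -req -signkey`), issues a client certificate from it, and then reports each condition OpenSSL tests when it pairs a leaf with a candidate issuer before `openssl verify` can say anything other than error 20: the leaf's issuer DN must equal the CA's subject DN, a leaf AKID (if present) must match the CA's SKID, the CA must carry basicConstraints CA:TRUE and, if it has keyUsage at all, keyCertSign. It also counts how many times the CA carries each of the usual extensions, because a root produced by a single `openssl req -x509` receives the `x509_extensions` section of the stock openssl.cnf (`v3_ca` on Ubuntu) on top of anything given with `-addext`, which is a place to look when a one-step root fails to verify. File names, DNs, the 2048-bit key size and the random serial numbers are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Builds a throwaway root CA
# and leaf the "split" way (openssl req, then openssl x509 -req) and runs the
# checks OpenSSL makes when pairing a leaf with its issuer: issuer DN == CA
# subject DN, leaf AKID == CA SKID, CA:TRUE, keyCertSign, no duplicated
# extensions. File names, DNs and the 2048-bit key size are demo assumptions.
set -u

dn() {            # $1 = cert, $2 = subject|issuer -> DN in RFC 2253 form
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Hex key identifier printed under an extension heading by `openssl x509 -text`;
# 1.1.1 prefixes the AKID value with "keyid:", 3.x does not, so only the hex
# octets are kept.
ext_keyid() {     # $1 = cert, $2 = Subject|Authority
    openssl x509 -in "$1" -noout -text \
      | awk -v hdr="X509v3 $2 Key Identifier" 'index($0, hdr) { getline; print; exit }' \
      | grep -oE '([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}'
}

ext_count() {     # $1 = cert, $2 = extension heading; a sane cert has each at most once
    openssl x509 -in "$1" -noout -text | grep -c "$2"
}

# Explain why `openssl verify -CAfile CA LEAF` accepts or rejects CA as the
# issuer of LEAF. Returns 0 only when verification actually succeeds.
diagnose_issuer() {   # $1 = leaf cert, $2 = CA cert
    local leaf=$1 ca=$2 rc=0 li cs la cs_id h
    li=$(dn "$leaf" issuer); cs=$(dn "$ca" subject)
    [ "$li" = "$cs" ] || { echo "issuer DN mismatch: leaf issuer '$li' vs CA subject '$cs'"; rc=1; }
    la=$(ext_keyid "$leaf" Authority || true); cs_id=$(ext_keyid "$ca" Subject || true)
    if [ -n "$la" ] && [ "$la" != "$cs_id" ]; then
        echo "AKID/SKID mismatch: leaf AKID $la vs CA SKID ${cs_id:-<none>}"; rc=1
    fi
    openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE' \
        || { echo "CA cert lacks basicConstraints CA:TRUE"; rc=1; }
    if openssl x509 -in "$ca" -noout -text | grep -q 'X509v3 Key Usage'; then
        openssl x509 -in "$ca" -noout -text | grep -q 'Certificate Sign' \
            || { echo "CA keyUsage is present but lacks keyCertSign"; rc=1; }
    fi
    for h in 'Basic Constraints' 'Subject Key Identifier' 'Authority Key Identifier'; do
        [ "$(ext_count "$ca" "$h")" -le 1 ] || { echo "CA cert carries '$h' more than once"; rc=1; }
    done
    openssl verify -CAfile "$ca" "$leaf" || rc=1
    return $rc
}

# Self-signed CA built in two steps so that only the extensions listed in
# $dir/$name.ext end up in the certificate (no x509_extensions from openssl.cnf).
make_demo_ca() {      # $1 = dir, $2 = file prefix, $3 = CN
    local dir=$1 name=$2 cn=$3
    cat > "$dir/$name.ext" <<'EOF'
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
subjectKeyIdentifier = hash
keyUsage             = critical, keyCertSign, cRLSign
EOF
    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/C=CA/O=POC/CN=$cn" &&
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -set_serial "0x$(openssl rand -hex 16)" -extfile "$dir/$name.ext" -extensions v3_ca \
        -out "$dir/$name.cer"
}

# End-entity certificate issued by a CA from make_demo_ca; keyUsage is limited
# to what a TLS client needs and the AKID points at the CA's SKID.
make_demo_leaf() {    # $1 = dir, $2 = file prefix, $3 = CA prefix, $4 = CN
    local dir=$1 name=$2 ca=$3 cn=$4
    cat > "$dir/$name.ext" <<EOF
[ v3_leaf ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$cn
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = clientAuth
EOF
    openssl req -new -nodes -sha256 -newkey rsa:2048 -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/C=CA/O=POC/CN=$cn" &&
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/$ca.cer" -CAkey "$dir/$ca.key" \
        -set_serial "0x$(openssl rand -hex 16)" -extfile "$dir/$name.ext" -extensions v3_leaf \
        -out "$dir/$name.cer"
}

demo() {
    local d; d=$(mktemp -d)
    make_demo_ca "$d" root 'POC Root CA' && make_demo_ca "$d" other 'Other Root CA' \
        && make_demo_leaf "$d" client root client || return 1
    echo "== client.cer against its real issuer =="; diagnose_issuer "$d/client.cer" "$d/root.cer"
    echo "== client.cer against an unrelated CA =="; diagnose_issuer "$d/client.cer" "$d/other.cer"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Save the block and run it with `demo` as its first argument: the first report shows every check passing and `openssl verify` printing OK, the second shows the issuer DN mismatch and the resulting verification failure against an unrelated CA. To look at the certificates from the question instead, source the file and call `diagnose_issuer client.cer root-ca.cer`; whichever line it prints first is the condition that stopped OpenSSL from treating root-ca.cer as the issuer.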
