我正在牛仔网络服务器上使用氮气网络框架开发一个应用程序。当我通过http运行服务器时,它运行得非常好。现在在生产中,应用程序必须在https上运行。
我已经从默认修改了氮气etc目录中的bown.config文件
% vim: ts=4 sw=4 et ft=erlang
[
{cowboy,[
{bind_address,"127.0.0.1"},
{port,80},
{server_name,nitrogen},
{document_root,"./site/static"},
%% some comments.........
{static_paths, ["/js/","/images/","/css/","/nitrogen/","/favicon.ico"]}
]}
].
到这个
% vim: ts=4 sw=4 et ft=erlang
[
{cowboy,[
{bind_address,"127.0.0.1"},
{port,443},
{server_name,nitrogen},
{cacertfile, "Path/cacert.pem"},
{certfile, "Path/webservercert.pem"},
{keyfile, "Path/webserverkey.pem"},
{password, "webserverkeypassphrase"}
{document_root,"./site/static"},
%% some comments.........
{static_paths, ["/js/","/images/","/css/","/nitrogen/","/favicon.ico"]}
]}
].
其中Path是我自己使用openSSL生成并签名的SSL证书的绝对路径。我将我的网站名称命名为domainname.com,但我首先根据openSSl文档创建了一个CA
我还从默认修改了nitrogen_sup.erl文件中的Supervisor回调
%% ===================================================================
%% Supervisor callbacks
%% ===================================================================
init([]) ->
%% Start the Process Registry...
application:start(crypto),
application:start(nprocreg),
application:start(ranch),
%% Start Cowboy...
application:start(cowboy),
{ok, BindAddress} = application:get_env(cowboy, bind_address),
{ok, Port} = application:get_env(cowboy, port),
{ok, ServerName} = application:get_env(cowboy, server_name),
{ok, DocRoot} = application:get_env(cowboy, document_root),
{ok, StaticPaths} = application:get_env(cowboy, static_paths),
io:format("Starting Cowboy Server (~s) on ~s:~p, root: '~s'~n",
[ServerName, BindAddress, Port, DocRoot]),
Dispatch = init_dispatch(DocRoot, StaticPaths),
{ok, _} = cowboy:start_http(http, 100,
[
{port, Port}
], [
{env, [{dispatch, Dispatch}]},
{max_keepalive, 50}
]),
{ok, { {one_for_one, 5, 10}, []} }.
到下面的这个
%% ===================================================================
%% Supervisor callbacks
%% ===================================================================
init([]) ->
%% Start the Process Registry...
application:start(crypto),
application:start(nprocreg),
application:start(ranch),
%% Start Cowboy...
application:start(cowboy),
{ok, BindAddress} = application:get_env(cowboy, bind_address),
{ok, Port} = application:get_env(cowboy, port),
{ok, ServerName} = application:get_env(cowboy, server_name),
{ok, DocRoot} = application:get_env(cowboy, document_root),
{ok, StaticPaths} = application:get_env(cowboy, static_paths),
{ok, CAcertfile} = application:get_env(cowboy, cacertfile),
{ok, Certfile} = application:get_env(cowboy, certfile),
{ok, Keyfile} = application:get_env(cowboy, keyfile),
{ok, Password} = application:get_env(cowboy, password),
io:format("Starting Cowboy Server (~s) on ~s:~p, root: '~s'~n",
[ServerName, BindAddress, Port, DocRoot]),
Dispatch = init_dispatch(DocRoot, StaticPaths),
{ok, _} = cowboy:start_https(https, 100,
[
{port, Port},
{cacertfile, CAcertfile},
{certfile, Certfile},
{keyfile, Keyfile},
{password, Password}
], [
{env, [{dispatch, Dispatch}]},
{max_keepalive, 50}
]),
{ok, { {one_for_one, 5, 10}, []} }.
使用sync:go()编译并重新加载该文件。然而,我关闭了氮气并重新启动。
在shell中,我使用curl实用程序来测试服务器是否正在侦听
$ curl --cacert Absolute_path/cacert.pem -i https://domainname.com
当索引页面上的内容显示在外壳中时,响应被放置
然而,当我进入Firefox浏览器时,它会发出安全警告,我承认这是一个安全警告,除非我知道它的原因,我会永久添加到异常中。当我再次尝试获取页面时,浏览器会抛出此错误。
Secure Connection Failed
The key does not support the requested operation.
(Error code: sec_error_invalid_key)
.The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
.Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
当我在氮气控制台检查时,如果发现这个错误报告
(nitrogen@127.0.0.1)4> user@user:~/nitrogen/rel/nitrogen$
user@user:~/nitrogen/rel/nitrogen$ sudo ./bin/nitrogen console
Exec: /home/user/nitrogen/rel/nitrogen/erts-5.10.4/bin/erlexec -boot /home/user/nitrogen/rel/nitrogen/releases/2.2.2/nitrogen -mode interactive -config /home/user/nitrogen/rel/nitrogen/etc/app.config -config /home/user/nitrogen/rel/nitrogen/etc/cowboy.config -config /home/user/nitrogen/rel/nitrogen/etc/sync.config -args_file /home/dotshule/nitrogen/rel/nitrogen/etc/vm.args -- console
Root: /home/dotshule/nitrogen/rel/nitrogen
Erlang R16B03 (erts-5.10.4) [source] [smp:2:2] [async-threads:5] [hipe] [kernel-poll:true]
Eshell V5.10.4 (abort with ^G)
(nitrogen@127.0.0.1)1> Starting Cowboy Server (nitrogen) on 127.0.0.1:443, root: './site/static'
=ERROR REPORT==== 20-Feb-2014::14:51:12 ===
SSL: certify: tls_connection.erl:375:Fatal error: unknown ca
现在我不明白的是,是服务器拒绝了我的证书,还是我跳过了一个步骤,或者一两个步骤出了问题,或者问题出在我自己创建的CA(根证书cacert.pem)上,还是问题出在openSSL上!
我现在开始怀疑,如果我生成CSR并将其发送到受信任的CA,如symantec、digcert、thawte、geotrust等。。等等,所得到的证书也可能无法工作。
我需要你的帮助,请在这个https的氮牛仔网络服务器问题。感谢你迄今为止的帮助。。。。
我不知道牛仔为什么会抛出那个特定的错误(tls_connection.erl实际上是Erlang的一部分,而不是cowboy或Nitrogen)。
也就是说,当谈到使用氮气运行SSL时,我通常只建议用户在氮气前面使用nginx作为反向代理,并且在氮气站点上有nginx配置示例http://nitrogenproject.com/doc/config.html(向下滚动到仅限SSL的示例)。
我意识到这并不完全理想,所以我想看看nginx或apache是否能够成功地使用相同的密钥/证书组合为示例页面提供服务。显然,"未知ca"错误表示Erlang不喜欢它是一个自签名证书。因此,您可以尝试使用您可能拥有的其他签名证书/密钥,或者在StartSSL.com上免费生成一个真正的证书/密钥。
同样,这些都不是可靠的答案,但它们应该有助于为你指明一些方向,帮助你解决问题。
就我个人而言,我在nginx后面运行所有的Nitrogen实例,并让nginx处理SSL和负载平衡。
我的方法确实有效,我已经使用SYMANTEC和VERISIGN SSL证书成功测试了它,它可能是在Cowboy web服务器上安装SSL证书的正式方式。