Having trouble setting up an HTTPS server in Express

I am trying to set up my express app to work with https. This is what I have so far:

var fs = require('fs');
var http = require('http');
var https = require('https');
var app = require('./app');
var port = process.env.PORT || 8080;

// Private key, leaf certificate and the intermediate certificates the server presents.
// (On current Node versions the intermediates are appended to `cert`; the server-side
// `ca` option there configures client-certificate trust instead.)
var credentials = {
    key: fs.readFileSync('./ssl/private_key.pem', 'utf8'),
    cert: fs.readFileSync('./ssl/certificate.pem', 'utf8'),
    ca: [
        fs.readFileSync('./ssl/certificate_chain_1.pem', 'utf8'),
        fs.readFileSync('./ssl/certificate_chain_2.pem', 'utf8')
    ]
};

// https.createServer takes (options, requestListener); a third argument is ignored,
// so the Express app handles every request (which is where the 404 below comes from).
https.createServer(credentials, app).listen(port, function () {
    console.log('HTTPS server started on port ' + port + '...');
});

When I run curl -k -v -I https://127.0.0.1:8080, I get this:

* Rebuilt URL to: https://127.0.0.1:8080/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: *.hiwarren.com
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:8080
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 14
Content-Length: 14
< Date: Wed, 15 Apr 2015 19:32:28 GMT
Date: Wed, 15 Apr 2015 19:32:28 GMT
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host 127.0.0.1 left intact

And when I run OpenSSL s_client -connect 127.0.0.1:8080/

I get this error:

MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 957E02E1D64D1F1E0ADBF4369057DD56B5FBE5A66269686DD590DF4D3B9A3D8C
    Session-ID-ctx:
    Master-Key: 0B531BBFE5AA8AACEFC99749CD696926956419FFD61F7CCAF6E94C7574F6ECCEA31098D236E51F800F690D508E700444
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 25 2c fa ce af 2d f9 6e-8e fd 7e 9c f4 e6 c8 2b   %,...-.n..~....+
    0010 - 10 b6 f9 08 28 23 6f ec-98 0d c9 1d dd 78 34 25   ....(#o......x4%
    0020 - ab 21 55 37 02 42 a8 6c-84 9f 31 c0 60 ed 77 ae   .!U7.B.l..1.`.w.
    0030 - ab ea 4f 84 07 e7 d0 29-24 41 35 0f d7 01 09 21   ..O....)$A5....!
    0040 - a2 0f 1c 10 ab e4 47 67-f0 0d b0 f2 32 8d 3e f0   ......Gg....2.>.
    0050 - 10 30 35 82 48 df 09 ac-7c 12 98 11 99 7f 97 5b   .05.H...|......[
    0060 - d2 ef 47 69 4c 86 8b 2f-48 ff 62 58 08 7b 6c 7b   ..GiL../H.bX.{l{
    0070 - c2 f5 c5 1d 52 13 ad c4-95 d8 54 f8 a5 d2 5c 94   ....R.....T...\.
    0080 - c0 f3 c1 40 c1 44 5e b0-37 fa 3b 68 73 a7 ca 4f   ...@.D^.7.;hs..O
    0090 - ac d9 99 12 62 72 10 48-f1 9a 56 eb e6 89 d8 d4   ....br.H..V.....

    Start Time: 1429126474
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

I am able to solve error 20 when I run the same command with the root_certificate, like this: OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem.

So, this is my new output:

MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.hiwarren.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: CFD47EDA05B183790D25B32295550DB4DF74C483F3B1FEACD76C39548254FD9C
    Session-ID-ctx:
    Master-Key: DE16062EE238F854A4578F2E0F8FBE6874AF8550086E61C1D50EF3FBDB04F42355A6BD2072B8216B68477516E7F034C5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 25 2c fa ce af 2d f9 6e-8e fd 7e 9c f4 e6 c8 2b   %,...-.n..~....+
    0010 - 16 26 97 0b a6 00 c6 12-d3 9a 91 1c d1 0f a4 d7   .&..............
    0020 - 96 30 88 54 3c e7 42 a1-db 4c 97 e6 68 5c d4 81   .0.T<.B..L..h\..
    0030 - f5 bf 7f 16 59 d2 32 bd-fa c7 9b c4 b5 1f a2 4d   ....Y.2........M
    0040 - 3b fe f9 af ad 29 58 31-c5 2e 2b 31 b1 52 62 9c   ;....)X1..+1.Rb.
    0050 - 1a 34 d0 c5 e4 e7 80 1f-d4 8a a3 0f 6b f4 2b d9   .4..........k.+.
    0060 - 4e 5d c0 8c 11 5a 0d de-00 23 19 0f 01 73 92 32   N]...Z...#...s.2
    0070 - 50 ee 08 56 4b a0 1c 20-c6 d7 9d de 58 b0 d4 70   P..VK.. ....X..p
    0080 - 2f b6 ca 3b 48 d0 bb fe-4c ea 6e 60 31 5d 4f 3d   /..;H...L.n`1]O=
    0090 - a4 6e f8 cd a2 15 1a 0e-36 6d b7 16 72 b9 e4 bf   .n......6m..r...

    Start Time: 1429126610
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So, I think that the client needs to send this root_certificate somehow in order to make it work, but I am not sure how the client can have it and send it.

Has anyone experienced this? What should I do?

curl -k -v -I https://127.0.0.1:8080
...
openssl s_client -connect 127.0.0.1:8080
...
0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
....

CAs no longer issue certificates for IP addresses. And they have not issued certificates for RFC 1918 addresses (like 127.0.0.1) for years.

You need to fix the certificate or fix name resolution. First, fix it by including names like localhost and 127.0.0.1 in the certificate's subjectAlternateName (SAN).

Or second, fix it by making the name used in the certificate resolve to that server. You can do that with the local hosts file or with DNS.


unable to get local issuer certificate

Be sure to set the root certificate. The root certificate is AddTrust External CA Root.

Make sure the server is sending the chain. Here, the chain is all the intermediate certificates less the root. You must already have the root certificate and trust it.

I am not sure exactly what the problem is;

I am able to solve the error 20 when I run the same command using the root_certificate like this: OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem.

So, I think that the client needs to send this root_certificate somehow, in order to make it work, but I am not sure how can the client have it and send it.

Error 20 goes away when the root certificate is supplied. That is because the client can then successfully verify (verify return code 0 (OK)) the server certificate using the supplied CA file.

When you do not supply the root certificate, the client does not know who the server is. It cannot verify the server's credentials. Hence error 20.

The client does not send the root certificate to the server. How does one have it? You should know and carry with you the publicly available trusted CA certificates. (For example, your browser comes pre-installed with a set of well-known CA certificates, so you can connect to any well-known website over HTTPS.)