服务端未启用证书时的接口请求（此时接口通过明文 HTTP 访问，任何中间人都可读取、篡改请求；启用 TLS 之后仍应确认 80 端口已关闭或重定向到 443）
[root@ip-172-31-47-53 ~]# curl -I http://api.iot.com
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 19 Mar 2020 07:53:35 GMT
Content-Type: text/html
Content-Length: 169
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Connection: keep-alive
ETag: "5e718184-a9"
Accept-Ranges: bytes
[root@ip-172-31-47-53 ~]#
[root@ip-172-31-47-53 ~]# curl http://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#
服务端启用证书时的接口请求
服务器配置
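server {
    # HTTPS-only vhost for api.iot.com. This step enables the SERVER
    # certificate only; client certificate verification is added in the
    # next section (the directives are kept here, commented out).
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name api.iot.com;
    root /usr/share/nginx/html;

    # server.crt must contain the leaf certificate FIRST, followed by the
    # intermediate/root chain (that is the order the cat commands below
    # produce). nginx sends the file as-is in the handshake.
    ssl_certificate "/etc/pki/nginx/server.crt";
    # server.key is the passphrase-stripped private key (see `openssl rsa`
    # below): keep it root-owned and mode 0600. Alternatively keep the key
    # encrypted and supply the passphrase via `ssl_password_file`.
    ssl_certificate_key "/etc/pki/nginx/private/server.key";

    # nginx 1.16 defaults to "TLSv1 TLSv1.1 TLSv1.2"; do not rely on the
    # default, restrict to modern protocol versions explicitly.
    # (TLSv1.3 only takes effect when nginx is linked against OpenSSL 1.1.1+.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Session resumption: avoids a full handshake on every device reconnect.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    # Client certificate (mTLS) verification is intentionally disabled in
    # this step; enabled in the next configuration.
    #ssl_client_certificate "/etc/pki/nginx/ca.crt";
    #ssl_verify_client on;
    #ssl_verify_depth 2;

    # The curl output below shows "Server: nginx/1.16.1"; do not advertise
    # the exact version to clients.
    server_tokens off;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    # NOTE(review): error_page points at /404.html but the exact-match
    # location below is /40x.html (inherited from the stock CentOS config);
    # the 404 page is still served through "location /", so it works, but
    # the names look inconsistent — confirm which file actually exists.
    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}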
服务端证书配置（去除私钥口令以解决 nginx 启动时无法读取加密私钥的报错）。注意：`openssl rsa` 输出的 server.key 是明文私钥，必须限制为 root 所有、权限 0600；如果不希望私钥以明文落盘，可保留加密私钥并通过 nginx 的 `ssl_password_file` 指令提供口令。另外 server.crt 的拼接顺序必须是叶子证书在前、CA 链在后（下面两条 cat 命令正是这个顺序）。
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/api.iot.com.cert.pem > /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem >> /etc/pki/nginx/server.crt
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/api.iot.com.key.pem -out /etc/pki/nginx/private/server.key
Enter pass phrase for ca/intermediate/private/api.iot.com.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#
检查配置
[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]#
重启服务使配置生效（下方实际执行的是 `systemctl restart nginx`，会短暂中断现有连接；仅需应用新配置时可改用 `systemctl reload nginx` 或 `nginx -s reload`）
[root@ip-172-31-47-53 ~]# systemctl restart nginx
客户端发起 HEAD 请求。注意这里使用了 `-k`（输出中的 "skipping SSL peer certificate verification"），即 curl 不校验服务端证书，只能证明 TLS 能协商成功，不能证明证书链正确；真实客户端应改用 `--cacert ca/intermediate/certs/ca-chain.cert.pem` 做完整校验。
[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
* Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
* start date: Mar 19 06:48:39 2020 GMT
* expire date: Mar 19 06:48:39 2021 GMT
* common name: api.iot.com
* issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:21:44 GMT
Date: Thu, 19 Mar 2020 08:21:44 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#
客户端发起GET请求
[root@ip-172-31-47-53 ~]# curl -k https://api.iot.com
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
[root@ip-172-31-47-53 ~]#
启用客户端证书验证
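server {
    # mTLS vhost for api.iot.com: the server presents server.crt and every
    # client must present a certificate that chains to a CA in ca.crt.
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name api.iot.com;
    root /usr/share/nginx/html;

    # Leaf certificate first, then the intermediate/root chain.
    ssl_certificate "/etc/pki/nginx/server.crt";
    # Passphrase-stripped key: root-owned, mode 0600 (or keep it encrypted
    # and use `ssl_password_file`).
    ssl_certificate_key "/etc/pki/nginx/private/server.key";

    # ca.crt is the full ca-chain (intermediate + root). That means ANY
    # certificate issued anywhere under the "YSWM" root is accepted, not only
    # devices signed by "YSWM Intermediate CA". If that is too broad, pin the
    # issuer at the application layer (e.g. check $ssl_client_i_dn) or use
    # $ssl_client_s_dn / $ssl_client_serial to authorize individual devices.
    ssl_client_certificate "/etc/pki/nginx/ca.crt";
    # "on": the TLS handshake still completes, but any request that does not
    # present a certificate is answered with HTTP 400 (see the curl run
    # below). Use "optional" plus a $ssl_client_verify check if some paths
    # must remain reachable without a client certificate.
    ssl_verify_client on;
    # Chain is root -> intermediate -> device leaf, so depth 2 is required
    # (nginx's default of 1 would reject the device certificates).
    ssl_verify_depth 2;
    # No revocation checking is configured here; once device certificates
    # can be revoked, point `ssl_crl` at the intermediate CA's CRL.

    # nginx 1.16 defaults to "TLSv1 TLSv1.1 TLSv1.2"; restrict explicitly.
    # (TLSv1.3 only takes effect with OpenSSL 1.1.1+.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    # Hide the exact nginx version shown in the Server header.
    server_tokens off;

    # Load configuration files for the default server block.
    # NOTE(review): anything included here lives inside this server block
    # and therefore is also protected by ssl_verify_client — verify that no
    # included file overrides it with its own ssl_* directives.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    # NOTE(review): /404.html vs /40x.html mismatch inherited from the stock
    # CentOS config; confirm which file exists.
    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}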
准备客户端验证用的 CA 证书链文件。注意该文件包含中间 CA 和根 CA，因此由该根 CA 体系下任一 CA 签发的证书都会通过验证，而不仅是 "YSWM Intermediate CA" 签发的设备证书；如需收紧，应在应用层校验 `$ssl_client_i_dn`/`$ssl_client_s_dn`，并通过 `ssl_crl` 配置吊销列表，否则丢失或泄露的设备证书在到期前无法被拒绝。
[root@ip-172-31-47-53 ~]# cat ca/intermediate/certs/ca-chain.cert.pem > /etc/pki/nginx/ca.crt
检查配置文件并重启nginx服务
[root@ip-172-31-47-53 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@ip-172-31-47-53 ~]# systemctl restart nginx
不指定客户端证书的 HEAD 请求
说明：`* NSS: client certificate not found (nickname not specified)` 只是 curl/NSS 在客户端打印的提示，并非服务端错误；从下方输出可见 TLS 握手仍然完成（出现 "SSL connection using ..." 行），随后 nginx 在 HTTP 层返回 400 Bad Request —— `ssl_verify_client on` 时，未携带客户端证书的请求是在请求阶段被拒绝的。
[root@ip-172-31-47-53 ~]# curl -k -v -I https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
* Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
* start date: Mar 19 06:48:39 2020 GMT
* expire date: Mar 19 06:48:39 2021 GMT
* common name: api.iot.com
* issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 400 Bad Request
HTTP/1.1 400 Bad Request
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:31:16 GMT
Date: Thu, 19 Mar 2020 08:31:16 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 237
Content-Length: 237
< Connection: close
Connection: close
<
* Closing connection 0
[root@ip-172-31-47-53 ~]#
指定客户端证书的HEAD请求
准备客户端私钥（去除口令）。解密后的 device.key.pem 同样是明文私钥，部署到设备上时必须限制读取权限；该私钥即设备身份，泄露后应通过 CRL 吊销对应证书。
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]#
客户端 HEAD 请求成功（下方再次执行的 `openssl rsa` 解密私钥步骤与上一步重复，可省略；这里同样使用了 `-k`，因此只验证了客户端证书被服务端接受，未验证服务端证书链）
[root@ip-172-31-47-53 ~]# openssl rsa -in ca/intermediate/private/device.key.pem -out device.key.pem
Enter pass phrase for ca/intermediate/private/device.key.pem:
writing RSA key
[root@ip-172-31-47-53 ~]# curl -Ivk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
* Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
* subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
* start date: Mar 19 07:24:28 2020 GMT
* expire date: Sep 15 07:24:28 2020 GMT
* common name: IOTHS0000238
* issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
* start date: Mar 19 06:48:39 2020 GMT
* expire date: Mar 19 06:48:39 2021 GMT
* common name: api.iot.com
* issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.16.1
Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 08:37:24 GMT
Date: Thu, 19 Mar 2020 08:37:24 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 169
Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
Connection: keep-alive
< ETag: "5e718184-a9"
ETag: "5e718184-a9"
< Accept-Ranges: bytes
Accept-Ranges: bytes
<
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#
客户端GET请求成功
[root@ip-172-31-47-53 ~]# curl -vk --cert ./ca/intermediate/certs/device.cert.pem --key ./device.key.pem https://api.iot.com
* About to connect() to api.iot.com port 443 (#0)
* Trying 18.163.8.203...
* Connected to api.iot.com (18.163.8.203) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
* subject: CN=IOTHS0000238,OU=IT,O=MENGNIU,L=Shenzhen,ST=Guangdong,C=CN
* start date: Mar 19 07:24:28 2020 GMT
* expire date: Sep 15 07:24:28 2020 GMT
* common name: IOTHS0000238
* issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=api.iot.com,OU=IT,O=YSWL,L=Shenzhen,ST=Guangdong,C=CN
* start date: Mar 19 06:48:39 2020 GMT
* expire date: Mar 19 06:48:39 2021 GMT
* common name: api.iot.com
* issuer: CN=YSWM Intermediate CA,OU=YSWM Certificate Authority,O=YSWM,ST=Guangdong,C=CN
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: api.iot.com
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.16.1
< Date: Thu, 19 Mar 2020 12:09:49 GMT
< Content-Type: text/html
< Content-Length: 169
< Last-Modified: Wed, 18 Mar 2020 02:03:48 GMT
< Connection: keep-alive
< ETag: "5e718184-a9"
< Accept-Ranges: bytes
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Welcome to CentOS</title>
</head>
<body>
<h1>Welcome to CentOS</h1>
</body>
</html>
* Connection #0 to host api.iot.com left intact
[root@ip-172-31-47-53 ~]#