如何避免在node.js TLS模块中出现SELF_SIGNED_CERT_IN_CHAIN错误?

本文介绍了如何避免在node.js TLS模块中出现SELF_SIGNED_CERT_IN_CHAIN错误?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！

问题描述

我正在尝试使用node.js v0.10.5和einaros/ws(WebSockets)模块创建TLS/SSL连接，但是出现以下错误:

I am trying to create a TLS/SSL connection using node.js v0.10.5 and the einaros/ws (WebSockets) module, but I get the following error:

错误:SELF_SIGNED_CERT_IN_CHAIN

Error: SELF_SIGNED_CERT_IN_CHAIN

我从自己的CA(这是EJBCA服务器，版本:EJBCA 4.0.15(r16671))获得证书，并且在客户端中使用以下代码:

I get my cert from my own CA, which is an EJBCA server, Version : EJBCA 4.0.15 (r16671) and I am using the following code in my client:

define(["ws", "fs"], function (WebSocket, fs) {
"use strict";
return function (jsonRequest) {
    var response,
        error,
        successCallback,
        errorCallback,
        HB_PFX = "server.domain.com.p12",
        HB_CA = "certs/my-ca.pem";

    var secureOptions = {
        passphrase: "the-passphrase",
        pfx: fs.readFileSync(HB_PFX),
        ca : [fs.readFileSync(HB_CA)]
    };

    var sendRequest = function () {
        var client = new WebSocket("wss://server.domain.com:8080/draft", secureOptions);

        client.on("open", function () {
            client.send(jsonRequest);
        });
            client.on("error", function (e) {
            error = e.toString();
            console.log(error);
            if (errorCallback) {
                errorCallback(error);
            }
        });

        client.on("message", function (message) {
            response = message;
            if (successCallback) {
                successCallback(message);
            }
        });

        client.on("close", function (code) {
            console.log("Connection closed with code: " + code);
        });
    };

    return {
        send: function (callback) {
            if (response && !error) {
                callback(response);
            } else {
                successCallback = callback;
            }

            sendRequest();

            return this;
        },
        ifError: function (callback) {
            if (error) {
                callback(response);
            } else {
                errorCallback = callback;
            }

            return this;
        }
    };
};

});

p12存储库(PKCS12)由CA生成，它包括密钥，我的服务器证书和CA证书.

The p12 store (PKCS12) is generated by the CA, and it includes the key, my server certificate, and the CA certificate.

我可以使用浏览器毫无问题地连接到服务器，只是在第一次连接时提示我接受证书.但是，当我尝试与客户建立联系时，总是会遇到该错误.我正在使用服务器的FQDN(而不是IP地址)连接到服务器.

I can connect to the server with a browser with no problems, I just get prompted to accept the certificate on first connection. But when I try to connect with my client, I always get that error. I am connecting to the server using its FQDN, not an IP address.

如果我尝试使用自签名证书(在本地计算机上生成的证书，而不是p12文件使用的证书)，则会收到DEPTH_ZERO_SELF_SIGNED_CERT错误.

If I try to use a self-signed certificate (a cert generated in my local machine and used instead of the p12 file), I get a DEPTH_ZERO_SELF_SIGNED_CERT error.

我正在Mac OS X 10.8.4上运行.

I am running on Mac OS X 10.8.4.

我几乎尝试了所有排列，甚至将密钥和证书从PKCS12文件导出到PEM文件，但是我得到了完全相同的错误.我还将CA证书添加到了我在计算机中可以找到的所有cacert文件中，如下所示:

I have tried almost every permutation, even exporting the key and certificates from the PKCS12 file to PEM files, but I get the exact same error. I have also added the CA certificate to all the cacert files that I could find in my computer, which are the following:

    /Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/MacOS/itms/java/lib/security/cacerts
    /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts
    /Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home/jre/lib/security/cacerts
    /System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts
    /System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
    /System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/cacerts

有人知道如何解决此错误并在节点中创建安全连接吗?

Does anybody know how to solve this error and create secure connections in node?

推荐答案

以下是我作为示例创建的https_server和客户端，看看是否有帮助.

The following is the https_server and client which i created as sample, take a look if this helps you.

https_server.js

var https = require('https');
var fs = require('fs');
var url = require('url');

var options = {
  key: fs.readFileSync('privkey.pem'),
  cert: fs.readFileSync('cacert.pem')
};

https.createServer(options, function (request, response) {

  var url_parts = url.parse(request.url, true);
  var query = url_parts.query;
  console.log("----------------------------------");
  console.log(request.method + "  method" + " and " + " timeout is "+  query.timeout);
  setTimeout(function () {
  console.log(" Executing setTimeout Function ");
    if(request.method=='POST') {
        console.log(" Inside post " );
        var body='';
        request.on('data', function (data) {
            body +=data;
        });
        response.setHeader("keyPOST","ValuePair");
        response.writeHead(200, {"Content-Type": "text/html"});
        response.write("<b>Hello World</b>");
        response.end();
        request.on('end',function(){
          var POST =  qs.parse(body);
          console.log("on request end " +POST);
          console.log("----------------------------------");
        });

    }
    else if(request.method=='GET') {
         console.log(" Inside get" );
         console.log("Query sent to the server is :" +query.name);
         response.setHeader("keyGET","ValuePair");
         response.writeHead(200, {"Content-Type": "text/html"});
         response.write("<b>Hello User, Response sent at "+query.timeout+" milli seconds from server</b>");
         response.end();
         request.on('end',function(){
            console.log("on request end");
            console.log("----------------------------------");
        });
    }

}, query.timeout);
}).listen(8000, "127.0.0.1",function() {
    console.log(' Server has been started at '+(new Date()) +' and running in https://127.0.0.1:8000/');
});

https_client.js:

var https = require("https");
var fs = require("fs");
var querystring = require('querystring');
var data = querystring.stringify({
      name: "Arun",
      timeout:5000
    });

var options = {
  hostname: '127.0.0.1',
  port: 8000,
  path: '/saveText?name=Arun&timeout=5000',
  method: 'GET',
  key: fs.readFileSync('privkey.pem'),
  cert: fs.readFileSync('cacert.pem'),
  agent: false,
  rejectUnauthorized: false
};


var req = https.request(options, function(res) {
  console.log('STATUS: ' + res.statusCode);
  console.log('HEADERS: ' + JSON.stringify(res.headers));
  res.setEncoding('utf8');
  res.on('data', function (chunk) {
    console.log('BODY: ' + chunk);
  });
});

req.on('error', function(e) {
  console.log('problem with request: ' + e.message);
});
// write data to request body
//req.write(data);
req.end();

使用openssl创建privkey.pem和cacert.pem:

create privkey.pem and cacert.pem using openssl :

1) command to create privkey.pem is : openssl genrsa  -out privkey.pem 2048
2) command to create cacert.pem is  : openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
 (or) if the second command shows unable to locate openssl.cnf error use -config {openssl.cnf file path} option along with second command.

这篇关于如何避免在node.js TLS模块中出现SELF_SIGNED_CERT_IN_CHAIN错误?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！