问题描述
我正在尝试使用node.js v0.10.5和einaros/ws(WebSockets)模块创建TLS/SSL连接,但是出现以下错误:
I am trying to create a TLS/SSL connection using node.js v0.10.5 and the einaros/ws (WebSockets) module, but I get the following error:
错误:SELF_SIGNED_CERT_IN_CHAIN
Error: SELF_SIGNED_CERT_IN_CHAIN
我从自己的CA(这是EJBCA服务器,版本:EJBCA 4.0.15(r16671))获得证书,并且在客户端中使用以下代码:
I get my cert from my own CA, which is an EJBCA server, Version : EJBCA 4.0.15 (r16671) and I am using the following code in my client:
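define(["ws", "fs"], function (WebSocket, fs) {
  "use strict";

  /**
   * Builds a one-shot WebSocket request over TLS (wss://).
   *
   * The returned object exposes a chainable API: `send(callback)` opens the
   * socket, transmits `jsonRequest` once the connection is open and hands the
   * first incoming message to `callback`; `ifError(callback)` registers a
   * handler that receives the error string produced by the socket's "error"
   * event.
   *
   * @param {string} jsonRequest - payload passed verbatim to `client.send`.
   * @returns {{send: function(function): object, ifError: function(function): object}}
   */
  return function (jsonRequest) {
    var HB_PFX = "server.domain.com.p12";
    var HB_CA = "certs/my-ca.pem";
    var response;
    var error;
    var successCallback;
    var errorCallback;

    // TLS options handed to `ws`. Certificate verification is left on (no
    // `rejectUnauthorized: false`): the way to get rid of
    // SELF_SIGNED_CERT_IN_CHAIN is to make the issuing CA trusted via `ca`,
    // not to switch the check off.
    // NOTE(review): per the question, this PFX also carries the server's own
    // private key; a client only needs the CA certificate to verify the
    // server unless the server demands a client certificate — confirm.
    var secureOptions = {
      passphrase: "the-passphrase",
      pfx: fs.readFileSync(HB_PFX),
      ca: [fs.readFileSync(HB_CA)]
    };

    // Opens a fresh socket and wires the four events we care about.
    var sendRequest = function () {
      var client = new WebSocket("wss://server.domain.com:8080/draft", secureOptions);
      client.on("open", function () {
        client.send(jsonRequest);
      });
      client.on("error", function (e) {
        error = e.toString();
        console.log(error);
        if (errorCallback) {
          errorCallback(error);
        }
      });
      client.on("message", function (message) {
        response = message;
        if (successCallback) {
          successCallback(message);
        }
      });
      client.on("close", function (code) {
        console.log("Connection closed with code: " + code);
      });
    };

    return {
      send: function (callback) {
        if (response && !error) {
          callback(response);
        } else {
          successCallback = callback;
        }
        // A new socket is opened on every call, even right after a cached
        // response was delivered; kept as in the original.
        sendRequest();
        return this;
      },
      ifError: function (callback) {
        if (error) {
          // Bug fix: the handler receives the error string, matching what the
          // "error" event passes to `errorCallback`. The original passed
          // `response`, which is undefined after a failure.
          callback(error);
        } else {
          errorCallback = callback;
        }
        return this;
      }
    };
  };
});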
p12 存储(PKCS12)由 CA 生成,其中包含密钥、我的服务器证书和 CA 证书.
The p12 store (PKCS12) is generated by the CA, and it includes the key, my server certificate, and the CA certificate.
我可以使用浏览器毫无问题地连接到服务器,只是在第一次连接时会提示我接受证书.但是,当我尝试用我的客户端连接时,总是会遇到该错误.我是使用服务器的 FQDN(而不是 IP 地址)连接到服务器的.
I can connect to the server with a browser with no problems, I just get prompted to accept the certificate on first connection. But when I try to connect with my client, I always get that error. I am connecting to the server using its FQDN, not an IP address.
如果我尝试使用自签名证书(在本地计算机上生成的证书,而不是p12文件使用的证书),则会收到DEPTH_ZERO_SELF_SIGNED_CERT错误.
If I try to use a self-signed certificate (a cert generated in my local machine and used instead of the p12 file), I get a DEPTH_ZERO_SELF_SIGNED_CERT error.
我正在Mac OS X 10.8.4上运行.
I am running on Mac OS X 10.8.4.
我几乎尝试了所有组合,甚至将密钥和证书从 PKCS12 文件导出为 PEM 文件,但得到的错误完全相同.我还把 CA 证书添加到了我在计算机中能找到的所有 cacerts 文件中,如下所示:
I have tried almost every permutation, even exporting the key and certificates from the PKCS12 file to PEM files, but I get the exact same error. I have also added the CA certificate to all the cacert files that I could find in my computer, which are the following:
/Applications/Xcode.app/Contents/Applications/Application Loader.app/Contents/MacOS/itms/java/lib/security/cacerts
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/cacerts
/Library/Java/JavaVirtualMachines/jdk1.7.0_21.jdk/Contents/Home/jre/lib/security/cacerts
/System/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/cacerts
/System/Library/Java/Support/CoreDeploy.bundle/Contents/Home/lib/security/cacerts
/System/Library/Java/Support/Deploy.bundle/Contents/Home/lib/security/cacerts
有人知道如何解决此错误并在 node 中创建安全连接吗?
Does anybody know how to solve this error and create secure connections in node?
推荐答案
以下是我作为示例创建的https_server和客户端,看看是否有帮助.
The following are an https_server and a client that I created as a sample; take a look to see if they help you.
https_server.js
https_server.js
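var https = require('https');
var fs = require('fs');
var url = require('url');
// `querystring` is what the POST branch needs to parse the body; the
// original called an undefined `qs`, which threw a ReferenceError.
var querystring = require('querystring');

// Sample HTTPS server. Every request is answered after a delay taken from
// the `timeout` query parameter; GET echoes part of the query back as HTML,
// POST collects the body and parses it as a form.
var options = {
  key: fs.readFileSync('privkey.pem'),
  cert: fs.readFileSync('cacert.pem')
};

// Bounds on values taken from the request, so a client-chosen `timeout`
// cannot park a connection indefinitely and a POST body cannot grow
// without limit in memory.
var MAX_DELAY_MS = 60000;
var MAX_BODY_BYTES = 1024 * 1024;

// Escape the HTML-significant characters so a query value reflected into a
// text/html body cannot inject markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Turn the untrusted `timeout` parameter into a usable delay: non-numeric or
// negative values become 0, anything above MAX_DELAY_MS is clamped.
function toDelay(raw) {
  var n = Number(raw);
  if (!isFinite(n) || n < 0) {
    return 0;
  }
  return Math.min(n, MAX_DELAY_MS);
}

// Request handler: buffers the body first, then responds after the delay.
function handleRequest(request, response) {
  var url_parts = url.parse(request.url, true);
  var query = url_parts.query;
  var delay = toDelay(query.timeout);
  var body = '';
  var tooLarge = false;

  console.log("----------------------------------");
  console.log(request.method + " method and timeout is " + delay);

  // Consume the body right away rather than inside the timer: the 'data' and
  // 'end' listeners must be attached before the stream finishes, and the
  // original attached them only after the delay and after the response had
  // already been ended.
  request.on('data', function (chunk) {
    if (tooLarge) {
      return;
    }
    body += chunk;
    if (body.length > MAX_BODY_BYTES) {
      tooLarge = true;
      body = '';
    }
  });

  request.on('end', function () {
    setTimeout(function () {
      console.log(" Executing setTimeout Function ");
      if (request.method === 'POST') {
        console.log(" Inside post ");
        if (tooLarge) {
          response.writeHead(413, {"Content-Type": "text/plain"});
          response.end("Request body too large");
          return;
        }
        var POST = querystring.parse(body);
        console.log("on request end " + JSON.stringify(POST));
        response.setHeader("keyPOST", "ValuePair");
        response.writeHead(200, {"Content-Type": "text/html"});
        response.write("<b>Hello World</b>");
        response.end();
      } else if (request.method === 'GET') {
        console.log(" Inside get");
        console.log("Query sent to the server is :" + query.name);
        response.setHeader("keyGET", "ValuePair");
        response.writeHead(200, {"Content-Type": "text/html"});
        // `query.timeout` comes straight from the URL; the original wrote it
        // into the HTML unescaped.
        response.write("<b>Hello User, Response sent at " + escapeHtml(query.timeout) + " milli seconds from server</b>");
        response.end();
      } else {
        // The original left other methods without any response.
        response.writeHead(405, {"Content-Type": "text/plain"});
        response.end("Method not allowed");
      }
      console.log("----------------------------------");
    }, delay);
  });
}

https.createServer(options, handleRequest).listen(8000, "127.0.0.1", function () {
  console.log(' Server has been started at ' + (new Date()) + ' and running in https://127.0.0.1:8000/');
});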
https_client.js:
https_client.js:
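var https = require("https");
var fs = require("fs");
var querystring = require('querystring');

// Sample HTTPS client for https_server.js. `data` is only used if the
// request is switched to POST (see the commented `req.write` at the bottom).
var data = querystring.stringify({
  name: "Arun",
  timeout: 5000
});

// Trust the sample server's self-signed certificate explicitly through `ca`
// instead of setting `rejectUnauthorized: false`. Disabling verification does
// make SELF_SIGNED_CERT_IN_CHAIN go away, but it also lets any host stand in
// for the server; listing the certificate as a trusted CA keeps the check on.
// The certificate's CN or subjectAltName must match `hostname` (127.0.0.1
// here), otherwise verification fails with a hostname mismatch instead.
// The original also sent `privkey.pem`/`cacert.pem` as `key`/`cert`: that
// is the server's own key pair, the server never requests a client
// certificate, and a client should not hold the server's private key.
var options = {
  hostname: '127.0.0.1',
  port: 8000,
  path: '/saveText?name=Arun&timeout=5000',
  method: 'GET',
  ca: [fs.readFileSync('cacert.pem')],
  agent: false
};

var req = https.request(options, function (res) {
  console.log('STATUS: ' + res.statusCode);
  console.log('HEADERS: ' + JSON.stringify(res.headers));
  res.setEncoding('utf8');
  res.on('data', function (chunk) {
    console.log('BODY: ' + chunk);
  });
});
req.on('error', function (e) {
  console.log('problem with request: ' + e.message);
});
// write data to request body (only meaningful with method: 'POST')
//req.write(data);
req.end();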
使用openssl创建privkey.pem和cacert.pem:
create privkey.pem and cacert.pem using openssl :
1) command to create privkey.pem is : openssl genrsa -out privkey.pem 2048
2) command to create cacert.pem is : openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
If the second command fails with an error that it cannot locate openssl.cnf, add the `-config {openssl.cnf file path}` option to that command.