[Question title]: Having trouble setting up an HTTPS server in Express
[Posted]: 2015-06-21 23:02:56
[Question description]:

I'm trying to set up my express app to use https. Here's what I have so far:

var fs = require('fs');
var http = require('http');
var https = require('https');
var app = require('./app');
var port = process.env.PORT || 8080;

var credentials = {
    key: fs.readFileSync('./ssl/private_key.pem', 'utf8'),
    cert: fs.readFileSync('./ssl/certificate.pem', 'utf8'),
    // Intermediate certificates. Current Node.js documents `ca` as the trust
    // store used to verify *client* certificates; the chain to send to clients
    // is expected as PEM blocks appended to `cert` after the server certificate.
    // The s_client output below shows that this Node version did send the
    // intermediates, so the chain itself is not what fails here.
    ca: [
        fs.readFileSync('./ssl/certificate_chain_1.pem', 'utf8'),
        fs.readFileSync('./ssl/certificate_chain_2.pem', 'utf8')
    ]
};
// https.createServer(options, requestListener) takes one listener, so `app`
// handles every request and a third argument is silently ignored; the
// "server started" message belongs in the listen callback instead.
https.createServer(credentials, app).listen(port, function () {
    console.log('HTTPS server started on port ' + port + '...');
});

When I run curl -k -v -I https://127.0.0.1:8080, I get this:

* Rebuilt URL to: https://127.0.0.1:8080/
* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* TLS 1.2 connection using TLS_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: *.hiwarren.com
* Server certificate: COMODO RSA Domain Validation Secure Server CA
* Server certificate: COMODO RSA Certification Authority
* Server certificate: AddTrust External CA Root
> HEAD / HTTP/1.1
> User-Agent: curl/7.37.1
> Host: 127.0.0.1:8080
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< X-Powered-By: Express
X-Powered-By: Express
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 14
Content-Length: 14
< Date: Wed, 15 Apr 2015 19:32:28 GMT
Date: Wed, 15 Apr 2015 19:32:28 GMT
< Connection: keep-alive
Connection: keep-alive

<
* Connection #0 to host 127.0.0.1 left intact

When I run OpenSSL s_client -connect 127.0.0.1:8080/

I get this error:

MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/
CONNECTED(00000003)
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 957E02E1D64D1F1E0ADBF4369057DD56B5FBE5A66269686DD590DF4D3B9A3D8C
    Session-ID-ctx:
    Master-Key: 0B531BBFE5AA8AACEFC99749CD696926956419FFD61F7CCAF6E94C7574F6ECCEA31098D236E51F800F690D508E700444
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 25 2c fa ce af 2d f9 6e-8e fd 7e 9c f4 e6 c8 2b   %,...-.n..~....+
    0010 - 10 b6 f9 08 28 23 6f ec-98 0d c9 1d dd 78 34 25   ....(#o......x4%
    0020 - ab 21 55 37 02 42 a8 6c-84 9f 31 c0 60 ed 77 ae   .!U7.B.l..1.`.w.
    0030 - ab ea 4f 84 07 e7 d0 29-24 41 35 0f d7 01 09 21   ..O....)$A5....!
    0040 - a2 0f 1c 10 ab e4 47 67-f0 0d b0 f2 32 8d 3e f0   ......Gg....2.>.
    0050 - 10 30 35 82 48 df 09 ac-7c 12 98 11 99 7f 97 5b   .05.H...|......[
    0060 - d2 ef 47 69 4c 86 8b 2f-48 ff 62 58 08 7b 6c 7b   ..GiL../H.bX.{l{
    0070 - c2 f5 c5 1d 52 13 ad c4-95 d8 54 f8 a5 d2 5c 94   ....R.....T...\.
    0080 - c0 f3 c1 40 c1 44 5e b0-37 fa 3b 68 73 a7 ca 4f   ...@.D^.7.;hs..O
    0090 - ac d9 99 12 62 72 10 48-f1 9a 56 eb e6 89 d8 d4   ....br.H..V.....

    Start Time: 1429126474
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

When I run the same command with the root_certificate, I'm able to fix error 20, like this: OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem

So, here's my new output:

MacBook-Pro-de-Bruno-3:ssl brunomacedo$ OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Wildcard, CN = *.hiwarren.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
... certificate hash ...
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 4627 bytes and written 626 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: CFD47EDA05B183790D25B32295550DB4DF74C483F3B1FEACD76C39548254FD9C
    Session-ID-ctx:
    Master-Key: DE16062EE238F854A4578F2E0F8FBE6874AF8550086E61C1D50EF3FBDB04F42355A6BD2072B8216B68477516E7F034C5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 25 2c fa ce af 2d f9 6e-8e fd 7e 9c f4 e6 c8 2b   %,...-.n..~....+
    0010 - 16 26 97 0b a6 00 c6 12-d3 9a 91 1c d1 0f a4 d7   .&..............
    0020 - 96 30 88 54 3c e7 42 a1-db 4c 97 e6 68 5c d4 81   .0.T<.B..L..h\..
    0030 - f5 bf 7f 16 59 d2 32 bd-fa c7 9b c4 b5 1f a2 4d   ....Y.2........M
    0040 - 3b fe f9 af ad 29 58 31-c5 2e 2b 31 b1 52 62 9c   ;....)X1..+1.Rb.
    0050 - 1a 34 d0 c5 e4 e7 80 1f-d4 8a a3 0f 6b f4 2b d9   .4..........k.+.
    0060 - 4e 5d c0 8c 11 5a 0d de-00 23 19 0f 01 73 92 32   N]...Z...#...s.2
    0070 - 50 ee 08 56 4b a0 1c 20-c6 d7 9d de 58 b0 d4 70   P..VK.. ....X..p
    0080 - 2f b6 ca 3b 48 d0 bb fe-4c ea 6e 60 31 5d 4f 3d   /..;H...L.n`1]O=
    0090 - a4 6e f8 cd a2 15 1a 0e-36 6d b7 16 72 b9 e4 bf   .n......6m..r...

    Start Time: 1429126610
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So, I think the client needs to send this root_certificate somehow for it to work, but I'm not sure how the client would have it and send it.

Has anyone run into this? What should I do?

[Discussion]:

    Tags: node.js express https openssl certificate


    [Solution 1]:
    curl -k -v -I https://127.0.0.1:8080
    ...
    openssl s_client -connect 127.0.0.1:8080
    ...
    0 s:/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.hiwarren.com
    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ....
    

    CAs no longer issue certificates for IP addresses. And they have not issued certificates for RFC 1918 addresses (like 127.0.0.1) for years.

    You need to fix the certificate or fix name resolution. First, fix it by including names like localhost or 127.0.0.1 in the certificate's subjectAlternateName (SAN).

    Or second, fix it by making the server reachable via the name used in the certificate. You can do that with the local hosts file or DNS.


    unable to get local issuer certificate

    Be sure to set the root certificate. The root certificate is AddTrust External CA Root.

    Make sure the chain is sent with the server certificate. Here, the chain is all the intermediate certificates less the root. You must already have the root certificate and trust it.

    [Discussion]:

    • I have tried the same procedure with the deployed version of the app, so 127.0.0.1 is "fixed". And AddTrust External CA Root is the certificate_root.pem I'm passing with -CAfile. So now I have two questions from your answer: 1) How do I set the root certificate? 2) How do I make sure the chain is sent with the server certificate? Thanks for your answer!!
    • For (1) with cURL, you can set the root via the --cacerts option on the command line, or curl_easy_setopt(curl, CURLOPT_CAPATH, capath). For (1) with OpenSSL, use the -CApath option on the command line, or SSL_CTX_load_verify_locations in a program.
    • For (2), you can use OpenSSL's s_client: openssl s_client -connect <server>:<port> -showcerts. showcerts should show the server sending 2 or 3 certificates. The first will be the end-entity (server) certificate, and the other one or two will be the intermediate certificates needed to build the path from the end-entity certificate to the root. The root should not be sent - you must have it and trust it.
    • @bmpasini - A well-configured server sends 2 or 3 certificates (the end-entity certificate and the required intermediates) because that solves the "Which Directory" problem for the client. It's a well-known problem in PKI. To work around poorly configured servers, people have to populate a collection like cacerts.pem with the required intermediates.
    [Solution 2]:

    I'm not sure what the exact problem is;

    When I run the same command with the root_certificate like this, I'm able to fix error 20: OpenSSL s_client -connect 127.0.0.1:8080/ -CAfile certificate_root.pem.

    So, I think the client needs to send this root_certificate somehow for it to work, but I'm not sure how the client would have it and send it.

    When you supply the root certificate, error 20 goes away. That is because the client can successfully verify (verify return code 0 (OK)) the server certificate using the supplied CAfile.

    When you don't supply the root certificate, the client does not know who the server is. It cannot verify the server's credentials. Hence error 20.

    The client sends the root certificate to the server. How does one have it? You should know and have the publicly available trusted CA certificates. (For example, your browser comes pre-installed with a set of well-known CA certificates. So you can connect over HTTPS to any well-known website.)

    [Discussion]:
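The points made in Solution 1 (put localhost/127.0.0.1 in the SAN; the client must already trust the root; the server must send the intermediates but never the root) and in Solution 2 (error 20 disappears as soon as the root is supplied with -CAfile) can be reproduced offline with a throwaway PKI. The script below is an added example, not code from the question or from either answer. It assumes an openssl 1.1.x or 3.x binary on PATH and makes up every name and path it uses (Demo Root CA, Demo Intermediate CA, localhost). "openssl verify" performs the same path building and hostname check that s_client and a browser perform during the handshake: -CAfile stands for the client's local trust store (the question's certificate_root.pem), -untrusted for the chain the server sent (what -showcerts would list).

```shell
#!/bin/sh
# Added example (not from the question or answers): build a root -> intermediate
# -> server PKI and run the client-side verification under the three conditions
# discussed above. Every name and path here is invented for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root.pem"; INT="$WORK/int.pem"; LEAF="$WORK/leaf.pem"
LOG="$WORK/openssl.log"

# Minimal openssl config so the run does not depend on the system openssl.cnf.
# v3_leaf carries the SAN fix from Solution 1: both localhost and 127.0.0.1.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF

# Root CA, self-signed: the counterpart of "AddTrust External CA Root". A client
# must already hold it in its trust store; the server never sends it.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -config "$WORK/demo.cnf" -extensions v3_root -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$ROOT" 2>>"$LOG"

# Intermediate CA signed by the root: the "chain" a well-configured server sends
# together with its own certificate.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/demo.cnf" \
  -subj "/CN=Demo Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>>"$LOG"
openssl x509 -req -in "$WORK/int.csr" -CA "$ROOT" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 1 -sha256 -extfile "$WORK/demo.cnf" -extensions v3_int -out "$INT" 2>>"$LOG"

# Server (end-entity) certificate signed by the intermediate, with the SAN fix.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/demo.cnf" \
  -subj "/CN=localhost" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>>"$LOG"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$INT" -CAkey "$WORK/int.key" -CAcreateserial \
  -days 1 -sha256 -extfile "$WORK/demo.cnf" -extensions v3_leaf -out "$LEAF" 2>>"$LOG"

# Verify the server cert with the given trust/chain options and reduce openssl's
# output to one verdict: "OK", or the lower-cased reason from the
# "error N at D depth lookup: <reason>" line.
verdict() {
  out=$(openssl verify "$@" "$LEAF" 2>&1) || true
  case "$out" in
    *": OK"*) echo "OK" ;;
    *) printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 \
         | tr '[:upper:]' '[:lower:]' ;;
  esac
}

# -CAfile    = what the client trusts locally (the question's certificate_root.pem)
# -untrusted = what the server sent in the handshake (its intermediates)
no_root()        { verdict -untrusted "$INT"; }                 # client holds no root
root_no_chain()  { verdict -CAfile "$ROOT"; }                   # server sent no intermediate
root_and_chain() { verdict -CAfile "$ROOT" -untrusted "$INT"; }
hostname_check() { verdict -CAfile "$ROOT" -untrusted "$INT" -verify_hostname "$1"; }
ip_check()       { verdict -CAfile "$ROOT" -untrusted "$INT" -verify_ip "$1"; }

echo "no trusted root, intermediate sent : $(no_root)"
echo "root trusted, no intermediate sent : $(root_no_chain)"
echo "root trusted, intermediate sent    : $(root_and_chain)"
echo "  ... and hostname localhost       : $(hostname_check localhost)"
echo "  ... and hostname example.invalid : $(hostname_check example.invalid)"
echo "  ... and IP 127.0.0.1             : $(ip_check 127.0.0.1)"
```

The first two rows both print "unable to get local issuer certificate" (error 20), which is why the symptom alone does not tell you whether the client lacks the root or the server is not sending its intermediates; only supplying the root locally and the intermediates in the handshake yields OK. The last three rows show that a chain which verifies can still fail on the name: the SAN in the leaf is what makes the localhost and 127.0.0.1 checks pass, and the hostname mismatch on example.invalid is the check that curl -k was suppressing in the question.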
