
Hello, the custom client certificate feature (tls CERT KEY CA) is not implemented #15

Open
victor-infosec opened this issue Jul 1, 2021 · 19 comments

@victor-infosec

tls CERT KEY CA
This directive does not work, and I don't see any code that handles it.

@leiless
Owner

leiless commented Jul 1, 2021

	case "tls":
		args := c.RemainingArgs()
		if len(args) > 3 {
			return c.ArgErr()
		}
		tlsConfig, err := pkgtls.NewTLSConfigFromArgs(args...)
		if err != nil {
			return err
		}
		// Merge server name if tls_servername set previously
		tlsConfig.ServerName = u.transport.tlsConfig.ServerName
		u.transport.tlsConfig = tlsConfig
		log.Infof("%v: %v", dir, args)

https://github.com/leiless/dnsredir/blob/master/upstream.go#L399-L411

It is there. Are you saying your Corefile does not honor the tls CERT KEY CA directive?
If so, please paste your current Corefile and the TLS handshake error message.

@leiless
Owner

leiless commented Jul 1, 2021

In my testing, tls CERT KEY CA does work. Specifically:

Corefile

.:10053 {
    debug
    loop

    dnsredir . {
        to tls://94.140.14.14
        # tls CA - No client authentication is used, and the CA file is used to verify the server certificate.
        tls dns-adguard-com.pem
    }
}

You can get the dns-adguard-com.pem file by opening https://94.140.14.14/dns-query in Firefox, downloading its certificate as PEM, and placing it in the same directory as the Corefile.


$ ./coredns_dnsredir-linux-amd64 -conf Corefile
[INFO] plugin/dnsredir: Initializing, version v0.0.7, HEAD f660931
[INFO] plugin/dnsredir: Match any
[INFO] plugin/dnsredir: Transport: tls Address: 94.140.14.14:853
[INFO] plugin/dnsredir: Upstream: &{tls 94.140.14.14:853 0 0x1a47040 <nil> <nil> <nil> }
[INFO] plugin/dnsredir: tls: [dns-adguard-com.pem]
.:10053
CoreDNS-1.8.3
linux/amd64, go1.16.2, 4293992-dirty
[DEBUG] plugin/dnsredir: "6855361830932061722.4471371409727006771." in name list, t: 1.959µs
[DEBUG] plugin/dnsredir: Upstream host tls://94.140.14.14:853 is selected
[DEBUG] plugin/dnsredir: New connection established for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 403.312866ms
[DEBUG] plugin/dnsredir: "dns.google." in name list, t: 1.879µs
[DEBUG] plugin/dnsredir: Upstream host tls://94.140.14.14:853 is selected
[DEBUG] plugin/dnsredir: Cached connection used for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 90.859µs
[DEBUG] plugin/dnsredir: cached connection was closed by peer: tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: New connection established for tls://94.140.14.14:853
[DEBUG] plugin/dnsredir: rtt: 352.598933ms

$ dig @127.0.0.1 -p10053 dns.google +short A
8.8.4.4
8.8.8.8

@leiless
Owner

leiless commented Jul 1, 2021

Unless you are using a self-signed TLS certificate, for DoT servers with publicly issued certificates (that is, public DoT) it is usually enough to set tls_servername alone.
Something like this:

dnsredir . {
    to tls://103.2.57.5 tls://103.2.57.6
    tls_servername public.dns.iij.jp
}

See https://github.com/leiless/dnsredir#examples for details.

@victor-infosec
Author

victor-infosec commented Jul 1, 2021

Yes, I generated self-signed certificates following this guide: https://www.jianshu.com/p/5938432e2130

The configuration on 192.168.1.9, which is meant to forward to 192.168.1.10:

. {
    dnsredir . {
        to ietf-doh://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

The configuration on 192.168.1.10, which forwards to the plain UDP DNS on 192.168.1.11:

https://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

Error when .9 connects to .10:
[WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority

@leiless
Owner

leiless commented Jul 1, 2021

Could you paste the output of these two commands?
openssl x509 -text -noout -in client.cert.pem

openssl x509 -text -noout -in server.cert.pem

Judging by the error x509: certificate signed by unknown authority, something in the certificate setup is probably misconfigured?

@victor-infosec
Author

> Could you paste the output of these two commands?
> openssl x509 -text -noout -in client.cert.pem
>
> openssl x509 -text -noout -in server.cert.pem
>
> Judging by the error x509: certificate signed by unknown authority, something in the certificate setup is probably misconfigured?

$ openssl x509 -text -noout -in server.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            70:9b:18:eb:27:6c:4d:e6:71:e8:12:6a:60:a6:e5:e0:6c:9f:ee:d8
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca
        Validity
            Not Before: Jul  1 08:21:02 2021 GMT
            Not After : Jul  1 08:21:02 2022 GMT
        Subject: CN = server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:33:b5:dd:ac:68:65:d6:d7:9a:d1:35:2d:e7:
                    d2:1e:22:30:2f:2c:a6:f0:c2:50:8d:ab:26:d6:c2:
                    94:87:f1:43:d2:31:87:06:6e:8d:3f:b2:21:30:17:
                    f8:d7:79:bf:dd:21:e1:76:77:cc:86:fc:b3:b4:fa:
                    b7:75:6f:a6:d8:e6:ab:ec:da:90:a5:de:9f:29:5a:
                    6a:a9:cb:47:7b:37:29:6a:9f:39:b5:a0:36:9f:df:
                    40:dd:82:14:46:8b:0c:19:33:20:d6:d0:0f:77:24:
                    39:0a:e8:ca:56:89:8e:00:aa:25:ca:b6:a5:86:ff:
                    da:c2:1a:79:90:ce:d9:da:ff:bb:8e:5d:47:6c:2a:
                    db:67:87:65:e0:57:50:ff:ee:09:a8:e6:45:e2:a6:
                    92:40:74:5f:eb:5c:a5:72:f7:ef:15:b6:99:f9:9b:
                    7f:3c:1d:e1:be:02:aa:7d:70:0b:1c:68:b5:bb:29:
                    38:e5:0f:fd:1d:a4:fe:d1:bb:a1:6a:1d:0b:c2:a8:
                    c6:df:a0:83:04:d5:d8:f3:7b:d2:7d:d6:35:ef:ff:
                    d2:18:24:9c:5d:ee:e8:83:40:b1:32:d6:a3:27:62:
                    01:a7:6d:a4:82:04:23:d8:80:97:2a:68:07:d4:86:
                    90:80:69:dc:fb:df:8c:3b:0a:f4:89:aa:fb:09:4f:
                    62:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:cc.local, DNS:test.cc.local, IP Address:192.168.1.10
    Signature Algorithm: sha256WithRSAEncryption
         6d:85:84:38:92:ab:8f:2f:3e:47:0d:ed:30:d7:0c:f1:51:cf:
         e9:2f:09:58:33:5e:1a:28:3e:96:5c:92:32:cf:e6:b5:d0:a2:
         41:28:28:99:72:06:70:9c:0d:dd:56:93:b4:c6:f3:1a:7c:f6:
         8d:6e:ab:dd:2d:0d:f0:54:b9:61:55:9c:60:cf:65:10:7c:0d:
         fe:ef:a0:3b:d0:56:8a:bd:75:4b:11:6a:0e:bc:a2:8e:65:01:
         f9:68:4b:df:a6:28:95:a2:3a:29:e4:6d:f7:95:2f:70:2c:a4:
         44:f2:79:f1:77:da:c3:b3:35:57:b0:ff:40:97:bc:f3:3b:d5:
         04:05:66:85:82:93:d6:ea:cb:54:9e:53:b8:18:6b:95:ff:08:
         7e:83:97:c3:2e:d8:d5:1b:4c:31:0f:24:81:6a:f1:ad:fd:7c:
         bf:51:43:aa:2c:fc:ea:5f:ea:84:72:89:80:4b:25:dc:76:89:
         80:8b:28:50:7a:cf:45:69:d8:9c:63:57:99:9d:1f:f5:28:fc:
         a0:c0:79:dc:55:4a:08:9d:6a:9c:82:38:e5:8a:39:3c:04:b4:
         20:bd:5f:b1:58:f4:17:2d:cc:d2:4f:4b:6a:7c:79:a0:cc:9d:
         1c:d2:a4:2d:03:0c:55:7f:8a:06:10:ad:d7:9c:cc:6f:27:a6:
         d4:a4:da:15:f6:3a:a2:14:d6:f1:0b:fa:9c:f8:0b:0d:26:97:
         53:bb:bc:3f:62:ba:2b:89:cf:4f:31:81:37:51:bb:f5:0b:d9:
         82:23:0b:f0:c5:a2:20:5c:cf:ca:49:cf:dc:52:fa:77:d9:59:
         c6:72:c3:98:68:b8:88:ad:c9:8a:64:96:2c:c3:58:87:d5:ce:
         27:b2:ce:eb:ea:a4:05:21:95:94:2a:d1:a0:7d:52:5e:de:d4:
         0b:5c:61:f8:67:26:ab:69:41:8c:cf:1e:00:aa:97:d4:69:56:
         f2:e8:b8:20:a2:f7:d0:9e:81:6d:79:19:d5:95:52:9e:9d:20:
         9b:08:44:a5:fb:a0:5e:f7:65:85:bc:fe:ee:12:6f:81:94:4d:
         e6:4c:e9:7b:bc:84:aa:11:24:dc:17:dc:1a:61:e9:c2:ba:96:
         22:af:32:8b:53:8a:a3:c6:e9:c1:95:9e:f6:be:fb:67:c8:b8:
         b6:89:96:2c:23:3d:be:19:4d:35:6f:8e:fc:76:bc:fc:ae:2d:
         6f:3b:b8:8a:f3:b9:c5:ff:4d:44:34:ad:78:19:10:44:69:14:
         65:67:b4:fa:9f:94:bf:2d:f1:53:4a:94:a0:40:f7:c1:7c:aa:
         f4:2b:a8:8a:b5:d6:82:75:e0:7e:77:35:6c:f0:2e:ce:82:1c:
         81:f0:47:cd:f2:c7:f7:2a

$ openssl x509 -text -noout -in client.cert.pem
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            70:9b:18:eb:27:6c:4d:e6:71:e8:12:6a:60:a6:e5:e0:6c:9f:ee:d9
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = ca
        Validity
            Not Before: Jul  1 08:21:02 2021 GMT
            Not After : Jul  1 08:21:02 2022 GMT
        Subject: CN = client
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f0:f7:cb:f8:28:35:cd:50:9f:67:d3:31:36:82:
                    eb:44:89:d9:d0:80:2a:60:95:ca:69:7c:30:01:f5:
                    b9:e2:a5:c4:5a:58:cd:92:94:10:99:04:b9:e8:58:
                    60:b8:f6:69:c6:dc:ea:71:5c:ce:01:ac:6d:f5:0f:
                    46:3c:33:06:b0:90:b3:10:59:ac:31:de:36:fe:a4:
                    02:49:85:6c:48:b2:70:33:bf:72:e7:71:12:86:5a:
                    59:58:06:a0:34:34:78:f6:29:2c:3f:52:18:71:9b:
                    72:09:45:83:61:b4:d0:0e:31:85:2d:66:72:c2:36:
                    ef:3e:49:ef:c3:a1:f1:ae:36:f9:70:d6:58:8b:10:
                    9f:d4:49:b4:b6:d4:48:3d:e2:d4:62:a5:30:34:92:
                    e4:17:58:ee:12:41:24:1c:f2:0a:65:26:52:2e:97:
                    b7:2c:03:46:42:89:5f:b6:58:8e:b2:c8:7a:1a:c8:
                    65:c2:34:a5:d6:41:3d:03:8c:3d:46:80:4c:1d:dc:
                    bd:37:5a:d4:ea:91:d6:cd:33:51:01:c6:b5:00:bc:
                    ff:0e:64:6d:ce:3a:bb:fa:78:af:0a:56:4c:2e:53:
                    44:1c:cd:26:aa:64:c9:8f:92:f4:cc:50:a9:60:ed:
                    80:c5:65:64:69:85:6d:81:b4:49:c5:3f:90:96:bb:
                    3c:4b
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         1a:92:9d:71:e2:c0:f1:9e:64:d9:30:35:da:05:f3:ea:ef:be:
         d3:d2:97:9f:8b:6a:4a:a1:e5:bf:4b:28:e0:9c:30:4c:12:3d:
         8f:8b:50:f7:8f:17:d2:b1:b5:f2:9d:35:de:8b:71:0b:f2:76:
         05:1a:ae:2d:30:aa:07:04:0a:04:d7:c9:af:54:96:64:5a:68:
         61:9c:03:8c:39:25:a3:b8:b3:33:57:6f:7b:00:55:df:7e:a7:
         61:de:54:ca:c6:df:3e:a5:0e:8e:bb:d3:a7:9a:16:fe:cf:10:
         57:33:9b:c8:ed:92:94:2e:a7:cc:9f:7b:6d:27:61:6e:11:d9:
         d8:13:79:43:a1:e4:fe:05:a2:ee:cc:f5:c4:00:7d:de:f2:12:
         ee:85:08:36:6c:c5:be:d8:32:62:24:58:5f:a1:cd:3e:7e:e9:
         d8:eb:2c:36:3a:84:8e:a4:15:63:65:46:3c:58:c5:c7:cb:a1:
         43:73:11:25:12:68:8a:47:8b:0e:6a:27:1f:15:62:ec:80:b6:
         b3:1c:77:20:42:26:95:b4:e4:18:63:7e:89:ac:35:2d:d9:78:
         1a:30:f4:b6:46:1a:f6:5e:2b:58:e4:90:6a:a3:e6:c4:43:b7:
         26:79:5d:78:de:2b:de:67:24:9a:fa:4b:a8:43:17:4c:19:66:
         b7:ba:26:7a:3b:9b:dd:fb:8d:f8:18:69:3f:71:e0:4c:54:2f:
         5a:dd:3a:8b:f5:f8:fb:3c:ad:f0:90:4f:31:3b:26:c2:10:51:
         c6:92:72:79:9f:6a:8b:8c:97:bb:0a:5a:77:64:8d:8b:0c:ee:
         6a:df:bc:54:5c:21:11:6a:c7:47:0e:d1:ff:ad:37:c0:f4:fd:
         30:e1:21:20:7a:cd:1b:24:74:31:80:55:52:dc:bd:57:47:86:
         cf:51:d2:40:65:02:cf:04:b3:ed:70:b0:97:19:b8:b2:6f:37:
         5a:74:54:b3:d5:05:24:59:62:37:5b:fb:6e:04:4b:72:34:c1:
         a6:69:fc:4e:4d:3b:d1:1b:d2:fb:58:76:fd:e7:e4:d8:b6:d2:
         ed:8c:d9:bd:ea:35:4f:e9:a9:f7:31:96:c9:ff:ee:b7:01:5d:
         8b:0a:6b:fb:4f:dd:ff:13:ff:0b:79:f9:73:bb:3a:32:97:c3:
         f3:2b:f2:5c:d4:1c:c0:7f:80:49:56:3b:91:9e:ed:bd:6c:a8:
         e9:20:01:69:4f:26:c3:5e:20:17:98:18:45:96:17:7f:83:22:
         af:11:c1:a0:e9:9b:45:a4:0a:63:9d:70:c1:75:94:1e:d6:7e:
         29:cb:57:8c:8c:26:93:63:b7:6c:eb:9e:72:97:f5:fb:e2:a4:
         82:aa:0b:0d:60:5f:4f:8a

@leiless
Owner

leiless commented Jul 1, 2021

> Yes, I generated self-signed certificates following this guide: https://www.jianshu.com/p/5938432e2130
>
> The configuration on 192.168.1.9, which is meant to forward to 192.168.1.10:
>
> . {
>     dnsredir . {
>         to ietf-doh://192.168.1.10:8853/dns-query
>         tls client.cert.pem client.key.pem ca.cert.pem
>         health_check 60s
>         max_fails 3
>         expire 15s
>     }
> }
>
> The configuration on 192.168.1.10, which forwards to the plain UDP DNS on 192.168.1.11:
>
> https://.:8853 {
>     tls server.cert.pem server.key.pem ca.cert.pem
>     log
>     errors
>     forward . 192.168.1.11:53
> }
>
> Error when .9 connects to .10:
> [WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority

Could you add tls_servername cc.local to the dnsredir block of the Corefile on 192.168.1.9 and run it again?

@victor-infosec
Author

> Yes, I generated self-signed certificates following this guide: https://www.jianshu.com/p/5938432e2130
> The configuration on 192.168.1.9, which is meant to forward to 192.168.1.10:
>
> . {
>     dnsredir . {
>         to ietf-doh://192.168.1.10:8853/dns-query
>         tls client.cert.pem client.key.pem ca.cert.pem
>         health_check 60s
>         max_fails 3
>         expire 15s
>     }
> }
>
> The configuration on 192.168.1.10, which forwards to the plain UDP DNS on 192.168.1.11:
>
> https://.:8853 {
>     tls server.cert.pem server.key.pem ca.cert.pem
>     log
>     errors
>     forward . 192.168.1.11:53
> }
>
> Error when .9 connects to .10:
> [WARNING] plugin/dnsredir: hc: DNS https://192.168.1.10:8853/dns-query failed rtt: 7.4982ms err: Get "https://192.168.1.10:8853/dns-query?ct=application/dns-message&dns=AAABAAABAAAAAAAAAAACAAE": x509: certificate signed by unknown authority
>
> Could you add tls_servername cc.local to the dnsredir block of the Corefile on 192.168.1.9 and run it again?

I added tls_servername cc.local; still the same problem.

I also commented out the line tls client.cert.pem client.key.pem ca.cert.pem; the problem is the same.

Let's leave it for now; I'll test again when I have time. Many thanks!

@leiless
Owner

leiless commented Jul 1, 2021

On the 192.168.1.9 machine, could you try curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query?dns=q80BAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB and see whether the handshake succeeds?

@victor-infosec
Author

victor-infosec commented Jul 2, 2021

> On the 192.168.1.9 machine, could you try curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query and see whether the handshake succeeds?

curl works fine:

└─$ curl -vL --cacert ca.cert.pem https://192.168.1.10:8853/dns-query                                         
*   Trying 10.251.6.132:8853...
* Connected to 10.251.6.132 (10.251.6.132) port 8853 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: ca.cert.pem
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=server
*  start date: Jul  2 01:45:30 2021 GMT
*  expire date: Jul  2 01:45:30 2022 GMT
*  subjectAltName: host "10.251.6.132" matched cert's IP address!
*  issuer: CN=ca
*  SSL certificate verify ok.
> GET /dns-query HTTP/1.1
> Host: 10.251.6.132:8853
> User-Agent: curl/7.74.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server

@victor-infosec
Author

victor-infosec commented Jul 2, 2021

I changed both machines' configurations to tls:// and nothing else, and it works. With DoH, I get the unknown authority error whether or not tls is configured...

The following configuration works:

The configuration on 192.168.1.9, which is meant to forward to 192.168.1.10:
. {
    dnsredir . {
        to tls://192.168.1.10:8853/dns-query
        tls client.cert.pem client.key.pem ca.cert.pem
        health_check 60s
        max_fails 3
        expire 15s
    }
}

The configuration on 192.168.1.10, which forwards to the plain UDP DNS on 192.168.1.11:
tls://.:8853 {
    tls server.cert.pem server.key.pem ca.cert.pem
    log
    errors
    forward . 192.168.1.11:53
}

@leiless
Owner

leiless commented Jul 2, 2021

The error x509: certificate signed by unknown authority seems to mean that the CA certificate is not trusted by the system, but we already specified the CA certificate to use in tls. This needs further investigation.

From the symptoms, it looks like the DoH server verification is done with the system CA certificates; since the self-signed certificate has not been added to the system store, this produces the error x509: certificate signed by unknown authority.

Since I don't yet understand the public/private key system very well, I may look into this later when I have time.

@leiless
Owner

leiless commented Jul 2, 2021

> From the symptoms, it looks like the DoH server verification is done with the system CA certificates; since the self-signed certificate has not been added to the system store, this produces the error x509: certificate signed by unknown authority?

To verify this, could you try placing your self-signed CA certificate ca.cert.pem into the /etc/ssl/certs directory,
and then try again with your previous DoH configuration?

https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux/722646#722646

@victor-infosec
Author

> From the symptoms, it looks like the DoH server verification is done with the system CA certificates; since the self-signed certificate has not been added to the system store, this produces the error x509: certificate signed by unknown authority?
>
> To verify this, could you try placing your self-signed CA certificate ca.cert.pem into the /etc/ssl/certs directory,
> and then try again with your previous DoH configuration?
>
> https://serverfault.com/questions/62496/ssl-certificate-location-on-unix-linux/722646#722646

I put it in /etc/ssl/certs, still the same problem. The fact that it works after switching to tls:// suggests that the ca.cert.pem in the current directory is being read.
I'm not very familiar with certificates either. For now I'm forwarding to Alibaba Cloud's DoH server instead of doing internal forwarding. :-(

@leiless
Owner

leiless commented Jul 2, 2021

> I put it in /etc/ssl/certs, still the same problem. The fact that it works after switching to tls:// suggests that the ca.cert.pem in the current directory is being read.

Did you do that on 192.168.1.10? I suspect it needs to be done on the machine where the x509: certificate signed by unknown authority error occurs.

@victor-infosec
Author

victor-infosec commented Jul 2, 2021

> I put it in /etc/ssl/certs, still the same problem. The fact that it works after switching to tls:// suggests that the ca.cert.pem in the current directory is being read.
>
> Did you do that on 192.168.1.10? I suspect it needs to be done on the machine where the x509: certificate signed by unknown authority error occurs.

I put it in that directory on both machines...
When you have time, could you generate certificates following this guide
https://www.jianshu.com/p/5938432e2130
and test it yourself? Maybe I'm doing something wrong.

@leiless
Owner

leiless commented Jul 2, 2021

I'll try it when I have time. I think I have an idea now: my guess is that when the HTTPS request is made, the http.Client's TLS config is not overridden.
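As an added example (not dnsredir's own code and not the author's), the following Go program reproduces the failure mode guessed at above and the fix. A private CA and a CA-signed server certificate with an IP SAN are generated in-process as constructed stand-ins for ca.cert.pem and server.cert.pem, an httptest TLS server plays the DoH endpoint, and the same health-check style GET is sent once through a default http.Transport (which trusts only the system root store and therefore fails with x509: certificate signed by unknown authority) and once through a transport whose TLSClientConfig carries the CA. ClientTLSConfig, Probe and Demo are names chosen here, not plugin APIs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Added example, not dnsredir's code: certificates are generated in-process.

// certTemplate returns a one-day certificate template with the given CN.
func certTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// signCert generates a P-256 key for tmpl and has parent sign it; a nil
// parentKey makes the certificate self-signed.
func signCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	return der, key, err
}

// ClientTLSConfig is what a "tls CERT KEY CA" directive has to become on the
// client side: the CA PEM becomes RootCAs; CERT/KEY, when given, the client cert.
func ClientTLSConfig(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("no CA certificate found in PEM")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if len(certPEM) > 0 {
		kp, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, err
		}
		cfg.Certificates = []tls.Certificate{kp}
	}
	return cfg, nil
}

// Probe sends the health-check style GET. A nil cfg leaves Go's default
// transport in place, which trusts only the system root store.
func Probe(baseURL string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(baseURL + "/dns-query?dns=AAABAAABAAAAAAAAAAACAAE")
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Demo serves a private-CA DoH stub and probes it without, then with, the CA on the transport.
func Demo() (withoutCA, withCA, setup error) {
	ca := certTemplate(1, "ca") // "Issuer: CN = ca" in the issue
	ca.IsCA, ca.BasicConstraintsValid, ca.KeyUsage = true, true, x509.KeyUsageCertSign
	caDER, caKey, err := signCert(ca, ca, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf := certTemplate(2, "server") // CA-signed, with an IP SAN like server.cert.pem
	leaf.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	leaf.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafDER, leafKey, err := signCert(leaf, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/dns-message")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leafDER}, PrivateKey: leafKey}}}
	srv.StartTLS()
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	cfg, err := ClientTLSConfig(nil, nil, caPEM)
	if err != nil {
		return nil, nil, err
	}
	return Probe(srv.URL, nil), Probe(srv.URL, cfg), nil
}
```

Demo returns the error from the default transport first and the error with the CA installed second; the first contains x509: certificate signed by unknown authority and the second is nil. The point for diagnosing the issue is that the CA file's contents are irrelevant if the tls.Config built from it never reaches the http.Transport that performs the DoH request: dropping the CA into /etc/ssl/certs only helps if Go's system pool is what the verifier consults, whereas a correctly wired RootCAs makes the system store irrelevant.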

@cnclg

cnclg commented Aug 30, 2021

I've run into a similar problem as well.

@leiless
Owner

leiless commented Aug 30, 2021

> I've run into a similar problem as well.

I've been a bit busy lately; I'll find some time to look into it. My guess is that it is caused by the reason mentioned above.

Could you describe your problem?
