由于 x509 证书依赖于旧版“公用名”字段,因此无法连接到具有 Golang 的服务器
我正在尝试在mongodb服务器上进行连接,要进行连接,我必须提供CA证书文件以及tls证书文件。
当我使用以下命令时,我没有问题
$ mongo --host customhost:port DB --authenticationDatabase=DB -u ACCOUNT -p PWD --tls --tlsCAFile /etc/ca-files/new-mongo.ca.crt --tlsCertificateKeyFile /etc/ca-files/new-mongo-client.pem
但是当我尝试使用mongo连接(并且仅使用tls客户端进行测试)时,我遇到了以下错误:
failed to connect: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
如果我使用env变量,一切都很好,但我想知道如何修复它而不必使用它。
const CONFIG_DB_CA = "/etc/ca-files/new-mongo.ca.crt"
func main() {
cer, err := tls.LoadX509KeyPair("mongo-server.crt", "mongo-server.key")
if err != nil {
log.Println(err)
return
}
roots := x509.NewCertPool()
ca, err := ioutil.ReadFile(CONFIG_DB_CA)
if err != nil {
fmt.Printf("Failed to read or open CA File: %s.\n", CONFIG_DB_CA)
return
}
roots.AppendCertsFromPEM(ca)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cer},
RootCAs: roots,
}
conn, err := tls.Dial("tcp", "customhost:port", tlsConfig)
if err != nil {
fmt.Printf("failed to connect: %v.\n", err)
return
}
err = conn.VerifyHostname("customhost")
if err != nil {
panic("Hostname doesn't match with certificate: " + err.Error())
}
for i, cert := range conn.ConnectionState().PeerCertificates {
prefix := fmt.Sprintf("CERT%d::", i+1)
fmt.Printf("%sIssuer: %s\n", prefix, cert.Issuer)
fmt.Printf("%sExpiry: %v\n", prefix, cert.NotAfter.Format(time.RFC850))
fmt.Printf("%sDNSNames: %v\n\n", prefix, cert.DNSNames)
}
fmt.Printf("Success!")
}
我有点卡住了,不知道问题是我的tls代码配置和我加载证书的方式,还是来自SSL证书配置错误,但来自什么证书看起来很好。我觉得加载的证书因任何原因都被忽略了
泛舟湖上清波郎朗1回答
-
慕容3067478
您需要在源头解决问题并生成带有字段的证书 - 然后运行时检查将消失。DNSSANGo这是可以实现的,但很棘手,因为它需要一个配置文件 - 因为SAN字段选项太宽泛,不适合简单的命令行选项。openssl一般的要点是,创建一个企业社会责任:openssl req -new \ -subj "${SUBJ_PREFIX}/CN=${DNS}/emailAddress=${EMAIL}" \ -key "${KEY}" \ -addext "subjectAltName = DNS:${DNS}" \ -out "${CSR}",然后用您的 :CSRroot CAopenssl ca \ -create_serial \ -cert "${ROOT_CRT}" \ -keyfile "${ROOT_KEY}" \ -days "${CERT_LIFETIME}" \ -in "${CSR}" \ -batch \ -config "${CA_CONF}" \ -out "${CRT}"CA_CONF上面引用的内容如下所示:[ ca ]default_ca = my_ca[ my_ca ]dir = ./dbdatabase = $dir/index.txtserial = $dir/serialnew_certs_dir = $dir/tmpx509_extensions = my_certname_opt = ca_defaultcert_opt = ca_defaultdefault_md = defaultpolicy = policy_match# 'copy_extensions' will copy over SAN ("X509v3 Subject Alternative Name") from CSRcopy_extensions = copy[ my_cert ]basicConstraints = CA:FALSEnsComment = "generated by https://github.com/me/my-pki"subjectKeyIdentifier = hashauthorityKeyIdentifier = keyid,issuer[ policy_match ]# ensure CSR fields match that of delivered CertcountryName = matchstateOrProvinceName = matchorganizationName = matchorganizationalUnitName = optionalcommonName = suppliedemailAddress = optional正在检查生成的服务器证书:openssl x509 -in server.crt -noout -text然后应该有一个部分,如:SANX509v3 Subject Alternative Name: DNS:myserver.com
随时随地看视频慕课网APP
相关分类
Java