我正在尝试在mongodb服务器上进行连接,要进行连接,我必须提供CA证书文件以及tls证书文件。当我使用以下命令时,我没有问题$ mongo --host customhost:port DB --authenticationDatabase=DB -u ACCOUNT -p PWD --tls --tlsCAFile /etc/ca-files/new-mongo.ca.crt --tlsCertificateKeyFile /etc/ca-files/new-mongo-client.pem 但是当我尝试使用mongo连接(并且仅使用tls客户端进行测试)时,我遇到了以下错误:failed to connect: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0如果我使用env变量,一切都很好,但我想知道如何修复它而不必使用它。const CONFIG_DB_CA = "/etc/ca-files/new-mongo.ca.crt"func main() { cer, err := tls.LoadX509KeyPair("mongo-server.crt", "mongo-server.key") if err != nil { log.Println(err) return } roots := x509.NewCertPool() ca, err := ioutil.ReadFile(CONFIG_DB_CA) if err != nil { fmt.Printf("Failed to read or open CA File: %s.\n", CONFIG_DB_CA) return } roots.AppendCertsFromPEM(ca) tlsConfig := &tls.Config{ Certificates: []tls.Certificate{cer}, RootCAs: roots, } conn, err := tls.Dial("tcp", "customhost:port", tlsConfig) if err != nil { fmt.Printf("failed to connect: %v.\n", err) return } err = conn.VerifyHostname("customhost") if err != nil { panic("Hostname doesn't match with certificate: " + err.Error()) } for i, cert := range conn.ConnectionState().PeerCertificates { prefix := fmt.Sprintf("CERT%d::", i+1) fmt.Printf("%sIssuer: %s\n", prefix, cert.Issuer) fmt.Printf("%sExpiry: %v\n", prefix, cert.NotAfter.Format(time.RFC850)) fmt.Printf("%sDNSNames: %v\n\n", prefix, cert.DNSNames) } fmt.Printf("Success!")}我有点卡住了,不知道问题是我的tls代码配置和我加载证书的方式,还是来自SSL证书配置错误,但来自什么证书看起来很好。我觉得加载的证书因任何原因都被忽略了
1 回答
慕容3067478
TA贡献1773条经验 获得超3个赞
您需要在源头解决问题并生成带有字段的证书 - 然后运行时检查将消失。DNSSANGo
这是可以实现的,但很棘手,因为它需要一个配置文件 - 因为SAN字段选项太宽泛,不适合简单的命令行选项。openssl
一般的要点是,创建一个企业社会责任:
openssl req -new \
-subj "${SUBJ_PREFIX}/CN=${DNS}/emailAddress=${EMAIL}" \
-key "${KEY}" \
-addext "subjectAltName = DNS:${DNS}" \
-out "${CSR}"
,然后用您的 :CSRroot CA
openssl ca \
-create_serial \
-cert "${ROOT_CRT}" \
-keyfile "${ROOT_KEY}" \
-days "${CERT_LIFETIME}" \
-in "${CSR}" \
-batch \
-config "${CA_CONF}" \
-out "${CRT}"
CA_CONF上面引用的内容如下所示:
[ ca ]
default_ca = my_ca
[ my_ca ]
dir = ./db
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/tmp
x509_extensions = my_cert
name_opt = ca_default
cert_opt = ca_default
default_md = default
policy = policy_match
# 'copy_extensions' will copy over SAN ("X509v3 Subject Alternative Name") from CSR
copy_extensions = copy
[ my_cert ]
basicConstraints = CA:FALSE
nsComment = "generated by https://github.com/me/my-pki"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ policy_match ]
# ensure CSR fields match that of delivered Cert
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
正在检查生成的服务器证书:
openssl x509 -in server.crt -noout -text
然后应该有一个部分,如:SAN
X509v3 Subject Alternative Name:
DNS:myserver.com
添加回答
举报
0/150
提交
取消