502 Bad Gateway when using mTLS with CRL certificate revocation on Nginx

Problem description

I want to use mTLS between my server and several clients, so the server verifies each client with its certificate. Each client sends its certificate to the server, the server verifies it, and then they can communicate.

So I used OpenSSL to create a CA, a server certificate and two client certificates. I have set up the live server, configured DNS, and applied that server certificate to it using the CA. On my local machine I set up two virtual hosts that proxy to my live server with their client certificates. When I call those local virtual hosts, they return a 502 Bad Gateway error.

Here is my server Nginx config

server {
  listen *:443;
  ssl on;
  server_name ssl2way.cowlar.com;

  ssl_certificate        /etc/nginx/ssl2way/server.crt;
  ssl_certificate_key    /etc/nginx/ssl2way/server.key;
  ssl_client_certificate /etc/nginx/ssl2way/ca.crt;
  ssl_verify_client      on;
  ssl_crl                /etc/nginx/ssl2way/crl.pem;

  proxy_ssl_server_name on;
  ssl_verify_depth 2;

  ssl_prefer_server_ciphers on;

  keepalive_timeout 10;
  ssl_session_timeout 5m;

  location / {
    root /usr/share/nginx/html;
    index index.html index.htm;
  }
}

Here is my local virtual host client config

Client1

server {
  listen 80;
  listen [::]:80;

  server_name cowlarc1.local;

  location / {
          proxy_pass https://ssl2way.cowlar.com/;
          proxy_ssl_certificate         /etc/nginx/certs/client.crt;
          proxy_ssl_certificate_key     /etc/nginx/certs/client.key;

          proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
          proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;

          proxy_ssl_verify        on;
          proxy_ssl_verify_depth  2;
          proxy_ssl_session_reuse on;

          try_files $uri $uri/ =404;
  }
}

Client2

server {
  listen 80;
  listen [::]:80;

  server_name cowlarc2.local;

  location / {
          proxy_pass https://ssl2way.cowlar.com/;
          proxy_ssl_certificate         /etc/nginx/certs/client2.crt;
          proxy_ssl_certificate_key     /etc/nginx/certs/client2.key;

          proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
          proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;

          proxy_ssl_verify        on;
          proxy_ssl_verify_depth  2;
          proxy_ssl_session_reuse on;

          try_files $uri $uri/ =404;
  }
}

I am creating my certificates by following this link: https://www.integralist.co.uk/posts/client-cert-authentication/

Here is my OpenSSL config file

#
# OpenSSL configuration file.
#

# Establish working directory.
dir            = .

[ ca ]
default_ca     = CA_default

[ CA_default ]
serial           = $dir/serial
database         = $dir/certindex.txt
new_certs_dir    = $dir/
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_days     = 365
default_md       = sha256
default_crl_days = 30
preserve         = no
email_in_dn      = yes
nameopt          = default_ca
certopt          = default_ca
policy           = policy_match
crl_dir          = $dir/
crlnumber        = $crl_dir/crlnumber
crl_extensions   = crl_ext
x509_extensions  = usr_cert
copy_extensions  = copy

[ policy_match ]
countryName            = match    # Must be the same as the CA
stateOrProvinceName    = optional # not required
organizationName       = optional # not required
organizationalUnitName = optional # not required
commonName             = supplied # must be there, whatever it is
emailAddress           = supplied # must be there, whatever it is

[ crl_ext ]
authorityKeyIdentifier = keyid:always,issuer:always

[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
#crldistributionPoints  = URI:http://ssl2way.com/ca/crl.pem # this should be updated to be unique to the CA

[ req ]
default_bits       = 4096    # Size of keys
default_keyfile    = key.pem # name of generated keys
default_md         = sha256     # message digest algorithm
string_mask        = nombstr # permitted characters
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
# Variable name             Prompt string
#-------------------------    ----------------------------------
0.organizationName     = Organization Name (company)
organizationalUnitName = Organizational Unit Name (department, division)
emailAddress           = Email Address
emailAddress_max       = 40
localityName           = Locality Name (city, district)
stateOrProvinceName    = State or Province Name (full name)
countryName            = Country Name (2 letter code)
countryName_min        = 2
countryName_max        = 2
commonName             = Common Name (hostname, IP, or your name)
commonName_max         = 64

# Default values for the above, for consistency and less typing.
# Variable name             Value
#------------------------     ------------------------------
0.organizationName_default  = Cowlar
localityName_default        = My Town
stateOrProvinceName_default = State or Providence
countryName_default         = PK

[ v3_ca ]
basicConstraints            = CA:TRUE
subjectKeyIdentifier        = hash
authorityKeyIdentifier      = keyid:always,issuer:always

[ v3_req ]
basicConstraints            = CA:FALSE
subjectKeyIdentifier        = hash

Any help would be greatly appreciated.
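An added example, not code from the original question or from the linked guide: it reproduces with plain openssl the decision nginx makes for a client certificate when `ssl_client_certificate` and `ssl_crl` are configured (the leaf must chain to ca.crt and must not appear in crl.pem), so that a rejected client can be diagnosed outside nginx. Note that when the mTLS server itself rejects a client certificate, nginx answers 400, while the 502 seen here is raised by the local proxying nginx when its own TLS handshake with the upstream fails (a `proxy_ssl_verify` or handshake error in the local error log); the chain and CRL checks below are the same ones both sides perform. The script builds a throwaway CA, two client certificates and a CRL in a scratch directory (the names `CA_DIR`, `client1` and `client2` and the minimal config file are assumptions), revokes one client and re-checks, and prints the CRL's nextUpdate, since an expired CRL makes OpenSSL reject every client.

```sh
#!/bin/sh
# Added example (not from the original question): rebuild the chain + CRL
# check nginx performs, with a toy CA in a scratch directory.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # assumption: scratch directory for the toy CA

# One config file serving both `openssl req` ([ req ]) and `openssl ca`
# ([ ca ]); it carries only the keys that -revoke and -gencrl need.
write_ca_config() {
  cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = toy_ca
[ toy_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
serial           = \$dir/serial
new_certs_dir    = \$dir
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_crl_days = 30
EOF
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  echo 01 > "$CA_DIR/crlnumber"
}

# Self-signed CA, playing the role of ca.crt / ca.key in the question.
make_ca() {
  openssl req -config "$CA_DIR/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/C=PK/O=Cowlar/CN=Toy mTLS CA" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Leaf certificate for one client, signed by the CA (client.crt / client2.crt).
make_client() {   # $1 = client name
  openssl req -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=PK/O=Cowlar/CN=$1" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$CA_DIR/$1.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -out "$CA_DIR/$1.crt" 2>/dev/null
}

# (Re)issue crl.pem. nginx reads the file named in ssl_crl only at start or
# reload, so each revocation needs a fresh CRL followed by a reload.
gen_crl() {
  openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

revoke_client() {   # $1 = client name
  openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" 2>/dev/null
  gen_crl
}

# The decision nginx makes with ssl_verify_client on + ssl_crl: chain to
# ca.crt, then consult crl.pem. Returns 0 only when the client is accepted.
verify_client() {   # $1 = client name
  if openssl verify -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
       -crl_check "$CA_DIR/$1.crt" >/dev/null 2>&1; then
    echo "$1: accepted"
  else
    echo "$1: rejected (revoked, or does not chain to the CA)"
    return 1
  fi
}

# Once nextUpdate has passed, OpenSSL rejects every client with "CRL has
# expired"; with default_crl_days = 30 that happens a month after -gencrl.
crl_next_update() {
  openssl crl -in "$CA_DIR/crl.pem" -noout -nextupdate
}

write_ca_config
make_ca
make_client client1
make_client client2
gen_crl
verify_client client1
verify_client client2
revoke_client client2
verify_client client1          # still accepted
verify_client client2 || true  # now rejected by the CRL
crl_next_update
```

Run it with a real `ca.crt`, `crl.pem` and client certificate by pointing `CA_DIR` at a copy of those files and calling only `verify_client` and `crl_next_update`; if `openssl verify` accepts the client but nginx still fails, the problem is on the proxy side of the handshake rather than in the CRL.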

Solution

No working solution for this problem has been found yet; the editors are still looking for one.
