问题描述
我正在设置 hawkBit 服务器和 swupdate 并启用 SSL/TLS (HTTPS)。步骤是:
-
生成密钥
# Generate self signed root CA cert: ca.crt and ca.key openssl req -nodes -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 3650 # Input the info with CN is <domain> # Generate server cert to be signed: server.csr and server.key openssl req -nodes -newkey rsa:2048 -keyout server.key -days 1095 -out server.csr # Input the info with CN is <domain> # Sign the server csr: server.crt openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1095 -out server.crt # Create pkcs12: server.p12 openssl pkcs12 -export -out server.p12 -inkey server.key -in server.crt # Enter Export Password: # Verifying - Enter Export Password: # import pkcs#12 to Java key store keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 \ -destkeystore server.jks -deststoretype pkcs12 \ -alias 1 -deststorepass <pass> -srcstorepass <pass>
-
配置hawkBit
hawkbit.artifact.url.protocols.download-http.protocol=https hawkbit.artifact.url.protocols.download-http.port=<port> security.require-ssl=true server.use-forward-headers=true server.ssl.key-store=/home/huong/software-update-server/hawkbit/hawkbit-runtime/hawkbit-update-server/jks/self_signed.p12 server.ssl.key-store-password=<pass> server.ssl.key-password=<pass> server.ssl.enabled=true server.ssl.protocol=TLS server.ssl.enabled-protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
此时,我可以在浏览器上使用 https 访问 hawkBit。
-
配置swupdate
-
启用:
CONfig_CURL_SSL
、CONfig_DOWNLOAD_SSL
、CONfig_CHANNEL_CURL_SSL
和CONfig_SURICATTA_SSL
-
运行命令:
swupdate -v -k /etc/public.pem -f /suricatta.cfg -u ""
-
带有 suricatta 部分的 suricatta.cfg:
suricatta : { tenant = "DEFAULT"; id = "dev01"; confirm = 0; url = "https://<domain>:<port>"; polldelay = 20; nocheckcert = false; retry = 4; retrywait = 200; loglevel = 10; userid = 1000; groupid = 1000; cafile = "/ca.crt"; sslkey = "/server.key"; sslcert = "/server.crt"; gatewaytoken = "<getway_token>"; /* targettoken = "3bc13b476cb3962a0c63a5c92beacfh7"; */ };
[DEBUG] : SWUPDATE running : [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
* Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#0)
* found 1 certificates in /ca.crt
* ALPN,offering http/1.1
* error reading X.509 key or certificate file
* Closing connection 0
[ERROR] : SWUPDATE Failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation Failed (35): 'SSL connect error'
当通过命令运行swupdate时:swupdate -v -k /etc/public.pem --ca-path="/chain.pem" -u '-t DEFAULT -u https://<domain>:<port> -i dev01 -g <getway_token>'
,其中chain.pem是服务器的公钥(由openssl rsa -in server.key -pubout -out chain.pem
存档),或者chain.pem是ca的公钥或公钥链ca和服务器,日志显示错误:
[DEBUG] : SWUPDATE running : [channel_get] : Trying to GET https://<domain>:<port>/DEFAULT/controller/v1/dev01
* Trying <ip_addr>...
* TCP_NODELAY set
* Connected to <domain> (<ip_addr>) port <port> (#1)
* ALPN,offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification Failed. CAfile: none CRLfile: none
* Closing connection 1
[ERROR] : SWUPDATE Failed [0] ERROR corelib/channel_curl.c : channel_get : 1091 : Channel get operation Failed (60): 'SSL peer certificate or SSH remote key was not OK'
请不要告诉我使用 server.crt 或 server.p12 或 ca.crt 作为 --ca-path
因为它显示错误:
[ERROR] : SWUPDATE Failed [0] ERROR corelib/swupdate_rsa_verify.c : load_pubkey : 52 : unable to load key filename /chain.pem
[ERROR] : SWUPDATE Failed [0] ERROR corelib/verify_signature.c : swupdate_dgst_init : 135 : Error loading pub key from /chain.pem
而且我认为 PEM_read_bio_PUBKEY
无法从证书中获取公钥。
在hawkBit日志中,我没有发现任何奇怪的日志。
所以请指导我配置 swupdate 以在启用 SSL/TLS 的情况下与 hawkBit 一起运行。
- 我必须在 swupdate 端使用哪个证书/密钥?
- 我应该使用配置文件而不是
--ca-path
参数吗?
提前致谢!
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!
如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。
小编邮箱:dio#foxmail.com (将#修改为@)