duanmin0941 2019-06-17 13:17
浏览 114

如何将CAFile添加到我们的证书中

We are using a web server in a docker container. At the moment our public private key is working fine. The problem we have is that our CAFile is not being included as an offered certificate when we test our site with https://www.ssllabs.com/. After reviewing solutions, I attempted to add the certification to a caCertPool and added it to the configutation. Even after doing that, SSL Labs still says it does not see it and we still get a B Score. Here is a code snippet of what I am attempting without luck so far. 

certs, err := newStaticCerts(&static.Config{UseStaticFiles: cfg.IsProduction, FallbackToDisk: true, AbsPkgPath: getMessagePath()})
        if err != nil {
            log.WithFields(log.F("error", err)).Fatal("Issue initializing static certs")
        }

        httpKey, err := certs.ReadFile("/certs/website.com.key")
        if err != nil {
            log.WithFields(log.F("error", err)).Fatal("Issue loading tls key")
        }

        httpPem, err := certs.ReadFile("/certs/website.com.pem")
        if err != nil {
            log.WithFields(log.F("error", err)).Fatal("Issue loading tls pem")
        }

        caFilePem, err := certs.ReadFile("/certs/CAFile.pem")
        if log.CheckErr(err, "Issue loading CAFile pem") {
            return
        }

        // Load client cert
        cert, err := tls.X509KeyPair(httpPem, httpKey)
        if err != nil {
            log.Fatal(err)
        }

        caCertPool := x509.NewCertPool()
        caCertPool.AppendCertsFromPEM(caFilePem)

        tlsConfig := &tls.Config{
            MinVersion:               tls.VersionTLS12,
            CurvePreferences:         []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256},
            PreferServerCipherSuites: true,
            CipherSuites: []uint16{
                tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
                tls.TLS_RSA_WITH_AES_256_CBC_SHA,
            },
            Certificates: []tls.Certificate{cert},
            RootCAs:      caCertPool,
        }

        tlsConfig.BuildNameToCertificate()

        //server := &http.Server{Addr: ":" + strconv.Itoa(cfg.AppPort), Handler: p.Serve(), TLSConfig: tlsConfig}
        srv := &http.Server{
            Addr:         ":" + strconv.Itoa(cfg.AppPort),
            Handler:      p.Serve(),
            TLSConfig:    tlsConfig,
            TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler), 0),
        }

        err = kmshttp.RunServer(srv)
        if log.CheckErr(err, "shutting down server") {
            return
        }

The problem is when we check our Certification Paths, our RSA CA is an "Extra download" and not included on our site.

  • 写回答

1条回答 默认 最新

  • dongzouxigu12345 2019-06-17 13:52
    关注

    From the tls.Config documentation:

    Certificates contains one or more certificate chains to present to the other side of the connection.

    [...]

    RootCAs defines the set of root certificate authorities that clients use when verifying server certificates.

    The RootCAs field does nothing for servers. You only need to set the complete certificate chain in the Certificates field (excluding the root CA; that wouldn't technically break anything but waste bandwidth).

    You haven't shown what certs.ReadFile does, but you only need to ensure that it returns the PEM encoded leaf certificate and the intermediate(s) (i.e. the one that's an "extra download"), concatenated in that order. tls.X509KeyPair builds the chain automatically.

    评论

报告相同问题?

悬赏问题

  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 划分vlan后不通了
  • ¥15 GDI处理通道视频时总是带有白色锯齿
  • ¥20 用雷电模拟器安装百达屋apk一直闪退
  • ¥15 算能科技20240506咨询(拒绝大模型回答)
  • ¥15 自适应 AR 模型 参数估计Matlab程序
  • ¥100 角动量包络面如何用MATLAB绘制
  • ¥15 merge函数占用内存过大
  • ¥15 使用EMD去噪处理RML2016数据集时候的原理
  • ¥15 神经网络预测均方误差很小 但是图像上看着差别太大