How to use self-signed certificates with curl


I generated the SSL certificates with the following commands.

C=PL
ST=Mazovia
L=Warsaw
O="PHP-HTTP"
CN="192.168.56.10"

openssl req -out ca.pem -new -x509 -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-server" -passout pass:password

openssl genrsa -out server.key
openssl req -key server.key -new -out server.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=$CN" -passout pass:password
openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out server.pem -passin pass:password

openssl genrsa -out client.key
openssl req -key client.key -new -out client.req -subj "/C=$C/ST=$ST/L=$L/O=$O/CN=socket-adapter-client" -passout pass:password
openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial file.srl -out client.pem -passin pass:password

Installed them for the dockerd daemon:

sudo cp ca.pem /root/.docker/
sudo cp server.key /root/.docker/key.pem
sudo cp server.pem /root/.docker/cert.pem

Enabled by adding --tlsverify (Alpine Linux).

Connected successfully to the /version endpoint from a PHP script:

<?php
// Symfony HttpClient: mutual TLS to the Docker daemon with the generated CA and client cert/key.
use Symfony\Component\HttpClient\CurlHttpClient;

$client = new CurlHttpClient([
//  'bindto' => '/var/run/docker.sock',
    'cafile' => __DIR__ . '/../../../ssl-test/ca.pem',          // trust anchor for the server certificate
    'local_cert' => __DIR__ . '/../../../ssl-test/client.pem',  // client certificate presented to dockerd
    'local_pk' => __DIR__ . '/../../../ssl-test/client.key',    // matching client private key
//  'verify_host' => false,
]);
$response = $client->request(
    'GET',
    'https://192.168.56.10:2376/version'
);

I want to establish that same connection with a regular curl command, but whatever combination of --cacert and --cert options I use, I get an error. How do I need to put the output files together to get a working connection?

Edit > System: WSL2 Ubuntu 22.04.3 LTS

Answer 1

curl -vv helped a lot. I thought it was expecting a specific certificate format, and it turned out that curl needs both the private key client.key (pkey) and client.pem (cert) in a single file.

[~] cat client.pem >> cert-and-key.pem
[~] cat client.key >> cert-and-key.pem
[~] curl -vv --cacert ca.pem --cert cert-and-key.pem https://192.168.56.10:2376/version

Note: alternatively, instead of --cacert ca.pem you can also use -k or --insecure (not recommended).

Output:

*   Trying 192.168.56.10:2376...
* Connected to 192.168.56.10 (192.168.56.10) port 2376 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: ca.pem
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=192.168.56.10
*  start date: Dec  2 23:15:27 2023 GMT
*  expire date: Jan  1 23:15:27 2024 GMT
*  common name: 192.168.56.10 (matched)
*  issuer: C=PL; ST=Mazovia; L=Warsaw; O=PHP-HTTP; CN=socket-server
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET /version HTTP/1.1
> Host: 192.168.56.10:2376
> User-Agent: curl/7.81.0
> Accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Api-Version: 1.42
< Content-Type: application/json
< Docker-Experimental: false
< Ostype: linux
< Server: Docker/23.0.6 (linux)
< Date: Sun, 03 Dec 2023 15:23:48 GMT
< Content-Length: 873
<
{"Platform":{"Name":""},"Components":[{"Name":"Engine","Version":"23.0.6","Details":{"ApiVersion":"1.42","Arch":"amd64","BuildTime":"2023-10-12T14:14:03.000000000+00:00","Experimental":"false","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","KernelVersion":"6.1.60-0-virt","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"v1.7.2","Details":{"GitCommit":"0cae528dd6cb557f7201036e9f43420650207b58"}},{"Name":"runc","Version":"1.1.7","Details":{"GitCommit":"860f061b76bb4fc671f0f9e900f7d80ff93d4eb7"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":""}}],"Version":"23.0.6","ApiVersion":"1.42","MinAPIVersion":"1.12","GitCommit":"9dbdbd4b6d7681bd18c897a6ba0376073c2a72ff","GoVersion":"go1.20.10","Os":"linux","Arch":"amd64","KernelVersion":"6.1.60-0-virt","BuildTime":"2023-10-12T14:14:03.000000000+00:00"}
* Connection #0 to host 192.168.56.10 left intact
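As an added example (not part of the original answer), a POSIX shell script that assembles the cert-and-key.pem bundle the answer describes, but checks first that client.key actually belongs to client.pem and that client.pem chains to ca.pem, since either mismatch surfaces only as an opaque handshake failure in curl. gen_test_pki builds a constructed, throwaway PKI with the same file names as the question so the script runs offline; it needs only openssl.

```shell
#!/bin/sh
# Added example, not from the original post: build the single file curl
# expects for --cert, after checking the key/cert pair and the CA chain.
set -eu

# Usage: make_client_bundle CA_CERT CLIENT_CERT CLIENT_KEY OUT_FILE
make_client_bundle() {
    ca="$1"; cert="$2"; key="$3"; out="$4"
    # Compare the public key inside the certificate with the one derived
    # from the private key; a mismatch means curl would fail the handshake.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
    # dockerd --tlsverify only accepts client certs signed by ca.pem.
    openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
    cat "$cert" "$key" > "$out"
    chmod 600 "$out"   # the bundle now contains a private key
}

# Constructed throwaway PKI in a temp dir, mirroring the question's layout
# (CA key written to privkey.pem, client cert signed by ca.pem).
gen_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/privkey.pem" \
        -out "$dir/ca.pem" -subj "/O=PHP-HTTP/CN=socket-server" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.req" -subj "/O=PHP-HTTP/CN=socket-adapter-client" 2>/dev/null
    openssl x509 -req -in "$dir/client.req" -CA "$dir/ca.pem" -CAkey "$dir/privkey.pem" \
        -CAcreateserial -out "$dir/client.pem" -days 1 2>/dev/null
    # An unrelated key, to show the mismatch check firing.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}
```

curl also accepts the two files separately with --cert client.pem --key client.key; the bundle is only a convenience, and either way the private key file should stay readable by the calling user alone.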
