2018-11-11-mosquitto-配置基於CA的SSL-TLS登入
阿新 • • 發佈:2018-12-21
mosquitto
在Mosquitto中配置基於certificate的TLS/SSL
證書
首先要搞個證書,官方文件有,非常好,照敲。
先把官方的過程列下來,後面我的過程也有
建立 ca.key ca.crt
openssl req -new -x509 -days <duration> -extensions v3_ca -keyout ca.key -out ca.crt
#<duration>指的是日期
服務端
# 建立一個服務端Key openssl genrsa -des3 -out server.key 2048 # 建立csr,key openssl req -out server.csr -key server.key -new # 注意,當要求輸入CN(common name)的時候,請輸入你伺服器的域名或者IP # 傳送CSR給CA或者用自己的CA key簽名,哈哈,拙劣的翻譯~ # Send the CSR to the CA, or sign it with your CA key: openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <duration>
客戶端
# 建立一個客戶端key openssl genrsa -des3 -out client.key 2048 # 建立csr openssl req -out client.csr -key client.key -new # 傳送CSR給CA或者用自己的CA key簽名 # Send the CSR to the CA, or sign it with your CA key: openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days <duration>
我的過程
首先建立ca.key和ca.crt,注意這裡有個坑,倒2行的Common Name,等等服務端和客戶端設定過程中也有這個,ca的Common Name 的值不能和客戶端和服務端的Common Name值一樣,否則無效
-days 我就設定365了,畢竟是測試用。
[email protected]:/etc/mosquitto# mkdir ca [email protected]:/etc/mosquitto# cd ca [email protected]:/etc/mosquitto/ca# openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt Generating a 2048 bit RSA private key ............+++ ...............................................................+++ writing new private key to 'ca.key' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:cn State or Province Name (full name) [Some-State]:fj Locality Name (eg, city) []:fz Organization Name (eg, company) [Internet Widgits Pty Ltd]:wecon Organizational Unit Name (eg, section) []:r3 # 就是這個,和後面的不能一樣 Common Name (e.g. server FQDN or YOUR name) []:linxingyang Email Address []:.
這步走完生成了兩個檔案
[email protected]:/etc/mosquitto/ca# ll
total 16
drwxr-xr-x 2 root root 4096 Nov 11 17:27 ./
drwxr-xr-x 3 root root 4096 Nov 11 17:26 ../
-rw-r--r-- 1 root root 1285 Nov 11 17:27 ca.crt
-rw-r--r-- 1 root root 1834 Nov 11 17:27 ca.key
服務端
[email protected]:/etc/mosquitto/ca# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
...................+++
e is 65537 (0x10001)
# 注意,這裡設定的就是服務端的密碼,啟動mosquitto服務要用到
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[email protected]:/etc/mosquitto/ca# openssl req -out server.csr -key server.key -new
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:fj
Locality Name (eg, city) []:fz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wecon
Organizational Unit Name (eg, section) []:r3
# 這裡設定成主機的ip了,沒試過別的行不行
Common Name (e.g. server FQDN or YOUR name) []:192.168.193.128
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lxy128server
An optional company name []:.
[email protected]:/etc/mosquitto/ca# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
Signature ok
subject=/C=cn/ST=fj/L=fz/O=wecon/OU=r3/CN=192.168.193.128
Getting CA Private Key
Enter pass phrase for ca.key:
這步走完ca目錄下有這些檔案
[email protected]:/etc/mosquitto/ca# ll
total 32
drwxr-xr-x 2 root root 4096 Nov 9 23:13 ./
drwxr-xr-x 4 root root 4096 Nov 9 23:06 ../
-rw-r--r-- 1 root root 1285 Nov 9 23:09 ca.crt
-rw-r--r-- 1 root root 1834 Nov 9 23:09 ca.key
-rw-r--r-- 1 root root 17 Nov 9 23:13 ca.srl
-rw-r--r-- 1 root root 1172 Nov 9 23:13 server.crt
-rw-r--r-- 1 root root 1029 Nov 9 23:12 server.csr
-rw-r--r-- 1 root root 1743 Nov 9 23:11 server.key
客戶端
[email protected]:/etc/mosquitto/ca# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
......+++
e is 65537 (0x10001)
# 注意,這裡設定的是客戶端sub/pub的時候需要的密碼
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:
[email protected]:/etc/mosquitto/ca# openssl req -out client.csr -key client.key -new
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:fj
Locality Name (eg, city) []:fz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wecon
Organizational Unit Name (eg, section) []:r3
Common Name (e.g. server FQDN or YOUR name) []:192.168.193.128
Email Address []:.
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lxy128client
An optional company name []:.
[email protected]:/etc/mosquitto/ca# openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
Signature ok
subject=/C=cn/ST=fj/L=fz/O=wecon/OU=r3/CN=192.168.193.128
Getting CA Private Key
Enter pass phrase for ca.key:
打完這一套,就有下面這些個檔案
[email protected]:/etc/mosquitto/ca# ll
total 44
drwxr-xr-x 2 root root 4096 Nov 9 23:15 ./
drwxr-xr-x 4 root root 4096 Nov 9 23:06 ../
-rw-r--r-- 1 root root 1285 Nov 9 23:09 ca.crt
-rw-r--r-- 1 root root 1834 Nov 9 23:09 ca.key
-rw-r--r-- 1 root root 17 Nov 9 23:15 ca.srl
-rw-r--r-- 1 root root 1172 Nov 9 23:15 client.crt
-rw-r--r-- 1 root root 1029 Nov 9 23:14 client.csr
-rw-r--r-- 1 root root 1743 Nov 9 23:13 client.key
-rw-r--r-- 1 root root 1172 Nov 9 23:13 server.crt
-rw-r--r-- 1 root root 1029 Nov 9 23:12 server.csr
-rw-r--r-- 1 root root 1743 Nov 9 23:11 server.key
配置
到mosquitto.conf中進行配置,注意我這裡直接修改預設的listener,然後修改埠為8883
# =================================================================
# Default listener
# =================================================================
port 8883
cafile /etc/mosquitto/ca/ca.crt
keyfile /etc/mosquitto/ca/server.key
certfile /etc/mosquitto/ca/server.crt
tls_version tlsv1
require_certificate true
# 因為我後面有配置密碼檔案,所以需要用賬號密碼登入
# password_file /etc/mosquitto/pwfile.conf
use_identity_as_username false
配置完準備重啟,這裡踩了一個坑~,
該坑如下,極其熟練的加了引數 -d,後臺執行
mosquitto -c /etc/mosquitto/mosquitto.conf -d
然後日誌中報了一個錯
1541833572: mosquitto version 1.5.3 starting
1541833572: Config loaded from /etc/mosquitto/mosquitto.conf.
1541833572: Opening ipv4 listen socket on port 8883.
1541833572: Opening ipv6 listen socket on port 8883.
1541833572: Error: Unable to load server key file "/etc/mosquitto/ca/server.key". Check keyfile.
1541833572: Error: Invalid argument
首先以為是路徑錯了,確認確認再確認,沒問題
找了幾篇文章:
mosquitto作者Roger Light說該bug mosquitto1.4分支已修復。
有人說說是檔案許可權問題,要把ca證書所在的路徑許可權賦給 mosquitto.conf中配置的user(預設是mosquitto),但是我早就改成root了,這個應該沒問題。
還有人說檔案要放在 /etc/mosquitto/certs/ 下才行。試了,也不行。
撓頭中…
忽然想起來,好像哪裡說過不能後臺啟動,把 -d 去了,提示輸入密碼,輸入前面設定的服務端的密碼
[email protected]:/etc/mosquitto/ca# mosquitto -c /etc/mosquitto/mosquitto.conf
Enter PEM pass phrase:
看到日誌沒有報錯,成功了。
1541842331: mosquitto version 1.5.3 starting
1541842331: Config loaded from /etc/mosquitto/mosquitto.conf.
1541842331: Opening ipv4 listen socket on port 8883.
1541842331: Opening ipv6 listen socket on port 8883.
1541842337: Warning: Mosquitto should not be run as root/administrator.
只因為多加了一個 -d ,繞地球一圈找解決方案~
測試
啟動成功,測測
訂閱
[email protected]:/etc/mosquitto/certs# mosquitto_sub -h 192.168.193.128 -p 8883 -t "ssl/topic/#" --tls-version tlsv1 --cafile /etc/mosquitto/ca/ca.crt --cert /etc/mosquitto/ca/client.crt --key /etc/mosquitto/ca/client.key -u lxy128 -P lxy128
Enter PEM pass phrase:
沒想到要打這麼長一段,回車後輸入的是前面設定的證書客戶端的密碼
-h 主機
-p 埠
-t 話題,訂閱 ssl/topic/下的所有話題
--tls-version 因為mosquitto.conf中配置了tlsv1,這裡也要配tlsv1
--cafile 指定ca.crt
--cert 客戶端的client.crt
--key 客戶端的client.key
因為我後臺使用password_file,所以還要帶上使用者名稱密碼,如果
這項 use_identity_as_username設為 true,那就不用了
-u lxy128 賬號
-P lxy128 密碼
後臺日誌
1541842539: New connection from 192.168.193.128 on port 8883.
1541842543: New client connected from 192.168.193.128 as mosqsub|19778-ubuntu (c1, k60, u'lxy128').
釋出,也是老長了
[email protected]:/etc/mosquitto/db# mosquitto_pub -h 192.168.193.128 -p 8883 -t "ssl/topic/128" --tls-version tlsv1 --cafile /etc/mosquitto/ca/ca.crt --cert /etc/mosquitto/ca/client.crt --key /etc/mosquitto/ca/client.key -m "i'm 128, msg to 128, port 8883" -u lxy128 -P lxy128
Enter PEM pass phrase:
配置項基本和訂閱一樣,也是需要密碼
監聽端收到訊息了
[email protected]:/etc/mosquitto/certs# mosquitto_sub -h 192.168.193.128 -p 8883 -t "ssl/topic/#" --tls-version tlsv1 --cafile /etc/mosquitto/ca/ca.crt --cert /etc/mosquitto/ca/client.crt --key /etc/mosquitto/ca/client.key -u lxy128 -P lxy128
Enter PEM pass phrase:
i'm 128, msg to 128, port 8883
截個圖,看看加密後的效果
下一步準備橋接的TLS玩一下