2018-11-11 mosquitto: configuring CA-based SSL/TLS login

mosquitto

Configuring certificate-based TLS/SSL in Mosquitto

Certificates

First you need a certificate. The official documentation covers this very well; just type along.

I'll list the official steps first; my own run follows below.

Create ca.key and ca.crt

openssl req -new -x509 -days <duration> -extensions v3_ca -keyout ca.key -out ca.crt

# <duration> is the validity period in days

Server

# Create a server key
openssl genrsa -des3 -out server.key 2048

# Create the CSR from the key
openssl req -out server.csr -key server.key -new

# Note: when asked for the CN (common name), enter your server's domain name or IP

# Send the CSR to the CA, or sign it with your own CA key (haha, a clumsy translation~)
# Send the CSR to the CA, or sign it with your CA key:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days <duration>

Client

# Create a client key
openssl genrsa -des3 -out client.key 2048

# Create the CSR
openssl req -out client.csr -key client.key -new

# Send the CSR to the CA, or sign it with your own CA key
# Send the CSR to the CA, or sign it with your CA key:
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days <duration>

My run

First create ca.key and ca.crt. Watch out for a pitfall here: the second-to-last prompt, Common Name, also appears in the server and client setup later, and the CA's Common Name must not be the same as the client's or the server's Common Name, otherwise the certificates are invalid.

I set -days to 365, since this is only for testing.

root@ubuntu:/etc/mosquitto# mkdir ca
root@ubuntu:/etc/mosquitto# cd ca
root@ubuntu:/etc/mosquitto/ca# openssl req -new -x509 -days 365 -extensions v3_ca -keyout ca.key -out ca.crt
Generating a 2048 bit RSA private key
............+++
...............................................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:fj
Locality Name (eg, city) []:fz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wecon
Organizational Unit Name (eg, section) []:r3
# This is the one: it must differ from the ones entered later
Common Name (e.g. server FQDN or YOUR name) []:linxingyang
Email Address []:.

After this step two files have been generated

root@ubuntu:/etc/mosquitto/ca# ll
total 16
drwxr-xr-x 2 root root 4096 Nov 11 17:27 ./
drwxr-xr-x 3 root root 4096 Nov 11 17:26 ../
-rw-r--r-- 1 root root 1285 Nov 11 17:27 ca.crt
-rw-r--r-- 1 root root 1834 Nov 11 17:27 ca.key

Server

root@ubuntu:/etc/mosquitto/ca# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........+++
...................+++
e is 65537 (0x10001)
# Note: this is the server's passphrase; you will need it to start the mosquitto service
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:



root@ubuntu:/etc/mosquitto/ca# openssl req -out server.csr -key server.key -new
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:fj
Locality Name (eg, city) []:fz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wecon
Organizational Unit Name (eg, section) []:r3
# I set this to the host's IP; I haven't tried whether anything else works
Common Name (e.g. server FQDN or YOUR name) []:192.168.193.128
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lxy128server
An optional company name []:.



root@ubuntu:/etc/mosquitto/ca# openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
Signature ok
subject=/C=cn/ST=fj/L=fz/O=wecon/OU=r3/CN=192.168.193.128
Getting CA Private Key
Enter pass phrase for ca.key:

After this step the ca directory contains these files

root@ubuntu:/etc/mosquitto/ca# ll
total 32
drwxr-xr-x 2 root root 4096 Nov  9 23:13 ./
drwxr-xr-x 4 root root 4096 Nov  9 23:06 ../
-rw-r--r-- 1 root root 1285 Nov  9 23:09 ca.crt
-rw-r--r-- 1 root root 1834 Nov  9 23:09 ca.key
-rw-r--r-- 1 root root   17 Nov  9 23:13 ca.srl
-rw-r--r-- 1 root root 1172 Nov  9 23:13 server.crt
-rw-r--r-- 1 root root 1029 Nov  9 23:12 server.csr
-rw-r--r-- 1 root root 1743 Nov  9 23:11 server.key

Client

root@ubuntu:/etc/mosquitto/ca# openssl genrsa -des3 -out client.key 2048
Generating RSA private key, 2048 bit long modulus
......+++
......+++
e is 65537 (0x10001)
# Note: this is the passphrase the client needs when it subscribes/publishes
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:


root@ubuntu:/etc/mosquitto/ca# openssl req -out client.csr -key client.key -new
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:fj
Locality Name (eg, city) []:fz
Organization Name (eg, company) [Internet Widgits Pty Ltd]:wecon
Organizational Unit Name (eg, section) []:r3
Common Name (e.g. server FQDN or YOUR name) []:192.168.193.128
Email Address []:.

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:lxy128client
An optional company name []:.



root@ubuntu:/etc/mosquitto/ca# openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365
Signature ok
subject=/C=cn/ST=fj/L=fz/O=wecon/OU=r3/CN=192.168.193.128
Getting CA Private Key
Enter pass phrase for ca.key:

Once this whole sequence is done, you have the following files

root@ubuntu:/etc/mosquitto/ca# ll
total 44
drwxr-xr-x 2 root root 4096 Nov  9 23:15 ./
drwxr-xr-x 4 root root 4096 Nov  9 23:06 ../
-rw-r--r-- 1 root root 1285 Nov  9 23:09 ca.crt
-rw-r--r-- 1 root root 1834 Nov  9 23:09 ca.key
-rw-r--r-- 1 root root   17 Nov  9 23:15 ca.srl
-rw-r--r-- 1 root root 1172 Nov  9 23:15 client.crt
-rw-r--r-- 1 root root 1029 Nov  9 23:14 client.csr
-rw-r--r-- 1 root root 1743 Nov  9 23:13 client.key
-rw-r--r-- 1 root root 1172 Nov  9 23:13 server.crt
-rw-r--r-- 1 root root 1029 Nov  9 23:12 server.csr
-rw-r--r-- 1 root root 1743 Nov  9 23:11 server.key

Configuration

Now configure mosquitto.conf. Note that I modify the default listener directly and change the port to 8883


# =================================================================
# Default listener
# =================================================================

port 8883
cafile /etc/mosquitto/ca/ca.crt
keyfile /etc/mosquitto/ca/server.key
certfile /etc/mosquitto/ca/server.crt
tls_version tlsv1
require_certificate true
# Because I configure a password file further down, logging in requires an account and password
# password_file /etc/mosquitto/pwfile.conf
use_identity_as_username false

With the configuration done I was about to restart, and here I hit a pitfall: out of sheer habit I added the -d parameter to run it in the background


mosquitto -c /etc/mosquitto/mosquitto.conf -d

Then the log reported an error


1541833572: mosquitto version 1.5.3 starting
1541833572: Config loaded from /etc/mosquitto/mosquitto.conf.
1541833572: Opening ipv4 listen socket on port 8883.
1541833572: Opening ipv6 listen socket on port 8883.
1541833572: Error: Unable to load server key file "/etc/mosquitto/ca/server.key". Check keyfile.
1541833572: Error: Invalid argument

At first I thought the path was wrong; checked, checked and checked again, it was fine.

I found a few articles:

Mosquitto's author Roger Light said this bug had already been fixed in the mosquitto 1.4 branch.

Some said it is a file permission problem: the directory holding the CA certificates must be granted to the user configured in mosquitto.conf (mosquitto by default), but I had long since changed that to root, so this should not be the issue.

Others said the files have to be placed under /etc/mosquitto/certs/. Tried that; didn't work either.

Head-scratching...

Then I suddenly remembered reading somewhere that it cannot be started in the background. I removed -d, got prompted for a passphrase, and entered the server passphrase set earlier

root@ubuntu:/etc/mosquitto/ca# mosquitto -c /etc/mosquitto/mosquitto.conf
Enter PEM pass phrase:

The log showed no errors; success.


1541842331: mosquitto version 1.5.3 starting
1541842331: Config loaded from /etc/mosquitto/mosquitto.conf.
1541842331: Opening ipv4 listen socket on port 8883.
1541842331: Opening ipv6 listen socket on port 8883.
1541842337: Warning: Mosquitto should not be run as root/administrator.

All because of one extra -d, I went around the world looking for a fix~
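The certificate steps above and the -d pitfall, as one added script that is not part of the original post: it rebuilds the CA, server and client material non-interactively with the same subject fields, refuses a leaf whose CN equals the CA's CN, verifies the chain, and writes the unencrypted server key a daemon needs. The scratch directory, the CA CN, the client CN and all passphrases are constructed values; OpenSSL is assumed to be installed.

```shell
# Added example, not the post's own commands: rebuild the CA, server and
# client material non-interactively, then run the checks the post did by eye.
# Assumes OpenSSL is installed; directory, CNs and passphrases are constructed.
set -eu
CA_DIR="${CA_DIR:-./ca-demo}"      # scratch dir (assumption), not /etc/mosquitto/ca
CA_PASS="ca-demo-pass"              # constructed; the post typed these at the prompt
SERVER_PASS="server-demo-pass"
CLIENT_PASS="client-demo-pass"
SERVER_CN="192.168.193.128"         # the post used the broker IP as the server CN
CLIENT_CN="mqtt-client-demo"        # constructed; must differ from the CA's CN

# Issue a CA-signed leaf cert, refusing a CN equal to the CA's CN (the pitfall
# the post warns about: such a leaf is treated as invalid).
issue_cert() {
  name="$1"; cn="$2"; pass="$3"
  ca_cn=$(openssl x509 -in "$CA_DIR/ca.crt" -noout -subject | sed 's/.*CN *= *//')
  if [ "$cn" = "$ca_cn" ]; then
    echo "refusing $name: CN '$cn' equals the CA CN" >&2
    return 1
  fi
  openssl genrsa -des3 -passout "pass:$pass" -out "$CA_DIR/$name.key" 2048 2>/dev/null
  openssl req -new -key "$CA_DIR/$name.key" -passin "pass:$pass" \
    -subj "/C=cn/ST=fj/L=fz/O=wecon/OU=r3/CN=$cn" -out "$CA_DIR/$name.csr"
  openssl x509 -req -in "$CA_DIR/$name.csr" -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -days 365 -out "$CA_DIR/$name.crt" 2>/dev/null
}

make_pki() {
  mkdir -p "$CA_DIR"
  # Self-signed CA; its CN (demo-ca) deliberately differs from every leaf CN.
  openssl req -new -x509 -days 365 -extensions v3_ca -newkey rsa:2048 \
    -passout "pass:$CA_PASS" -subj "/C=cn/ST=fj/L=fz/O=wecon/OU=r3/CN=demo-ca" \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  issue_cert server "$SERVER_CN" "$SERVER_PASS"
  issue_cert client "$CLIENT_CN" "$CLIENT_PASS"
}

# Chain check the post skipped: does ca.crt actually validate both leaves?
verify_chain() {
  openssl verify -CAfile "$CA_DIR/ca.crt" "$CA_DIR/server.crt" "$CA_DIR/client.crt" >/dev/null
}

# Why "mosquitto -d" failed in the post: a DES3-encrypted key needs a passphrase typed
# at a terminal, which a daemon has none of. An unencrypted copy (mode 0600) fixes that.
unlock_server_key() {
  (umask 077; openssl rsa -in "$CA_DIR/server.key" -passin "pass:$SERVER_PASS" \
     -out "$CA_DIR/server-nopass.key" 2>/dev/null)
  ! grep -q ENCRYPTED "$CA_DIR/server-nopass.key"   # plain PEM has no ENCRYPTED header
}
make_pki; verify_chain; unlock_server_key; echo "PKI ready in $CA_DIR"
```

Point mosquitto.conf's keyfile at server-nopass.key (owned by the broker user) and -d works; keep the file's permissions as tight as the encrypted original's passphrase would have been.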

Testing

Startup succeeded, so let's test

Subscribe

root@ubuntu:/etc/mosquitto/certs# mosquitto_sub -h 192.168.193.128 -p 8883 -t "ssl/topic/#" --tls-version tlsv1 --cafile /etc/mosquitto/ca/ca.crt --cert /etc/mosquitto/ca/client.crt --key /etc/mosquitto/ca/client.key -u lxy128 -P lxy128
Enter PEM pass phrase:


I didn't expect to have to type such a long line. After pressing Enter, the passphrase requested is the client certificate passphrase set earlier

-h host
-p port
-t topic; subscribes to all topics under ssl/topic/
--tls-version because mosquitto.conf is configured with tlsv1, this must also be tlsv1
--cafile specifies ca.crt
--cert the client's client.crt
--key the client's client.key

Because my broker uses password_file, the username and password must also be supplied; if use_identity_as_username is set to true, they are not needed
-u lxy128 account
-P lxy128 password

Broker log

1541842539: New connection from 192.168.193.128 on port 8883.
1541842543: New client connected from 192.168.193.128 as mosqsub|19778-ubuntu (c1, k60, u'lxy128').

Publishing is also a long one

root@ubuntu:/etc/mosquitto/db# mosquitto_pub -h 192.168.193.128 -p 8883 -t "ssl/topic/128" --tls-version tlsv1 --cafile /etc/mosquitto/ca/ca.crt --cert /etc/mosquitto/ca/client.crt --key /etc/mosquitto/ca/client.key -m "i'm 128, msg to 128, port 8883" -u lxy128 -P lxy128
Enter PEM pass phrase:

The options are basically the same as for subscribing, and a passphrase is also required

The subscriber received the message

root@ubuntu:/etc/mosquitto/certs# mosquitto_sub -h 192.168.193.128 -p 8883 -t "ssl/topic/#" --tls-version tlsv1 --cafile /etc/mosquitto/ca/ca.crt --cert /etc/mosquitto/ca/client.crt --key /etc/mosquitto/ca/client.key -u lxy128 -P lxy128
Enter PEM pass phrase:
i'm 128, msg to 128, port 8883

Here's a screenshot showing what the traffic looks like once encrypted

[screenshot]

Next I plan to play with TLS for bridging