x509: 无法验证证书<主机IP>,因为它不包含任何IP SANs。

huangapple go评论82阅读模式
英文:

x509: cannot validate certificate for <host ip> because it doesn't contain any IP SANs

问题

我开发了一个名为NewRequestWithCert的函数,它创建了一个新的soap.client,并使用证书文件中的证书。在调用soap.client.Do之后,它返回了x509: cannot validate certificate for because it doesn't contain any IP SANs的错误。我的代码有什么问题?

func (o *Client) NewRequestWithCert(urlLink string, requestData interface{}, responseData interface{}, certName string, host string) error {
	// 在客户端上保留数据
	o.requestData = &requestData
	o.responseData = &responseData
	o.url = urlLink

	certByte, errCert := ioutil.ReadFile("/app/certificates/" + certName)
	if errCert != nil {
		logrus.Errorf("证书错误: %v", errCert)
		return errCert
	}
	caCertPool := x509.NewCertPool()
	caCertPool.AppendCertsFromPEM(certByte)
	logrus.Debug("certByte : ", certByte)

	tlsConfig := &tls.Config{
		ServerName: host,
		ClientCAs:  caCertPool,
		ClientAuth: tls.RequireAndVerifyClientCert,
	}
	// 新建http客户端
	o.client = &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{
			TLSClientConfig: tlsConfig,
		},
	}

	// 创建缓冲区
	var requestDataBuffer bytes.Buffer
	err := xml.NewEncoder(&requestDataBuffer).Encode(requestData)

	logrus.Info("[ProxyRequest] URL: ", urlLink)
	logrus.Info("[ProxyRequest] Data: ", requestDataBuffer.String())

	// 构建一个新的请求,但不执行POST操作
	req, err := http.NewRequest("POST", urlLink, &requestDataBuffer)
	if err != nil {
		return err
	}

	// 在客户端上保留请求
	o.req = req

	// 填充默认头部
	o.fillHeader()

	return nil
}
英文:

I develop a NewRequestWithCert function that create new soap.client and use cert from cert file and after soap.client.Do it returned x509: cannot validate certificate for <host ip> because it doesn't contain any IP SANs. What wrong with my code ?

func (o *Client) NewRequestWithCert(urlLink string, requestData interface{}, responseData interface{}, certName string, host string) error {
// Keep on client
o.requestData = &amp;requestData
o.responseData = &amp;responseData
o.url = urlLink
certByte, errCert := ioutil.ReadFile(&quot;/app/certificates/&quot; + certName)
if errCert != nil {
logrus.Errorf(&quot;cert err: %v&quot;, errCert)
return errCert
}
caCertPool := x509.NewCertPool()
caCertPool.AppendCertsFromPEM(certByte)
logrus.Debug(&quot;certByte : &quot;, certByte)
tlsConfig := &amp;tls.Config{
ServerName: host,
ClientCAs:  caCertPool,
ClientAuth: tls.RequireAndVerifyClientCert,
}
// New http client
o.client = &amp;http.Client{
Timeout:   30 * time.Second,
Transport: &amp;http.Transport{
TLSClientConfig: tlsConfig,
},
}
// Make buffer
var requestDataBuffer bytes.Buffer
err := xml.NewEncoder(&amp;requestDataBuffer).Encode(requestData)
logrus.Info(&quot;[ProxyRequest] URL: &quot;, urlLink)
logrus.Info(&quot;[ProxyRequest] Data: &quot;, requestDataBuffer.String())
// Build a new request, but not doing the POST yet
req, err := http.NewRequest(&quot;POST&quot;, urlLink, &amp;requestDataBuffer)
if err != nil {
return err
}
// Keep on client
o.req = req
// Fill default header
o.fillHeader()
return nil
}

答案1

得分: 2

服务器证书的主题与您在代码中使用的URL不匹配。具体来说,您可能在URL中使用了一个IP地址,而服务器证书不包含此IP地址(或任何其他IP地址)的主题备用名称扩展(SAN),因此“不包含任何IP SANs”。

导致此不匹配的原因是您使用了错误的URL或服务器证书错误。

英文:

The subject(s) of the servers certificate do not match the URL you use in your code. Specifically you likely used an IP address for the URL and the server certificate does not contain a Subject Alternative Names extension (SAN) for this IP address (or any other IP address, hence "doesn't contain any IP SANs")

The cause of this mismatch is that you are using a wrong URL or that the server certificate is wrong.

答案2

得分: 0

在我的情况下,证书已经提供给我,并且在我的mysql(MariaDB)命令行客户端中正常工作。我甚至可以使用它们创建JKS密钥库,成功地通过JDBC进行连接。
然而,我的golang代码抛出了这个错误。我通过谷歌搜索找到了https://github.com/prometheus/prometheus/issues/1654#issuecomment-462433443,它给了我一个解决方法 - 将InsecureSkipVerify设置为true(跳过证书验证)。请参考https://godoc.org/crypto/tls#Config以获取示例用法。

英文:

In my case the certificates were provided to me and worked fine with the myslq (MariaDB) command line client. I was even able to create JKS keystores from them to successfully connect through JDBC.
However, my golang code threw this error. My googling led me to https://github.com/prometheus/prometheus/issues/1654#issuecomment-462433443 which gave me a workaround - setting InsecureSkipVerify to true (to skip verification of certificate). Refer to https://godoc.org/crypto/tls#Config for example usage.

huangapple
  • 本文由 发表于 2022年9月28日 18:36:46
  • 转载请务必保留本文链接:https://go.coder-hub.com/73880030.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定