ngrok server shows tls: bad certificate

Because I am developing against Amazon's SP-API, I decided to set up my own ngrok server for debugging. I followed the tutorials found online, but after the build the client could never connect to the server; the server log showed: Failed to read message: remote error: tls: bad certificate

[13:47:47 CST 2021/06/11] [DEBG] (ngrok/log.(*PrefixLogger).Debug:79) [tun:b2940de] Waiting to read message
[13:47:47 CST 2021/06/11] [WARN] (ngrok/log.(*PrefixLogger).Warn:87) [tun:b2940de] Failed to read message: remote error: tls: bad certificate
[13:47:47 CST 2021/06/11] [DEBG] (ngrok/log.(*PrefixLogger).Debug:79) [tun:b2940de] Closing

This is clearly a certificate problem. The scripts circulating online generally look like this:

openssl genrsa -out rootCA.key 2048  
openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem 
openssl genrsa -out device.key 2048 
openssl req -new -key device.key -subj "/CN=$NGROK_DOMAIN" -out device.csr 
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 5000 
cp rootCA.pem assets/client/tls/ngrokroot.crt
cp  device.crt assets/server/tls/snakeoil.crt 
cp  device.key assets/server/tls/snakeoil.key

Looking at the ngrok source, the assets/client/tls/ directory contains two files, ngrokroot.crt and snakeoilca.crt. Searching on the keyword snakeoilca.crt showed that one client-side certificate file was missing from the script; the corrected shell script is as follows:

# root CA: private key plus a self-signed root certificate
openssl genrsa -out rootCA.key 2048
openssl req -x509 -new -nodes -key rootCA.key -subj "/CN=$NGROK_DOMAIN" -days 5000 -out rootCA.pem
# server certificate: key, CSR, and a leaf certificate signed by the root CA
openssl genrsa -out device.key 2048
openssl req -new -key device.key -subj "/CN=$NGROK_DOMAIN" -out device.csr
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 5000
# the client's TLS config loads both files under assets/client/tls/ as trusted roots;
# the server presents snakeoil.crt and uses snakeoil.key
cp rootCA.pem assets/client/tls/ngrokroot.crt
cp device.crt assets/client/tls/snakeoilca.crt
cp device.crt assets/server/tls/snakeoil.crt
cp device.key assets/server/tls/snakeoil.key

A few other shell commands, recorded here for reference:

# run the following command to build the 64-bit Windows client
GOOS=windows GOARCH=amd64 make release-client

nohup bin/ngrokd  -domain="$NGROK_DOMAIN" -httpAddr=":80" -httpsAddr=":443"  -tunnelAddr=":4443" > /var/log/ngrok.log 2>&1 &

Follow-up: one more pitfall

After getting up today I found that running the client directly on the server and connecting to the server there works fine, but my local Windows client still fails, with the familiar error: tls: bad certificate

The strange part is that the client produced by a plain make can connect, but when make release-server and make release-client are run separately, the resulting client cannot. Very odd.

In the end it turned out to be the Go version: I was using Go 1.15. I installed the g version manager, switched to 1.7, recompiled, and the problem went away. The underlying cause is a behaviour change in Go 1.15: matching a certificate's Common Name against the host name when the certificate carries no Subject Alternative Name is disabled by default, and the certificates produced by the script above contain only /CN=$NGROK_DOMAIN and no subjectAltName. A client built with Go 1.15 or later therefore rejects the server certificate as not valid for the domain and sends the bad certificate alert that shows up in the server log. Building with an older Go only hides this; the durable fix is to add subjectAltName=DNS:$NGROK_DOMAIN to the server certificate.

[root@VM-4-17-centos bin]# g ls
* 1.7
[root@VM-4-17-centos bin]# go version
go version go1.7 linux/amd64

About the Author: Linv2
