Viewing a local Substrate chain with Polkadot.js


1 First, start Substrate

./target/release/node-template --dev --tmp

The output is as follows:

2 Next, view it with polkadot.js.org

 https://polkadot.js.org/apps/ 

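The errors ERR_CERT_AUTHORITY_INVALID and ERR_CERT_COMMON_NAME_INVALID appear.

3 Investigating the cause

From the screenshot data above, it is easy to tell that the WebSocket over SSL connection is the problem, that is, the configuration of the wss protocol (wss://47.104.136.172:9900).

So a self-signed certificate bound to that specific IP needs to be configured.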

4 Solution

4.1 Create a new configuration file

Create a new configuration file sscert.cnf under /etc/ssl/:

[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 127.0.0.1

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 127.0.0.1

4.2 Generate the certificate

root@btcpool:/etc/ssl#  openssl req -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config sscert.cnf

Generating a RSA private key

...............................................................................................................................................................................................................................................................................................................................................++++

..........................................................................................................................................++++

writing new private key to 'domain.key'

-----

Verify:

root@btcpool:/etc/ssl# ls -al

total 60

drwxr-xr-x   4 root root      4096 Dec 24 10:04 .

drwxr-xr-x 107 root root      4096 Dec 24 00:45 ..

drwxr-xr-x   3 root root     20480 Dec 23 10:54 certs

-rw-r--r--   1 root root      2013 Dec 24 10:04 domain.crt

-rw-------   1 root root      3268 Dec 24 10:04 domain.key

-rw-r--r--   1 root root     10998 Nov 13  2019 openssl.cnf

drwx--x---   2 root ssl-cert  4096 Dec 23 10:51 private

-rw-r--r--   1 root root       437 Dec 24 09:44 san.cnf

-rw-r--r--   1 root root       379 Dec 24 10:03 sscert.cnf

You can see that the certificate files domain.crt and domain.key have been generated.

4.3 Check the certificate contents

Enter the following command:

root@btcpool:/etc/ssl#  openssl x509 -in domain.crt -noout -text

The output is as follows:

Certificate:

Data:

Version: 3 (0x2)

Serial Number:

21:fd:e5:ac:d6:0b:a9:0e:2c:74:3f:6a:49:9a:39:cf:20:7d:49:e1

Signature Algorithm: sha256WithRSAEncryption

Issuer: C = US, ST = VA, L = SomeCity, O = MyCompany, OU = MyDivision, CN = 47.104.136.172

Validity

Not Before: Dec 24 02:04:15 2020 GMT

Not After : Dec 24 02:04:15 2021 GMT

Subject: C = US, ST = VA, L = SomeCity, O = MyCompany, OU = MyDivision, CN = 47.104.136.172

Subject Public Key Info:

Public Key Algorithm: rsaEncryption

RSA Public-Key: (4096 bit)

Modulus:

Exponent: 65537 (0x10001)

X509v3 extensions:

X509v3 Key Usage:

Key Encipherment, Data Encipherment

X509v3 Extended Key Usage:

TLS Web Server Authentication

X509v3 Subject Alternative Name:

IP Address:127.0.0.1

Signature Algorithm: sha256WithRSAEncryption

4.4 Configure the certificate on the nginx server

Create a substrate configuration file under /etc/nginx/conf.d/:

server {
    # TLS endpoint on port 9900, forwarded to the node below.
    # The separate "ssl on;" directive is redundant with "listen ... ssl"
    # and was removed in nginx 1.25.1, so it is omitted here.
    listen       9900 ssl http2;

    location / {
        proxy_pass http://localhost:9944/; # points to the local service port
        proxy_http_version 1.1;
        proxy_read_timeout 120s;
        proxy_redirect off;
        # Upgrade/Connection headers are required for the WebSocket handshake
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Relative paths are resolved against the nginx configuration directory;
    # the files from 4.2 were generated in /etc/ssl/.
    ssl_certificate domain.crt;
    ssl_certificate_key domain.key;
    ssl_session_cache shared:cache_nginx_SSL:1m;
    ssl_session_timeout 1440m;
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current browsers need only TLSv1.2 or later.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;
}

Restart nginx:

nginx -s reload

At this point, accessing it with Chrome still produces the ERR_CERT_AUTHORITY_INVALID and ERR_CERT_COMMON_NAME_INVALID errors.
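
Chrome matches the address in the URL against the certificate's subjectAltName entries rather than the CN, so it helps to check which addresses a certificate covers before importing it. The script below is an added example, not part of the original post; the scratch directory, the certificate names local_only and both, and the functions make_cert and san_covers are assumptions, and the second address is the one from the wss:// URL in section 3.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: which IP addresses does a
# self-signed certificate cover? All file and function names are hypothetical.
set -eu

SERVER_IP="47.104.136.172"   # address from the wss:// URL in section 3
WORK="$(mktemp -d)"          # scratch directory (assumption of this example)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME IP...: write NAME.crt and NAME.key with one SAN entry per IP.
make_cert() {
    mc_name="$1"; shift
    mc_i=1
    {
        printf '[req]\ndistinguished_name = dn\n'
        printf 'x509_extensions = v3_req\nprompt = no\n'
        printf '[dn]\nCN = %s\n' "$1"
        printf '[v3_req]\nextendedKeyUsage = serverAuth\n'
        printf 'subjectAltName = @alt_names\n[alt_names]\n'
        for mc_ip in "$@"; do
            printf 'IP.%d = %s\n' "$mc_i" "$mc_ip"
            mc_i=$((mc_i + 1))
        done
    } > "$WORK/$mc_name.cnf"
    openssl req -nodes -x509 -newkey rsa:2048 -days 365 \
        -keyout "$WORK/$mc_name.key" -out "$WORK/$mc_name.crt" \
        -config "$WORK/$mc_name.cnf" 2>/dev/null
}

# san_covers CERT IP: succeed only if IP is listed in the certificate's SAN.
san_covers() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q 'does match certificate'
}

make_cert local_only 127.0.0.1            # SAN as in the 4.1 configuration
make_cert both 127.0.0.1 "$SERVER_IP"     # SAN also lists the server address

for cert in local_only both; do
    for ip in 127.0.0.1 "$SERVER_IP"; do
        if san_covers "$WORK/$cert.crt" "$ip"; then r="match"; else r="NO match"; fi
        echo "$cert.crt for $ip: $r"
    done
done
```

Importing a certificate into the browser addresses only the untrusted-issuer error; the name error goes away when the address in the URL appears in the SAN list.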

4.5 Configure the certificate in the Chrome browser

Click "Manage certificate" above:

Click "Import" and import the domain.crt generated above.

4.6 Then, verify

Hola!!!
