On Mac, url-https connection to a web page fails certificate verification

This started because I wanted to use xml-rpc to connect to my dokuwiki for editing. The site uses https with a self-signed certificate, and beforehand I had done the following steps

(require 'gnutls)
(add-to-list 'gnutls-trustfiles "/Users/strong/.doom.d/trust.crt")

(require 'dokuwiki)
(setq dokuwiki-xml-rpc-url "https://my.website")

It then reported that the x509 certificate does not match. Next I modified tls-program directly

(setq tls-program '("openssl s_client -connect %h:%p -CAfile /Users/strong/.doom.d/trust.crt"))

openssl already verifies successfully on the command line. But I still can't connect; it reports

Debugger entered--Lisp error: (error "The x509 certificate does not match \"x.x.x.x\"")
  gnutls-boot(#<process tls> gnutls-x509pki (:complete-negotiation t :priority "SECURE128:+SECURE192:-VERS-ALL:+VERS-TLS1.3:+VERS-TLS1.2" :hostname "x.x.x.x" :loglevel 0 :min-prime-bits 3072 :trustfiles ("/Users/strong/.doom.d/trust.crt" "/etc/ssl/cert.pem") :crlfiles nil :keylist nil :verify-flags nil :verify-error t :callbacks nil))
  gnutls-negotiate(:process #<process tls> :type gnutls-x509pki :hostname "x.x.x.x")
  open-gnutls-stream("tls" #<buffer babel.el> "x.x.x.x" 443 nil)
  (progn (open-gnutls-stream "tls" (current-buffer) "x.x.x.x" 443 nil))
  eval((progn (open-gnutls-stream "tls" (current-buffer) "x.x.x.x" 443 nil)) t)

In the end I found that emacs probably verifies with its built-in gnutls, so I tested with gnutls-cli, and on the command line verification fails. Strangely, when I used github's certificate to verify, it failed just the same

➜  .doom.d gnutls-cli --x509cafile=github.crt www.github.com -p 443
|<1>| There was a non-CA certificate in the trusted list: C=US,ST=California,L=San Francisco,O=GitHub\, Inc.,CN=github.com.
Processed 1 CA certificate(s).
Resolving 'www.github.com:443'...
Connecting to '192.30.255.112:443'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
 - subject `CN=github.com,O=GitHub\, Inc.,L=San Francisco,ST=California,C=US', issuer `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x0557c80b282683a17b0a114493296b79, RSA key 2048 bits, signed using RSA-SHA256, activated `2020-05-05 00:00:00 UTC', expires `2022-05-10 12:00:00 UTC', pin-sha256="4PhpWPCTGkqmmjRFussirzvNSi4LjL7WWhUSAVFIXDc="
	Public Key ID:
		sha1:b255b18a964ca1367988026d549ef9ba71493bf3
		sha256:e0f86958f0931a4aa69a3445bacb22af3bcd4a2e0b8cbed65a15120151485c37
	Public Key PIN:
		pin-sha256:4PhpWPCTGkqmmjRFussirzvNSi4LjL7WWhUSAVFIXDc=

- Certificate[1] info:
 - subject `CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US', issuer `CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US', serial 0x04e1e7a4dc5cf2f36dc02b42b85d159f, RSA key 2048 bits, signed using RSA-SHA256, activated `2013-10-22 12:00:00 UTC', expires `2028-10-22 12:00:00 UTC', pin-sha256="k2v657xBsOVe1PQRwOsHsw3bsGT2VzIqz5K+59sNQws="
- Status: The certificate is NOT trusted. The certificate issuer is unknown.
*** PKI verification of server certificate failed...
*** Fatal error: Error in the certificate..
➜  .doom.d echo $?
1

Which Emacs version are you on? Since 27, tls.el has been marked obsolete and the tls-program variable no longer takes effect.


I verified github.com with gnutls-cli and the system's built-in certificates

My version is still 26.3.

My gnutls also verifies github successfully. Only now did it occur to me that gnutls first needs to check the address against the CommonName; after changing the CommonName and re-signing, it still didn't work. Since I only have an IP and no domain name, I don't know whether that has an effect.

gnutls must verify the CommonName. This is how I solved it in the end: I regenerated the certificate with CommonName www.sometext.xyz, then edited the local /etc/hosts to point that domain at my IP, and after that the added certificate passes gnutls verification.
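The error in the backtrace above ("The x509 certificate does not match \"x.x.x.x\"") is a hostname check, separate from the trust-chain check. The Python below is an added illustration of that check in the RFC 6125 style that GnuTLS follows (it is not GnuTLS or Emacs code): it shows why a certificate whose only name is CN=www.sometext.xyz fails when Emacs connects to a bare IP, why the /etc/hosts trick from the post above makes it pass, and, going one step beyond the thread, why an iPAddress SAN entry would let the IP be used directly. The certificates and the IP 203.0.113.5 are constructed placeholders in the dict shape Python's ssl.getpeercert() returns.

```python
import ipaddress

# Simplified RFC 6125-style hostname matching, modelled on the check a TLS
# client performs after the chain verifies. Constructed for illustration only.

def _san_entries(cert, kind):
    return [v for (k, v) in cert.get("subjectAltName", ()) if k == kind]

def _dns_match(pattern, hostname):
    # A single leading '*' may match exactly one left-most label.
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        ph, hh = pattern[2:].split("."), hostname.split(".")
        return len(hh) == len(ph) + 1 and hh[1:] == ph
    return pattern == hostname

def check_hostname(cert, hostname):
    """True if `hostname` (DNS name or IP literal) is covered by `cert`."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SAN entries; a name
        # in the CN does not cover it.
        return any(ipaddress.ip_address(v) == ip for v in _san_entries(cert, "IP Address"))
    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        # When dNSName SANs exist, the CN is ignored entirely (RFC 6125 s.6.4.4).
        return any(_dns_match(p, hostname) for p in dns_names)
    # Legacy fallback: no SAN at all, so compare against the subject CN.
    cn = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_dns_match(p, hostname) for p in cn)

# Constructed sample certificates (placeholders, not from the thread).
CN_ONLY = {"subject": ((("commonName", "www.sometext.xyz"),),)}
WITH_SANS = {
    "subject": ((("commonName", "www.sometext.xyz"),),),
    "subjectAltName": (("DNS", "www.sometext.xyz"), ("IP Address", "203.0.113.5")),
}

if __name__ == "__main__":
    print(check_hostname(CN_ONLY, "203.0.113.5"))      # False: the mismatch seen in Emacs
    print(check_hostname(CN_ONLY, "www.sometext.xyz"))  # True: what /etc/hosts achieves
    print(check_hostname(WITH_SANS, "203.0.113.5"))     # True: IP SAN, no /etc/hosts needed
```

With an iPAddress SAN in the regenerated certificate, dokuwiki-xml-rpc-url can keep the bare IP and gnutls-trustfiles alone is enough; the CN is then irrelevant to the match.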