openresty / lua-resty-core

New FFI-based API for lua-nginx-module

SSL error:1417A179:SSL routines:tls_post_process_client_hello:cert #350

Closed HadiAbbasi closed 3 years ago

HadiAbbasi commented 3 years ago

Hello, I'm using openresty/1.19.3.1. I've installed it using:

add-apt-repository -y "deb http://openresty.org/package/debian $(lsb_release -sc) openresty"
apt update
apt -y install openresty

Now I want to try to load SSL TLSv1.3 crt/key files. Some of the valid TLSv1.3 crt/key files can be loaded successfully, so the site loads successfully, but some of the valid TLSv1.3 crt/key files have an error!

I can check and trust all of the crt/key files using:

openssl x509 -noout -modulus -in /usr/local/openresty/crt_keys/mysite.com.crt | openssl md5

openssl rsa -noout -modulus -in /usr/local/openresty/crt_keys/mysite.com.key | openssl md5

here is my code:

ssl_certificate_by_lua_block {
      local ssl         = require "ngx.ssl"
      local str           = require "resty.string"
      local utils           = require "my.utils"

      local sni_name, err = ssl.server_name()
      local tlsv = utils.getTrimmedAndLowerVal(ssl.get_tls1_version_str());
      ngx.log(ngx.DEBUG,"========--------> " .. tlsv);   --========--------> tlsv1.3

      local ok, err = ssl.clear_certs()
      if not ok then
          ngx.log(ngx.ERR, "failed to clear existing (fallback) certificates")
          return ngx.exit(ngx.ERROR)
      end

      local file_dir = "/usr/local/openresty/crt_keys/mysite.com."

      local crt_content = utils.readFileContent(file_dir .. "crt");

      local der_cert_chain, err = ssl.cert_pem_to_der(crt_content)
      if not der_cert_chain then
          ngx.log(ngx.ERR, "failed to convert certificate chain ", "from PEM to DER: ", err)
          return ngx.exit(ngx.ERROR)
      end

      local ok, err = ssl.set_der_cert(der_cert_chain)
      if not ok then
          ngx.log(ngx.ERR, "failed to set DER cert: ", err)
          return ngx.exit(ngx.ERROR)
      end

      local pem_pkey = utils.readFileContent(file_dir .. "key");

      local der_pkey, err = ssl.priv_key_pem_to_der(pem_pkey)
      if not der_pkey then
          ngx.log(ngx.ERR, "failed to convert private key ", "from PEM to DER: ", err)
          return ngx.exit(ngx.ERROR)
      end

      local ok, err = ssl.set_der_priv_key(der_pkey)
      -- error is here:
      -- failed to convert private key from PEM to DER: PEM_read_bio_PrivateKey() failed, context: ssl_certificate_by_lua*, client:
      -- my ip, server: 0.0.0.0:443
      -- SSL_read_early_data() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL
      -- handshaking, client: my ip, server: 0.0.0.0:443

      if not ok then
          ngx.log(ngx.ERR, "failed to set DER private key: ", err)
          return ngx.exit(ngx.ERROR)
      end
}

Actually, ssl.set_der_priv_key causes the error! (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert) What do I have to do? I think it can be a bug!

Because some of the valid certificates are OK and some others have an error!

HadiAbbasi commented 3 years ago

The source of the error and problem was the generated crt/key files... so my problem is solved and I'm closing this issue!
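The failure reported above comes from PEM_read_bio_PrivateKey() rejecting the key file, and the thread resolves with "the generated files were bad". A preflight check that validates the PEM framing of each crt/key pair before a deploy script copies it into the directory read by ssl_certificate_by_lua_block catches most of the ways a generated file can be broken (mismatched BEGIN/END labels, a label OpenSSL does not treat as a private key, corrupted base64, a truncated body, a passphrase-protected key). The following is an added example, not code from the lua-resty-core project or from the poster; it is plain Python 3 standard library, and the sample PEM texts are constructed stand-ins whose DER body is a minimal SEQUENCE { INTEGER 0 } rather than real key material.

```python
import base64
import binascii
import re

# PEM labels that OpenSSL's PEM_read_bio_PrivateKey() accepts: PKCS#8, PKCS#1 RSA,
# SEC1 EC, and encrypted PKCS#8. Any other label (e.g. "PUBLIC KEY") is rejected.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL
)


def der_outer_len(der):
    """Total encoded size of the outer DER TLV, or None if the length header is malformed."""
    if len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem(text):
    """Return a list of (label, headers, der_bytes); raise ValueError on framing errors."""
    blocks = []
    for m in PEM_RE.finditer(text):
        begin, body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN/END label mismatch: {begin} vs {end}")
        lines = [ln.strip() for ln in body.splitlines()]
        headers = {}
        # RFC 1421 headers such as "Proc-Type: 4,ENCRYPTED" sit before a blank line;
        # base64 never contains ':' so this cannot eat body lines.
        while lines and ":" in lines[0]:
            k, v = lines.pop(0).split(":", 1)
            headers[k.strip()] = v.strip()
        b64 = "".join(ln for ln in lines if ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError) as e:
            raise ValueError(f"{begin}: body is not valid base64: {e}")
        if not der or der[0] != 0x30:     # every key and certificate is an outer SEQUENCE
            raise ValueError(f"{begin}: decoded body is not a DER SEQUENCE")
        blocks.append((begin, headers, der))
    if not blocks:
        raise ValueError("no PEM block found")
    return blocks


def preflight_key(pem_text):
    """(ok, reason) for a private-key file as ngx.ssl.priv_key_pem_to_der would see it."""
    try:
        blocks = parse_pem(pem_text)
    except ValueError as e:
        return (False, str(e))
    if len(blocks) != 1:
        return (False, f"expected exactly one private key block, found {len(blocks)}")
    label, headers, der = blocks[0]
    if label not in KEY_LABELS:
        return (False, f"unexpected PEM label {label!r}")
    if label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        # The handler has no passphrase to offer, so decrypt the key offline first.
        return (False, "key is passphrase-protected; decrypt it before loading")
    if der_outer_len(der) != len(der):
        return (False, "DER length does not match body (truncated or trailing garbage)")
    return (True, f"{label}, {len(der)} bytes DER")


def preflight_cert_chain(pem_text):
    """(ok, reason) for a certificate chain file as ngx.ssl.cert_pem_to_der would see it."""
    try:
        blocks = parse_pem(pem_text)
    except ValueError as e:
        return (False, str(e))
    for label, _headers, der in blocks:
        if label != "CERTIFICATE":
            return (False, f"unexpected PEM label {label!r} in chain")
        if der_outer_len(der) != len(der):
            return (False, "DER length does not match body in a chain element")
    return (True, f"{len(blocks)} certificate(s)")


# Constructed samples (not real keys): "MAMCAQA=" is SEQUENCE { INTEGER 0 }.
GOOD_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
TRUNCATED_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQ\n-----END PRIVATE KEY-----\n"
TRAILING_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQAA\n-----END PRIVATE KEY-----\n"
MISMATCHED_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
WRONG_LABEL = "-----BEGIN PUBLIC KEY-----\nMAMCAQA=\n-----END PUBLIC KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
                 "MAMCAQA=\n-----END RSA PRIVATE KEY-----\n")
GOOD_CHAIN = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n" * 2


def run_samples():
    """Run every constructed sample and return {name: (ok, reason)}."""
    return {
        "good_key": preflight_key(GOOD_KEY),
        "truncated_key": preflight_key(TRUNCATED_KEY),
        "trailing_key": preflight_key(TRAILING_KEY),
        "mismatched_key": preflight_key(MISMATCHED_KEY),
        "wrong_label": preflight_key(WRONG_LABEL),
        "encrypted_key": preflight_key(ENCRYPTED_KEY),
        "good_chain": preflight_cert_chain(GOOD_CHAIN),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Run it over the real files with `preflight_key(open(path).read())` before they reach `/usr/local/openresty/crt_keys/`; a FAIL here means `ssl.priv_key_pem_to_der` or `ssl.cert_pem_to_der` will fail in the handler and every TLS handshake for that name will abort with the `cert cb error` seen in the nginx log. The check only validates framing, so still pair it with the `openssl x509 -modulus` / `openssl rsa -modulus` comparison from the post to confirm the key actually belongs to the certificate.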