Sysvinit
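start-stop-daemon: Python script as a service that uses SSL
When I start my LSBInitScript as a service, I get an SSL error, because my script works with SSL certificates. The certificates are in the same directory as the script itself. Why do I get the error when starting it as a service, but not when calling it from the console?
SSL error when starting the service: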
```
ubuntu@ip-0-0-0-0:/heartbeat/deviceAPI$ sudo service deviceAPIClient.service start
 * DeviceAPIClient process is not running
 * Starting the process DeviceAPIClient
Traceback (most recent call last):
  File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 120, in <module>
    main()
  File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 90, in main
    res = register(instanceName)
  File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 40, in register
    verify = 'cloud-server-ca-chain.pem'
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 185090050] _ssl.c:344: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
```
No error when starting the Python script from the console:
```
ubuntu@ip-0-0-0-0:/heartbeat/deviceAPI$ /heartbeat/deviceAPI/DeviceAPIClient.py
Successful registering at cloud with 02-57-49-9c-d4
Using API endpoint https://mydomain
Update API endpoint (not used in Demo) https://mydomain.com/device-api
Sending Data to Cloud...
```
Update
As @mrc02_kr suggested, I have put the certificate `cloud-server-ca-chain.pem` into the folder `/etc/ssl/certs`. The error changed to a private key problem, `SSL_CTX_use_PrivateKey_file`:
```
ubuntu@ip-0-0-0-0:/heartbeat/deviceAPI$ sudo service deviceAPIClient.service start
 * DeviceAPIClient process is not running
 * Starting the process DeviceAPIClient
Traceback (most recent call last):
  File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 120, in <module>
    main()
  File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 90, in main
    res = register(instanceName)
  File "/heartbeat/deviceAPI/DeviceAPIClient.py", line 40, in register
    verify = '/etc/ssl/certs/cloud-server-ca-chain.pem'
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 88, in post
    return request('post', url, data=data, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 44, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 455, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 558, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 385, in send
    raise SSLError(e)
requests.exceptions.SSLError: [Errno 336265218] _ssl.c:355: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
```
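You need to know that the script uses a private key to identify itself, and uses the cloud server's certificate to identify the server.
Do I also need to store the private key in a special folder?
Update 2
I was able to install the private key in `/etc/ssl/private` and adjusted the script accordingly.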
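The error during service start probably occurs because you provide a relative path to the certificate. The certificate file should have an absolute path. When the system starts the service, it does not change $PWD to the script's location.
You can copy the certificate to `/etc/ssl/certs` (according to this answer) and change:
```
verify = 'cloud-server-ca-chain.pem'
```
to:
```
verify = '/etc/ssl/certs/cloud-server-ca-chain.pem'
```
in your code (file "/heartbeat/deviceAPI/DeviceAPIClient.py", line 40).
You can also modify the init script to change directory to the certificate's location and then start the Python program.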
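The failure mode discussed above, reproduced as an added example (not code from the original post): TLS file names are resolved against a fixed base directory instead of $PWD and checked before they reach the TLS library. The key file name `client-key.pem` and the temporary directory standing in for `/heartbeat/deviceAPI` are assumptions.

```python
import os
import stat
import tempfile

# In the service itself the base would be the script's own directory:
#   BASE_DIR = os.path.dirname(os.path.abspath(__file__))

def resolve_tls_path(name, base_dir):
    """Absolute path for a TLS file; relative names resolve against base_dir, never $PWD."""
    if os.path.isabs(name):
        return name
    return os.path.join(os.path.abspath(base_dir), name)

def check_tls_file(path, private=False):
    """Return a list of problems that would stop the TLS library from loading path."""
    if not os.path.isfile(path):
        return ["%s: no such file (cwd=%s)" % (path, os.getcwd())]
    problems = []
    if not os.access(path, os.R_OK):
        problems.append("%s: not readable by uid %d" % (path, os.getuid()))
    if private and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        problems.append("%s: private key is accessible to group/others" % path)
    return problems

def demo():
    """Files sit beside the script, but the process runs with a different cwd."""
    base = tempfile.mkdtemp()  # constructed stand-in for /heartbeat/deviceAPI
    for name, mode in (("cloud-server-ca-chain.pem", 0o644),
                       ("client-key.pem", 0o600)):  # hypothetical key file name
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real PEM\n")
        os.chmod(path, mode)
    old_cwd = os.getcwd()
    os.chdir(os.sep)  # the service is not started from the script's directory
    try:
        ca = resolve_tls_path("cloud-server-ca-chain.pem", base)
        key = resolve_tls_path("client-key.pem", base)
        return {"relative": check_tls_file("cloud-server-ca-chain.pem"),
                "ca": check_tls_file(ca), "ca_path": ca,
                "key": check_tls_file(key, private=True)}
    finally:
        os.chdir(old_cwd)

if __name__ == "__main__":
    for label, result in sorted(demo().items()):
        print(label, result)
```

Running the check at startup turns the opaque `system lib` errors above into a message that names the missing or unreadable file and the working directory in effect.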