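I am configuring two-way (mutual) SSL authentication in EMQX. I self-signed several device-side root certificates and merged their contents into cacert.pem, then used those device-side root certificates to issue device certificates. However, only the device certificates issued by some of the root certificates can connect successfully. What is the reason for this?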


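Is the way I merged the client root certificates wrong? Also, whether a connection succeeds changes with the order of the root certificates in cacert.pem. They are all root certificates, so there should not be an ordering problem.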

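Although cacert.pem uses multiple root certificates, EMQX itself has only one certificate. Could the problem be that some clients cannot verify the server? This needs to be checked with a packet capture.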

Update: at present, the library EMQX depends on does not support using multiple certificates either.

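After merging multiple root certificates, the same problem also occurs with openssl. If the subject of the root certificates is left empty, or is filled in identically, then when openssl and the merged certificate are used to verify their child certificates, only one succeeds. But with EMQX's verification logic, if the root certificates all have a subject filled in (even an identical one), every child certificate is guaranteed to verify successfully. This is the result of my testing. So can it be considered that using multiple root certificates is supported after all? Or can you tell me which library EMQX depends on for certificates?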

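In EMQX's network library, esockd, this is probably not supported at present, and we are not sure whether it would work after modification. We will look into it.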
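
Added example (not from the thread and not EMQX or esockd code): following the poster's observation that roots with an empty or identical subject cannot all be used from one bundle, this stdlib-only Python check lists which certificates in a cacert.pem-style bundle share the same subject. The helper names and the unsigned sample certificates are constructed for illustration.

```python
import base64, re
from collections import defaultdict

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                        # long-form length: next k bytes hold the length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def subject_der(cert):
    """Raw DER of the subject Name field of one certificate."""
    _, p, _ = read(cert, 0)             # Certificate -> start of TBSCertificate
    _, p, _ = read(cert, p)             # TBSCertificate -> its first field
    tag, _, end = read(cert, p)
    if tag == 0xA0:                     # optional [0] version
        p = end
    for _ in range(4):                  # skip serialNumber, signature, issuer, validity
        _, _, p = read(cert, p)
    _, _, end = read(cert, p)
    return cert[p:end]

def shared_subjects(bundle):
    """Map subject DER -> bundle positions, keeping only subjects used by 2+ certs."""
    groups = defaultdict(list)
    for i, b64 in enumerate(PEM.findall(bundle)):
        groups[subject_der(base64.b64decode(b64))].append(i)
    return {s: idx for s, idx in groups.items() if len(idx) > 1}

# Constructed sample: unsigned certificate skeletons, just enough structure to parse.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length only (body < 128 bytes)

def name(cn):
    if not cn:
        return tlv(0x30, b"")           # empty subject, the case described in the thread
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))  # commonName
    return tlv(0x30, tlv(0x31, atv))

def skeleton(cn, serial):
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"")
           + name(cn) + tlv(0x30, b"") + name(cn))  # issuer == subject, as for a root
    body = base64.b64encode(tlv(0x30, tlv(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

SAMPLE = skeleton("", 1) + skeleton("Device Root B", 2) + skeleton("", 3)
```

Calling `shared_subjects()` on the text of a real bundle returns an empty dict when every root has a distinct subject; any group it reports names the positions of roots that a name-based issuer lookup cannot tell apart.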