Question about updating the BMC's imported certificate

Why does my certificate import fail?
Can I use the rootca.pfx generated in https://discuss.openubmc.cn/t/topic/215 as the certificate?

What is imported here is an SSL certificate.

Isn't what openssl pkcs12 -export -out rootca.pfx -in rootca.pem -inkey rootca_pri.pem generates an SSL certificate?

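I checked several possible causes, and none of them is it:
1. Time: the time has now been set with date, ruled out.

2. Wrong password: the command openssl pkcs12 -in /tmp/rootca.pfx -info -nodes -passin pass:123456 displays the certificate contents, ruled out.

3. File permissions: after changing the file permissions to 644 the import still fails, ruled out.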

Check what the run log printed during the import.

How do I view the run log?

A point I suspect may be the problem: the certificate validity period is too long.

Log in as root and run tail -f /var/log/app.log, or run the import, then use one-click log collection and check app.log.

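This is the content of the log. I can't log in to the web interface right now and can only operate over SSH, so I can't use one-click log collection.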

~ # tail -n 20 /var/log/app.log
2025-06-19 20:00:58.693544 cli WARNING: init.lua(97): nil:46 > nil:-1 > common.lua:34: The value ****** of the property path does not contain the file name or does not exist in the tmp directory.
2025-06-19 20:00:58.696801 cli WARNING: init.lua(97): nil:46 > nil:-1 > common.lua:35: Import weak password dictionary failed.
2025-06-19 20:00:58.784137 security ERROR: comm_utils.c(250): [certificate] dal_check_cert_basic_constraints : check basic constraints(0xff) failed.
2025-06-19 20:00:58.784239 security ERROR: comm_utils.c(1231): [certificate] check_p12_valid : check certificate basic constraints failed.
2025-06-19 20:00:58.784366 security ERROR: cert_handler.c(423): [certificate] get_current_cert_pwd_and_verify:check p12 cert failed, ret_code: -1
2025-06-19 20:00:58.784792 certificate ERROR: certificate_collection_ssl.lua(151): get cert info failed! ret code: -1!
2025-06-19 20:00:58.785293 certificate WARNING: init.lua(97): certificate_collection_ssl.lua:202 > certificate_collection_base.lua:312 > certificate_collection_ssl.lua:157: Failed to import the encrypted certificate.
2025-06-19 20:00:58.785641 certificate ERROR: operation_logger.lua(85): ImportCertWithKey: EncryptedCertImportFailed
2025-06-19 20:05:20.264819 storage NOTICE: bus_monitor_service.lua(105): [init] old power state is , new is [repeated 301 times in 301s from 2025-06-19 20:00:19.203126 to 2025-06-19 20:05:20.264819]
2025-06-19 20:10:21.337034 storage NOTICE: bus_monitor_service.lua(105): [init] old power state is , new is [repeated 301 times in 301s from 2025-06-19 20:05:20.264819 to 2025-06-19 20:10:21.337034]
2025-06-19 20:11:12.778080 cli WARNING: init.lua(97): nil:46 > nil:-1 > common.lua:32: Failed to import the public key.
2025-06-19 20:11:12.779214 cli WARNING: init.lua(97): nil:46 > nil:-1 > common.lua:33: Failed to import the certificate.
2025-06-19 20:11:12.780171 cli WARNING: init.lua(97): nil:46 > nil:-1 > common.lua:34: The value ****** of the property path does not contain the file name or does not exist in the tmp directory.
2025-06-19 20:11:12.781076 cli WARNING: init.lua(97): nil:46 > nil:-1 > common.lua:35: Import weak password dictionary failed.
2025-06-19 20:11:12.878696 security ERROR: comm_utils.c(250): [certificate] dal_check_cert_basic_constraints : check basic constraints(0xff) failed.
2025-06-19 20:11:12.878819 security ERROR: comm_utils.c(1231): [certificate] check_p12_valid : check certificate basic constraints failed.
2025-06-19 20:11:12.878952 security ERROR: cert_handler.c(423): [certificate] get_current_cert_pwd_and_verify:check p12 cert failed, ret_code: -1
2025-06-19 20:11:12.879481 certificate ERROR: certificate_collection_ssl.lua(151): get cert info failed! ret code: -1!
2025-06-19 20:11:12.879973 certificate WARNING: init.lua(97): certificate_collection_ssl.lua:202 > certificate_collection_base.lua:312 > certificate_collection_ssl.lua:157: Failed to import the encrypted certificate.
2025-06-19 20:11:12.880364 certificate ERROR: operation_logger.lua(85): ImportCertWithKey: EncryptedCertImportFailed

According to the log, the SSL certificate being imported must have Basic Constraints set to End Entity, but the imported certificate is a CA certificate.

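This certificate is the CA certificate the BMC uses for signature verification; it cannot be imported directly as the SSL certificate.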
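
A pre-import check matching the diagnosis above, as an added example that is not part of the original thread or openUBMC's code: it reads the leaf certificate out of a PFX and reports whether Basic Constraints marks it as a CA. The function names, the CA:TRUE text match and the throwaway self-signed samples are assumptions; the firmware's exact rule is not shown on the page.

```shell
#!/bin/sh
# Added example. Approximates the Basic Constraints check that app.log reports:
# a PFX whose leaf certificate says CA:TRUE is a CA certificate, not an SSL one.

# Print "CA", "end-entity" or "unreadable" for the leaf certificate in a PFX.
pfx_role() {  # usage: pfx_role FILE PASSWORD
    text=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null |
           openssl x509 -noout -text 2>/dev/null) || { echo "unreadable"; return 2; }
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "CA"
    else
        echo "end-entity"
    fi
}

# Build constructed samples in DIR: ca.pfx (CA:TRUE, like the thread's rootca.pfx)
# and leaf.pfx (CA:FALSE). Both are throwaway self-signed certificates.
make_samples() {  # usage: make_samples DIR
    d=$1
    cat > "$d/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-sample
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
basicConstraints = CA:FALSE
EOF
    for kind in ca leaf; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ext.cnf" \
            -extensions "v3_$kind" -keyout "$d/$kind.key" -out "$d/$kind.pem" \
            2>/dev/null || return 1
        openssl pkcs12 -export -out "$d/$kind.pfx" -in "$d/$kind.pem" \
            -inkey "$d/$kind.key" -passout pass:123456 || return 1
    done
}

# Run as "sh script.sh demo" to see both roles on the constructed samples.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d) && make_samples "$tmp"
    for f in ca leaf; do echo "$f.pfx: $(pfx_role "$tmp/$f.pfx" 123456)"; done
    rm -rf "$tmp"
fi
```

A certificate with no Basic Constraints extension at all is reported as end-entity here, which may differ from what the BMC accepts.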

OK, I'll try with an SSL certificate.

It was solved after switching to an SSL certificate. Thank you for your guidance!