我正在运行 SSL 错误 (HTTPSConnectionPool(host='ec2-aa-aaa-aaa-aa.eu-central-1.compute.amazonaws.com', port=8080): Max retries exceeded with url: /v1/ getinfo(由 SSLError(CertificateError(“主机名‘ec2-aa-aaa-aa-aa.eu-central-1.compute.amazonaws.com’与‘ip-bbb-bb-bb-bb’中的任何一个都不匹配”引起, 'localhost', 'unix'...) 并且我自己也找不到解决方案。 其实找不到的ip中提到的ip-bbb-bb-bb-bb是我EC”实例的私有ip,和ec2-aa-aaa-aaa-aa.eu-central-1.compute.amazonaws .com' 是公开的。
关于我的 EC2 实例的一些细节。我在那里运行比特币和 LND 节点,它们工作正常。但是,当我尝试从本地运行的 API 访问它们时,出现此错误。
这是我的实例的安全规则(我知道可能不是最安全的,但我试图查看可能导致错误的原因)
– sgr-0b6e4646f963ac348 All All 0.0.0.0/0
– sgr-0c9433a6bdbc5c986 8333 TCP ::/0
– sgr-0ab3df01e90304321 8333 TCP 0.0.0.0/0
– sgr-002bc487360643667 443 TCP 0.0.0.0/0
– sgr-08bad3cd41c9d3365 80 TCP 0.0.0.0/0
– sgr-005fa2007f73f3466 28333 TCP 0.0.0.0/0
– sgr-0fba32539580d3071 0 - 65535 TCP 0.0.0.0/0
– sgr-092c6691e0dbdf9d3 All ICMP 0.0.0.0/0
– sgr-000bdb5bee77e7314 8000 TCP 0.0.0.0/0
– sgr-0112ef3fdd16c2b75 22 TCP 0.0.0.0/0
我正在通过 ssh 从我的 django API 连接到实例。我正在发布以下代码:
import boto3
import paramiko
import os
import base64, codecs
# Define the instance's ID and the key pair name
instance_id = "<i-blahblahblah>"
key_name = "<some_keyname>"
# Create a session using your AWS credentials
session = boto3.Session(
aws_access_key_id="<some_access_key_is>",
aws_secret_access_key="<some_aws_secret_access_key>",
region_name="eu-central-1",
)
# Use the session to create an EC2 client
ec2 = session.client("ec2")
# Retrieve the IP address of the instance
instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0][
"Instances"
][0]
ip_address = instance["PublicIpAddress"]
print(ip_address)
# Use the session to create a SSM client
ssm = session.client("ssm")
# Start a session to the instance using SSM
response = ssm.start_session(Target=instance_id)
# Use paramiko to SSH into the instance
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
key_name = "<path_to_key>"
ssh.connect(ip_address, username="ubuntu", key_filename=f"{key_name}.pem")
# Execute the command to retrieve the environment variable
stdin, stdout, stderr = ssh.exec_command("echo $VARNAME")
my_variable = stdout.read().strip().decode()
# Read the output of the command
sftp_client = ssh.open_sftp()
remote_path = "/home/ubuntu/.lnd/data/chain/bitcoin/mainnet/admin.macaroon"
remote_file = sftp_client.open(remote_path, "r")
# Read contents of file
file_contents = remote_file.read()
encoded_hex = codecs.encode(file_contents, "hex")
encoded_string = encoded_hex.decode("utf-8")
# Now you can use the decoded string in your API
print(encoded_string)
# Get the path to the certificate file on the EC2 instance
remote_cert_file = "/home/ubuntu/.lnd/tls.cert"
# Transfer the certificate file from the EC2 instance to the local machine
local_cert_file = "tls.cert"
sftp = ssh.open_sftp()
sftp.get(remote_cert_file, local_cert_file)
# Specify the path to the local certificate file for SSL verification
cert_file_path = os.path.abspath(local_cert_file)
print(cert_file_path)
sftp.close()
# Close file and SFTP client
remote_file.close()
stdin.close()
# Close the SSH connection and SSM session
ssh.close()
ssm.terminate_session(SessionId=response["SessionId"])
response = {"file_contents": file_contents}
我真的很感激任何帮助。我已经努力了将近一个星期的尝试,但没有任何效果。
我找到了解决方案。我需要为我的 lnd 节点生成一个指向本地主机和 aws 端点的新 tls.cert。我使用了以下命令:
openssl req -x509 -newkey rsa:4096 -keyout /home/ec2-user/.lnd/tls.key -out /home/ec2-user/.lnd/tls.cert -days 365 -nodes -subj '/CN=127.0.0.1' -extensions SAN -config <(cat /etc/pki/tls/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:localhost,DNS:unix,DNS:unixpacket,DNS:bufconn,IP:127.0.0.1,IP:<aws_private_ip>,IP:<aws_public_ip>,DNS:ec2-a-aaa-aa-aa.eu-central-1.compute.amazonaws.com"))
并将 .cert 文件转换为 .pem 文件
openssl x509 -in tls.cert -out tls.pem -outform PEM
然后复制我的ca-certification目录下的tls.pem然后运行:
sudo update-ca-trust
瞧,它有效