1 首先启动Substrate
./target/release/node-template --dev --tmp
输出如下:
2 其次用polkadot.js.org来看
出现ERR_CERT_AUTHORITY_INVALID和ERR_CERT_COMMON_NAME_INVALID错误
3 原因调查
从上面的截图数据,很容易判断出是Web socket over SSL 链接有问题,即wss协议(wss://47.104.136.172:9900)的配置问题。
所以需要配置针对特定IP的self-signed certificate证书。注意Chrome校验的是证书的subjectAltName(SAN)而不是CN,因此客户端实际连接的IP必须出现在alt_names里。
4 解决方案
4.1 生成新配置文件
在/etc/ssl/下生成一个新配置文件sscert.cnf:
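[req]
default_bits = 4096
default_md = sha256
distinguished_name = req_distinguished_name
# self-signed: the v3_req extensions are written into the x509 cert itself
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
# Modern browsers (Chrome) validate the host against subjectAltName, not CN;
# CN is informational only, so keep it equal to the primary address.
CN = 127.0.0.1

[v3_req]
# digitalSignature is the usage the ECDHE-RSA suites need (the server signs the
# key exchange); keyEncipherment covers plain RSA key exchange.
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Every address the client actually dials must be listed here, otherwise Chrome
# keeps reporting ERR_CERT_COMMON_NAME_INVALID even after the cert is imported.
IP.1 = 127.0.0.1
IP.2 = 47.104.136.172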
4.2 生成证书
root@btcpool:/etc/ssl# openssl req -nodes -x509 -days 365 -keyout domain.key -out domain.crt -config sscert.cnf
Generating a RSA private key
...............................................................................................................................................................................................................................................................................................................................................++++
..........................................................................................................................................++++
writing new private key to 'domain.key'
-----
验证一下
root@btcpool:/etc/ssl# ls -al
total 60
drwxr-xr-x 4 root root 4096 Dec 24 10:04 .
drwxr-xr-x 107 root root 4096 Dec 24 00:45 ..
drwxr-xr-x 3 root root 20480 Dec 23 10:54 certs
-rw-r--r-- 1 root root 2013 Dec 24 10:04 domain.crt
-rw------- 1 root root 3268 Dec 24 10:04 domain.key
-rw-r--r-- 1 root root 10998 Nov 13 2019 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Dec 23 10:51 private
-rw-r--r-- 1 root root 437 Dec 24 09:44 san.cnf
-rw-r--r-- 1 root root 379 Dec 24 10:03 sscert.cnf
可以看到已经生成证书文件:domain.crt和domain.key
4.3 验证一下证书内容
输入下面的命令
root@btcpool:/etc/ssl# openssl x509 -in domain.crt -noout -text
输出如下:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
21:fd:e5:ac:d6:0b:a9:0e:2c:74:3f:6a:49:9a:39:cf:20:7d:49:e1
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = VA, L = SomeCity, O = MyCompany, OU = MyDivision, CN = 47.104.136.172
Validity
Not Before: Dec 24 02:04:15 2020 GMT
Not After : Dec 24 02:04:15 2021 GMT
Subject: C = US, ST = VA, L = SomeCity, O = MyCompany, OU = MyDivision, CN = 47.104.136.172
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:ac:ec:36:fa:56:0d:38:e1:98:c7:33:6f:c6:d1:
79:40:46:2b:68:e5:de:3f:15:c7:f0:33:1b:7a:ca:
7e:8b:f5:d8:79:f0:7d:17:02:d8:ef:fe:5f:db:b4:
6d:22:e8:f4:e3:5b:4d:b5:8e:a7:30:ef:a7:1f:2b:
5a:c4:84:3e:6a:c6:38:b5:ab:69:0b:a1:37:97:82:
e5:15:43:ce:d6:56:cd:91:7a:91:f9:ac:88:fc:8f:
92:6e:02:ce:0b:9b:fe:d7:72:e4:36:8d:88:fc:78:
6d:bc:32:7a:08:47:e6:2a:65:6c:12:a7:eb:23:39:
c7:1e:2b:7a:07:52:6d:60:19:90:b0:50:d5:7e:08:
f6:1d:f9:9e:53:83:2e:dc:4a:fc:1f:b5:60:42:28:
a8:0b:b9:a9:41:ca:dc:e0:83:32:3e:d9:1a:32:4b:
03:96:72:d9:1d:30:8e:29:58:40:35:16:96:d0:92:
6f:5b:44:c8:12:f1:b5:0d:7a:b7:08:6d:f4:29:8e:
8f:ec:69:19:ce:de:64:4d:42:97:45:6d:fd:67:87:
83:7a:1a:13:93:e2:b4:a2:7e:e8:4d:96:a9:0e:2c:
97:d3:39:a2:00:f1:f4:5e:a7:cb:9b:53:5d:34:35:
28:dd:0c:0d:15:06:04:60:af:2e:ae:a4:53:a1:9d:
e5:92:75:1e:07:f1:14:fa:af:63:ad:59:2a:d1:36:
64:40:55:1f:96:11:21:0e:80:26:36:d4:94:c7:f9:
73:0e:d7:37:7f:35:58:a8:18:47:82:b9:06:dd:98:
a2:55:93:ac:a4:03:18:31:dc:fc:ae:34:26:4a:fb:
12:35:9d:3a:50:8b:eb:7c:10:64:11:d2:dc:74:6b:
6b:df:06:27:46:e0:09:6e:75:41:99:c5:e4:be:19:
14:26:27:01:e6:d6:43:b5:46:8b:9d:09:0e:52:4e:
c3:81:85:28:9e:a8:d9:4c:fd:23:dd:0b:65:7b:53:
cf:97:74:58:65:8e:45:7b:3c:78:71:9c:98:c9:76:
b2:ac:10:7c:dc:8c:57:86:01:95:2a:ff:9c:b8:d4:
2e:9a:48:32:49:e8:7a:c3:89:01:99:24:e8:f1:d8:
22:22:60:8a:40:5f:79:0e:ee:12:5a:6a:de:c5:dd:
e7:a1:7d:a3:8b:73:e8:17:e3:22:a0:3c:bd:56:45:
3d:74:9c:1b:a2:27:34:fe:2d:cf:c9:b5:6e:4a:68:
ae:a5:c6:33:8e:12:5e:2c:58:ca:3a:89:29:0c:e7:
f3:f1:b3:09:28:59:bb:7d:25:33:5a:f3:cf:f1:ac:
6f:a3:08:8c:8e:ee:b6:d6:99:34:f4:64:16:21:29:
2c:c7:53
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
9c:3e:95:2a:50:28:a0:cf:26:d4:ef:0b:a0:b3:0a:4a:06:ec:
6f:ab:39:a1:5a:61:d8:7d:c7:19:af:88:4a:bb:da:07:14:e2:
6b:cf:9d:c6:53:8f:3a:20:76:fa:6e:35:b7:e4:df:1b:77:74:
ae:31:2b:c4:fc:99:d7:3b:08:a4:8e:80:13:78:1d:06:78:1d:
03:a8:93:06:95:66:90:69:84:0f:00:37:f3:84:48:d8:57:56:
ec:5c:2b:4d:df:20:10:91:01:93:27:a2:c3:54:56:e0:4f:65:
2a:d3:c9:c5:46:5b:1d:5d:79:37:53:1d:fb:a5:82:48:f2:23:
5b:44:37:70:db:f1:2d:e2:ae:d4:dd:32:d3:9a:92:52:9e:8d:
08:c0:83:2c:dd:43:4a:d9:66:41:ec:d8:cd:56:5e:b1:ce:d6:
91:35:b7:e4:16:75:69:d9:a8:ee:e2:73:2a:aa:52:60:29:a9:
12:63:eb:36:7c:7c:dc:91:69:25:ad:4a:e5:5a:42:64:c2:33:
d6:1e:71:84:92:cc:87:04:14:d3:d2:37:f2:03:3f:85:01:ed:
04:04:16:a8:4c:0e:8b:f5:3f:0a:aa:28:ab:19:91:dc:cf:85:
23:ff:fc:81:0f:70:42:02:70:ee:c9:46:af:60:67:88:0c:05:
e5:b5:9d:5a:f5:bf:0d:61:91:b4:bc:b8:87:fe:8f:db:24:8c:
ac:ff:b5:49:0e:8b:0e:8f:11:08:d3:76:4f:e0:15:60:8a:b3:
f9:c6:e0:cd:23:1c:67:ac:72:8d:cd:10:e4:94:12:eb:1d:7e:
8c:a2:24:56:d1:bf:c5:38:a9:a3:f8:6f:7b:94:75:4b:61:22:
1b:ab:c6:65:1a:4b:68:80:fa:26:9e:be:4e:85:2c:a5:15:15:
6a:bb:cf:0e:c6:93:3a:c0:e9:2f:d3:18:21:60:4f:8f:58:fc:
5e:31:b1:a1:2d:00:78:0d:56:63:d0:dd:c0:57:20:01:41:f5:
5a:5d:bb:3e:aa:87:63:6d:37:fa:67:a6:bf:23:84:ab:14:66:
5f:ca:32:1d:2b:41:42:d6:d4:32:89:14:3d:83:2a:c0:27:a2:
ea:e6:4a:d0:0e:d9:2f:38:b9:62:4a:42:e9:6e:40:f1:31:80:
d8:da:d8:e2:1e:82:f7:cf:01:27:9c:39:5a:2e:e3:cc:2e:2f:
1e:af:ab:f4:e5:4d:2c:d1:4b:95:8a:60:cc:83:5e:76:5d:1f:
7c:05:cf:bd:de:88:b0:46:ee:9f:e4:cf:94:5d:5c:55:fa:92:
9d:c4:20:74:ba:0a:a4:54:2d:82:9a:0a:a1:cb:65:f8:2c:35:
88:e0:68:75:e7:bb:de:52
4.4 给nginx服务器配置证书
在/etc/nginx/conf.d/下创建substrate配置文件:
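# Typically saved as /etc/nginx/conf.d/<name>.conf -- the stock nginx.conf
# usually only includes *.conf files from conf.d, so confirm the suffix.
server {
  # TLS listener for the browser (wss://<host>:9900). `listen ... ssl` already
  # enables TLS; the deprecated `ssl on;` (deprecated since 1.15.0, removed in
  # recent releases, where it becomes a fatal "unknown directive") is dropped.
  listen 9900 ssl http2;

  # nginx resolves relative paths against its own prefix (e.g. /etc/nginx/),
  # not /etc/ssl/ where section 4.2 generated the files -- use absolute paths.
  ssl_certificate     /etc/ssl/domain.crt;
  ssl_certificate_key /etc/ssl/domain.key;

  ssl_session_cache   shared:cache_nginx_SSL:1m;
  ssl_session_timeout 1440m;

  # TLS 1.0/1.1 are deprecated (RFC 8996); SSLv3 stays out (POODLE).
  # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1 -- drop it if older.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  # Same list as before minus the 3DES (*DES-CBC3-SHA) suites: 64-bit block
  # ciphers are vulnerable to Sweet32 and have no place on a TLS 1.2+ listener.
  ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS";
  # File must exist or nginx refuses to start; generate it with `openssl dhparam`.
  ssl_dhparam /etc/ssl/certs/dhparam.pem;

  location / {
    # Plain-HTTP WebSocket endpoint of the local Substrate node (loopback only).
    proxy_pass http://localhost:9944/;
    proxy_http_version 1.1;
    proxy_read_timeout 120s;
    proxy_redirect off;
    # Upgrade/Connection are hop-by-hop; they must be re-set explicitly so the
    # WebSocket handshake survives the proxy.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}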
重启nginx
nginx -s reload
这时候,用Chrome访问,还是会出现ERR_CERT_AUTHORITY_INVALID和ERR_CERT_COMMON_NAME_INVALID错误
4.5 配置Chrome浏览器里的证书
点击上面的“Manage certificate”:
点击“Import”,把上面生成的domain.crt导入。
4.6 然后,验证
Hola!!!
5 参考文献
https://blog.ezrabowman.com/self_signed_cert/
chrome://flags/#allow-insecure-localhost
https://downinspector.com/add-security-exception-for-trusted-sites