Enabling HTTPS in nginx

2017-12-01  limbooh


1. Generating a CA with OpenSSL

Create the CA that will sign the certificates (called the Root CA here).
First install openssl, then locate its default configuration file and make a copy of it; on my machine the openssl directory is /usr/local/etc/openssl.

Prepare a directory for generating the CA and copy the openssl.cnf configuration file into it:


fuqiangniandeMacBook-Pro:~ fuqiangnian$ mkdir ca
fuqiangniandeMacBook-Pro:~ fuqiangnian$ pwd
/Users/fuqiangnian
fuqiangniandeMacBook-Pro:~ fuqiangnian$ cd ca
fuqiangniandeMacBook-Pro:ca fuqiangnian$ pwd
/Users/fuqiangnian/ca
fuqiangniandeMacBook-Pro:ca fuqiangnian$ cp /usr/local/etc/openssl/openssl.cnf .
fuqiangniandeMacBook-Pro:ca fuqiangnian$ ls
openssl.cnf


Open the openssl.cnf configuration file and find:

[ CA_default ]

dir             = ./demoCA              # Where everything is kept
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand   

Change the base directory to the current directory, and point the CA key and certificate entries at the files that will be created below:

[ CA_default ]

dir             = .
private_key     = $dir/private/ca.key.pem# The private key
certificate     = $dir/certs/ca.cert.pem       # The CA certificate

Create the required files and directories:

# cd ~/ca
# mkdir certs crl newcerts private csr
# touch index.txt
# echo 1 >serial

Create the root CA private key:

fuqiangniandeMacBook-Pro:ca fuqiangnian$ cd ~/ca
fuqiangniandeMacBook-Pro:ca fuqiangnian$ openssl genrsa -aes256 -out private/ca.key.pem 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................++
.++
e is 65537 (0x10001)
Enter pass phrase for private/ca.key.pem:123456
Verifying - Enter pass phrase for private/ca.key.pem:123456

The key generated this way is protected by a passphrase. To make it easier to configure for nginx, convert it to a key without a passphrase (note that nginx itself only loads the server key, not the CA key, so this step really matters for the server key later; an unencrypted CA key must be kept well protected):

 
fuqiangniandeMacBook-Pro:private fuqiangnian$ cd private
fuqiangniandeMacBook-Pro:private fuqiangnian$ pwd
/Users/fuqiangnian/ca/private
fuqiangniandeMacBook-Pro:private fuqiangnian$ openssl rsa -in ca.key.pem -out ca.key.pem
Enter pass phrase for ca.key.pem:123456
writing RSA key

For convenience, change the default values in openssl.cnf. Find:

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Some-State

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)


and change it to:

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Shanghai

localityName                    = Locality Name (eg, city)

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Internet Widgits Pty Ltd

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
#organizationalUnitName_default =

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = limbooh@sina.com

Create the root certificate:

fuqiangniandeMacBook-Pro:ca fuqiangnian$ openssl req -config openssl.cnf \
>       -key private/ca.key.pem \
>       -new -x509 -days 7300 -sha256 -extensions v3_ca \
>       -out certs/ca.cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Shanghai]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:QiangNian
Organizational Unit Name (eg, section) []:QiangNian Certificate Authority
Common Name (e.g. server FQDN or YOUR name) []:QiangNian Root CA
Email Address [limbooh@sina.com]:

Verify the certificate:

fuqiangniandeMacBook-Pro:ca fuqiangnian$ openssl x509 -noout -text -in certs/ca.cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e4:f3:16:75:c6:8f:d8:60
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=Shanghai, O=QiangNian, OU=QiangNian Certificate Authority, CN=QiangNian Root CA/emailAddress=limbooh@sina.com
        Validity
            Not Before: Dec  1 03:20:55 2017 GMT
            Not After : Nov 26 03:20:55 2037 GMT
        Subject: C=CN, ST=Shanghai, O=QiangNian, OU=QiangNian Certificate Authority, CN=QiangNian Root CA/emailAddress=limbooh@sina.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                    00:db:8e:96:eb:9a:74:21:d6:72:bf:e6:a4:4a:0f:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                33:D6:F0:32:2F:B3:D3:0F:23:5D:97:BF:F3:6B:EB:E8:A1:87:A1:A6
            X509v3 Authority Key Identifier: 
                keyid:33:D6:F0:32:2F:B3:D3:0F:23:5D:97:BF:F3:6B:EB:E8:A1:87:A1:A6

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
       ...

Create the server (or client) certificate. Suppose I want a certificate for the domain www.fuqiangnian.net.
First create the private key:

 openssl genrsa -aes256 \
>       -out private/www.fuqiangnian.net.key.pem 2048
Generating RSA private key, 2048 bit long modulus
................................................................................................+++
............................................................+++
e is 65537 (0x10001)
Enter pass phrase for private/www.fuqiangnian.net.key.pem:
Verifying - Enter pass phrase for private/www.fuqiangnian.net.key.pem:

Strip the passphrase from the key:

fuqiangniandeMacBook-Pro:ca fuqiangnian$ pwd
/Users/fuqiangnian/ca
fuqiangniandeMacBook-Pro:ca fuqiangnian$ cd private/
fuqiangniandeMacBook-Pro:private fuqiangnian$ openssl rsa -in www.fuqiangnian.net.key.pem -out www.fuqiangnian.net.key.pem 
Enter pass phrase for www.fuqiangnian.net.key.pem:
writing RSA key

Generate the certificate signing request (CSR):

openssl req -config openssl.cnf \
      -key private/www.fuqiangnian.net.key.pem \
      -new -sha256 -out csr/www.fuqiangnian.net.csr.pem

Before signing, create an extension file that adds extra fields to the certificate at signing time, such as the domain names it is valid for (the subjectAltName):

fuqiangniandeMacBook-Pro:ca fuqiangnian$ vim www.fuqiangnian.net.ext 

subjectAltName = @alt_names
extendedKeyUsage = serverAuth

[alt_names]
DNS.1   = localhost
DNS.2   = www.fuqiangnian.net

Sign the certificate with the CA:

openssl x509 -req -CA certs/ca.cert.pem -CAkey private/ca.key.pem \
      -in csr/www.fuqiangnian.net.csr.pem -out certs/www.fuqiangnian.net.cert.pem \
      -days 10000 -extfile www.fuqiangnian.net.ext -sha256 -set_serial 0x1111

Verify:

fuqiangniandeMacBook-Pro:ca fuqiangnian$ openssl s_server -accept 15000 -cert certs/www.fuqiangnian.net.cert.pem -key private/www.fuqiangnian.net.key.pem -CAfile certs/ca.cert.pem -WWW
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT


Seeing ACCEPT means openssl s_server loaded the certificate and key and is listening, so the pair is usable.

2. Configuring nginx

Install certs/ca.cert.pem into Keychain Access on your computer and mark it as trusted under Get Info.

Configure certs/www.fuqiangnian.net.cert.pem and private/www.fuqiangnian.net.key.pem in nginx.

For example, my nginx runs as a container inside a virtual machine, with this configuration:

server {
    listen       443 ssl;
    server_name  www.fuqiangnian.net;

    ssl_certificate      /etc/nginx/server.crt;
    ssl_certificate_key  /etc/nginx/server.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
}

Container start script, run.sh:

#!/bin/bash

docker run --name my-nginx \
    -v /home/fuqiangnian/docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
    -v /home/fuqiangnian/Desktop/Parallels\ Shared\ Folders/Home/ca/private/www.fuqiangnian.net.key.pem:/etc/nginx/server.key \
    -v /home/fuqiangnian/Desktop/Parallels\ Shared\ Folders/Home/ca/certs/www.fuqiangnian.net.cert.pem:/etc/nginx/server.crt \
    -p 80:80 -p 443:443 nginx

Start the container and open the site in a browser. For testing, add a hostname mapping to the hosts file:

$ vim /etc/hosts

10.211.55.5 www.fuqiangnian.net

The IP address here is the address of my virtual machine.
Open the site in the browser and the green padlock appears.


(Screenshot: https.png, the browser showing the padlock)

