由于现在HTTPS网站已经成为主流,所以今天在我的LNMP环境下测试了一下自建的SSL证书的使用。由于是自己建的CA以及密钥,所以一般的浏览器是不会认为安全,想要让主流浏览器认为安全,还是要花钱到认证机构去申请证书。
以下是我的配置步骤以及碰到的一个问题。
HTTPS简介
https就是在http的基础上使用了ssl加密验证,使网络传输更安全。
1.LNMP环境
[[email protected] sslkey]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.6.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/application/nginx1.6.3 --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module
注:由于需要配置https,所以nginx在编译的时候需要加上--with-http_stub_status_module --with-http_ssl_module这两个参数。
--with-http_stub_status_module 启用nginx的NginxStatus 功能,用来监控nginx的当前状态
--with-http_ssl_module 使nginx支持ssl模块
2.安装openssl
openssl是一个可以为我们创建证书和密钥的工具。
[[email protected] ~]# yum install -y openssl openssl-devel
3.生成密钥server.key
#创建一个存放证书和密钥的文件夹sslkey
[[email protected] ~]# mkdir /application/nginx/sslkey
[[email protected] ~]# cd /application/nginx/sslkey/
#生成一个供服务器使用的密钥
[[email protected] nginx]# openssl genrsa -out server.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.........................++++++
e is 65537 (0x10001)
[[email protected] sslkey]# ll server.key
-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key
4.申请一个证书server.crt
#生成证书请求文件server.scr
[[email protected] sslkey]# openssl req -new -key server.key -out server.scr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn #国家
State or Province Name (full name) []:sh #省市
Locality Name (eg, city) [Default City]:sh #城市
Organization Name (eg, company) [Default Company Ltd]:sh #组织名称
Organizational Unit Name (eg, section) []:sh #部门名称
Common Name (eg, your name or your server‘s hostname) []:ssl.etiantian.org #域名
Email Address []:[email protected] #邮箱
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:111111 #密码
An optional company name []:111111 #可选
#生成证书文件server.crt
#[[email protected] sslkey]# openssl rsa -in server.key -out server.nopass.key
#writing RSA key
[[email protected] sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=sh/L=sh/O=sh/OU=sh/CN=ssl.etiantian.org/[email protected]
Getting Private key
#查看证书文件
[[email protected] sslkey]# ll
total 16
-rw-r--r--. 1 root root 912 Dec 17 11:38 server.crt #证书
-rw-r--r--. 1 root root 745 Dec 17 11:13 server.csr
-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key #密钥
-rw-r--r--. 1 root root 887 Dec 17 11:35 server.nopass.key
5.配置nginx的主配置文件nginx.conf
#配置一个虚拟主机使用https
server{
listen 443;
server_name ssl.etiantian.org;
ssl on;
ssl_certificate /application/nginx1.6.3/sslkey/server.crt;
ssl_certificate_key /application/nginx1.6.3/sslkey/server.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
ssl_prefer_server_ciphers on;
location / {
root html/ssl;
index index.html index.htm;
}
}
6.重启nginx
[[email protected] sslkey]# /application/nginx/sbin/nginx -t
nginx: the configuration file /application/nginx1.6.3/conf/nginx.conf syntax is ok
nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test is successful
[[email protected] sslkey]# /application/nginx/sbin/nginx -s reload
7.配置hosts文件
192.168.137.220 ssl.etiantian.org
8.测试
#在浏览器中输入https://ssl.etiantian.org
9.碰到的问题
配置好后,检查nginx语法的时候报错。
[[email protected] sslkey]# /application/nginx/sbin/nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx/sslkey/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test failed
经过在网络搜索,但是没有解决我的问题。后来参考了一篇博客才解决了。
参考博文:http://blog.sina.com.cn/s/blog_4f925fc30102eucg.html
解决问题:
由于之前生成证书的时候,步骤错误导致的:
[[email protected] sslkey]# openssl req -new -keyserver.key -out server.crt
正确步骤是:
[[email protected] sslkey]# openssl req -new -keyserver.key -out server.csr
[[email protected] sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt