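Using a self-signed SSL certificate with Nginx

Method 1: use snakeoil

When nginx is installed with apt, the default configuration file contains the commented-out line "include snippets/snakeoil.conf;". Uncomment it and reload the configuration with systemctl reload nginx.

If the reload fails with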

nginx: [emerg] cannot load certificate "/etc/ssl/certs/ssl-cert-snakeoil.pem": BIO_new_file() failed (SSL: 
error:02001002:system library:fopen:No such file or directory:fopen('/etc/ssl/certs/ssl-cert-snakeoil.pem','r') 
error:2006D080:BIO routines:BIO_new_file:no such file)

then install the dependency with apt install ssl-cert and reload the configuration again.

Method 2: self-sign with OpenSSL (the main part)

Create the private key

openssl genrsa -out server.key 2048

Create the certificate signing request

openssl req -new -key server.key -out server.csr

Fill in the fields as needed at this point. Note that Common Name must be the domain name or IP address of the site.

output and input:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:**cn**
State or Province Name (full name) [Some-State]:**localhost**
Locality Name (eg, city) []:**sh**
Organization Name (eg, company) [Internet Widgits Pty Ltd]:****
Organizational Unit Name (eg, section) []:****
Common Name (e.g. server FQDN or YOUR name) []:**localhost**
Email Address []:**admin@localhost**

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:**nopass**
An optional company name []:**cn-ltd**

Create the self-signed certificate

openssl x509 -req -in server.csr -signkey server.key -out server.crt

output:

Certificate request self-signature ok
subject=C = cn, ST = localhost, L = sh, O = Internet Widgits Pty Ltd, CN = localhost, emailAddress = admin@localhost

Configure nginx

server {
      listen              443 ssl;
      ssl_certificate     /path/to/server.crt;   # certificate created above
      ssl_certificate_key /path/to/server.key;   # matching private key
      # ....
}

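Once configured, reload the configuration with systemctl reload nginx.

When Chrome visits a site that uses a self-signed certificate, it warns that the site is not secure.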

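The fix is either to ignore the warning or to add the certificate to the local trusted authorities (which doesn't seem to do much good).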
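Added example (not from the original post): Chrome matches the site name against the certificate's subjectAltName extension and ignores Common Name, so a certificate intended to be trusted locally needs a SAN entry. The script below creates the key and certificate in one step with a SAN and checks both files before nginx is reloaded. It assumes OpenSSL 1.1.1 or later (for -addext); the function names, output file names and the 365-day default are assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate with subjectAltName for nginx testing.
# Function names, file names and the 365-day default are assumptions.

# make_selfsigned_cert HOST IP OUTDIR [DAYS]
# Writes OUTDIR/server.key and OUTDIR/server.crt in one step (no CSR needed).
make_selfsigned_cert() {
    host=$1; ip=$2; outdir=$3; days=${4:-365}
    mkdir -p "$outdir" || return 1
    # umask 077 in a subshell so the private key is created owner-readable only.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$outdir/server.key" -out "$outdir/server.crt" \
            -days "$days" -subj "/CN=$host" \
            -addext "subjectAltName=DNS:$host,IP:$ip" 2>/dev/null
    )
}

# san_of CERT: print the subjectAltName entries, empty if the extension is absent.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key,
# which nginx requires of ssl_certificate and ssl_certificate_key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as: sh script.sh localhost 127.0.0.1 ./certs
if [ "$#" -ge 3 ]; then
    make_selfsigned_cert "$@" && san_of "$3/server.crt" &&
        key_matches_cert "$3/server.key" "$3/server.crt" &&
        echo "key and certificate match"
fi
```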

What it's good for:

At least you now have an SSL certificate for development and deployment testing.

Copied from:

https://jackyu.cn/tech/nginx-selfsign-ssl-cert/

posted @ 2026-02-04 15:08  ayanmw