godaddy之ssl申请

第一步 执行下面命令生成csr和key文件

openssl req -new -newkey rsa:2048 -nodes -keyout trips.com.key -out trips.com.csr

填写下面信息

Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Beijing trips  International Travel Co.,Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:*.trips.com
Email Address []:ops@trips.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:BJbc201712061438

第二步 使用生成的 csr文件去申请公钥

root@BC-BJ-ZW-:/mnt/godaddy-ssl-for-haproxy/# cat trips.com.csr 
-----BEGIN CERTIFICATE REQUEST-----
MIIDHjCCAgYCAQAwgbcxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlqaW5nMRAw
DgYDVQQHDAdCZWlqaW5nMTcwNQYDVQQKDC5CZWlqaW5nIEJhaWNoZW5nICBJbnRl
cm5hdGlvbmFsIFRyYXZlbCBDby4sTHRkMQswCQYDVQQLDAJJVDEdMBsGA1UEAwwU
c2VydmljZS5iYWljaGVuZy5jb20xHzAdBgkqhkiG9w0BCQEWEG9wc0BiYWljaGVu
Zy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDx9r5Y1lulzLL
sQ/kyuj+kbaXqqlfVIaiWAVaWkKtzJFGvM8vCmwQNeSq6cwTPGDpGgUjQE9oS1K/
5x2IXpgF+yGbhWfI84IbD6YXSn196GrLR9oGqg2dI/dCAfqQ9S1kffhFXk25kmqZ
kCQtINephwTHnfRSB73COszHduNf88e6voLzF/y+MIaot
URM+YOvGnk1zt9HmfZv2iSM8HZvr/PL/BT90t736QCvUMqB/CsEEdNM7Yj9Zb1jcrG8FUHVOHyS+TvO909+sOhQTJrHEBvDwrWyUiIY
LZlq//V1AgMBAAGgITAfBgkqhkiG9w0BCQcxEgwQQkpiYzIwMTcxMjA2MTQzODAN
BgkqhkiG9w0BAQsFAAOCAQEAVcqOposcUsHg6YaBauFCb3gXcvvyZjH9elb5nYZO
y7i1mOK14Vyjop6dssFcZeFijN3lWfTP51PAtE2XsgdXl63jYsbM4EgJyBonXw+R
mltOtegLt6Gp5XcFFTLnNy+iAuFTutGpidh6dHuGLQ8SxfdEATi/G3kh3ziTZWSH
DHWXGGwLJUNbOIyiuAhwhCXcQ8WhzhFol0sNAxDc9Zb4ahGv3AMiwhfqm/TCn0PD
eVA1yABxI4xetkFptnND9QoXHu3LnHlbM5nVSUz76nRW+9l5GL6iOUVqZOHjb3g+
+9218o6zrbnv5J5oWbz+JKllmlaxtUcLzjwLKqVrjR0d1A==
-----END CERTIFICATE REQUEST-----

 

第三步  godaddy会发生邮件给域名所有者（xiewenming@trips.com）进行授权dsz A记录解析码，添加后用域名所有者收到的邮件进行审核批准

第四步 等待godaddy审核（dv审核很快），审核完成会签发证书，可以下载下来2个crt文件如下

fed50e497f67ebb3.crt
gd_bundle-g2-g1.crt

第五步：在haroxy上面利用上面的文件和域名key生产pem文件，命令如下

cat trips.com.key  cafd469e37cef3ca.crt gd_bundle-g2-g1.crt > /etc/ssl/service.trips/trips.com.combined.pem

第六步 添加配置文件

       bind *:443 ssl crt /etc/ssl/service.trips/trips.com.combined.pem 

nginx证书生成如下

 cat cafd469e37cef3ca.crt gd_bundle-g2-g1.crt > trips.com.chained.crt 

nginx配置文件

server {
    listen       80;
    server_name  m.trips.com;
    listen       443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
    ssl_certificate     /etc/nginx/conf.d/ssl/trips.com.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/trips.com.key;
#    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; 
    access_log  /var/log/nginx/m.trips.log main;

    location / {
        proxy_pass         http://192.168.31.53;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        #include /etc/nginx/conf.d/m123.conf;
        set $domain default;
        }
}

有时候运营商可能需要一个cer格式的文件，生成方式如下：

cat 证书.crt 私钥.key >> /opt/xxx.cer
#公钥在前面 私钥在后面，这里的公钥就是证书crt