实现 nginx-https 访问的步骤过程

自签证书生成脚本如下(注意:脚本生成的是由私有 CA 签发的证书,客户端需要把 cacert.pem 导入信任库,否则浏览器/curl 仍会提示证书不受信任):

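#!/bin/bash
# Generate three certificates: one private CA plus two server certificates
# signed by it.  All files are written into $DIR.
#
#   cakey.pem  / cacert.pem               CA private key + self-signed CA cert (3650 days)
#   master.key / master.csr / master.crt  www.magedu.org key, CSR, CA-signed cert (365 days)
#   slave.key  / slave.csr  / slave.crt   m.magedu.org   key, CSR, CA-signed cert (365 days)
#
# Requires: openssl, and /etc/init.d/functions (provides `action`).
#
# NOTE(review): every key is written unencrypted (-nodes), including the CA
# key.  Whoever can read cakey.pem can mint certificates trusted by every
# client that imports cacert.pem, so keep $DIR on a trusted host only.
# NOTE(review): the certificates carry no subjectAltName (only -subj/CN is
# set and no -extfile/-addext is used); modern browsers ignore CN and will
# reject such certificates for hostname validation.

# -e / -o pipefail: abort on the first failing command instead of printing
# "证书生成完成" over a half-written set of files.  -u is deliberately not
# enabled because the sourced /etc/init.d/functions reads variables it never
# defines.
set -eo pipefail

. /etc/init.d/functions

# Index layout, for certificate i in 0..2:
#   ${i}0 subject   ${i}1 key file   ${i}2 cert file   ${i}3 RSA bits
#   ${i}4 validity (days)   ${i}5 serial   ${i}6 CSR file (server certs only)
# Bash treats [00]..[26] as ordinary integer indices (00 == 0, 10, 20, ...).
CERT_INFO=(
  [00]="/O=KeYun/CN=ca.magedu.com"
  [01]="cakey.pem"
  [02]="cacert.pem"
  [03]=2048
  [04]=3650
  [05]=0
  [10]="/C=CN/ST=YunNan/L=Kuming/O=KeYun/CN=www.magedu.org"
  [11]="master.key"
  [12]="master.crt"
  [13]=2048
  [14]=365
  [15]=1
  [16]="master.csr"
  [20]="/C=CN/ST=YunNan/L=Kuming/O=KeYun/CN=m.magedu.org"
  [21]="slave.key"
  [22]="slave.crt"
  [23]=2048
  [24]=365
  [25]=2
  [26]="slave.csr"
)
COLOR="echo -e \\E[1;32m"
END="\\E[0m"
DIR=/apps/nginx/certs/

# Without this check a missing $DIR would scatter keys into the caller's cwd.
cd "$DIR" || { echo "cannot cd to $DIR" >&2; exit 1; }

for i in {0..2}; do
  subj=${CERT_INFO[${i}0]}
  key=${CERT_INFO[${i}1]}
  crt=${CERT_INFO[${i}2]}
  bits=${CERT_INFO[${i}3]}
  days=${CERT_INFO[${i}4]}
  serial=${CERT_INFO[${i}5]}

  if (( i == 0 )); then
    # Self-signed CA certificate and key.
    openssl req -x509 -newkey "rsa:${bits}" -subj "$subj" \
      -set_serial "$serial" -keyout "$key" -nodes -days "$days" \
      -out "$crt" >/dev/null 2>&1 \
      || { echo "failed to create CA certificate $crt" >&2; exit 1; }
  else
    csr=${CERT_INFO[${i}6]}
    # Server key + CSR, then sign the CSR with the CA produced in iteration 0.
    # NOTE(review): serials are hard-coded (1 and 2).  Re-running the script
    # after the 365-day certs expire reissues certificates with the same
    # serial under the same CA, which some clients/caches reject; bump or
    # randomise the serial if the script is meant to be re-run.
    openssl req -newkey "rsa:${bits}" -nodes -subj "$subj" \
      -keyout "$key" -out "$csr" >/dev/null 2>&1 \
      || { echo "failed to create CSR $csr" >&2; exit 1; }
    openssl x509 -req -in "$csr" -CA "${CERT_INFO[02]}" -CAkey "${CERT_INFO[01]}" \
      -set_serial "$serial" -days "$days" -out "$crt" >/dev/null 2>&1 \
      || { echo "failed to sign $csr with ${CERT_INFO[02]}" >&2; exit 1; }
  fi

  # $COLOR is intentionally unquoted: it must split into `echo -e <escape>`.
  $COLOR"**************************************生成证书信息**************************************"$END
  openssl x509 -in "$crt" -noout -subject -dates -serial
  echo
done

# Private keys must be owner-readable only; `--` protects against odd names.
chmod 600 -- *.key
action "证书生成完成"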

nginx配置如下

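server {
  # Plain HTTP is still served by this same block; nothing here redirects
  # 80 -> 443, so clients arriving over http:// are never forced onto TLS.
  # If that is not intended, serve port 80 from a separate server block with
  # `return 301 https://$host$request_uri;`.
  listen 80;
  listen 443 ssl;
  # ssl_certificate must hold the server (leaf) certificate FIRST, followed by
  # the CA/intermediate certificates that signed it:
  #   cat master.crt cacert.pem > magedu.org.crt
  # With the CA certificate first, nginx tries to pair cacert.pem with
  # ssl_certificate_key and typically fails with a key-mismatch error.
  ssl_certificate /apps/nginx/certs/magedu.org.crt;
  ssl_certificate_key /apps/nginx/certs/magedu.org.key;
  # Limit to current protocol versions; TLS 1.0/1.1 are deprecated.
  # (TLSv1.3 needs nginx >= 1.13 built against OpenSSL >= 1.1.1; drop it
  # from the list on older builds.)
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_session_cache shared:sslcache:20m;
  ssl_session_timeout 10m;
  ...
  }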
[root@centos8 certs]#bash /root/certificate.sh 
**************************************生成证书信息**************************************
subject=O = KeYun, CN = ca.magedu.com
notBefore=Oct 13 07:07:01 2020 GMT
notAfter=Oct 11 07:07:01 2030 GMT
serial=00

**************************************生成证书信息**************************************
subject=C = CN, ST = YunNan, L = Kuming, O = KeYun, CN = www.magedu.org
notBefore=Oct 13 07:07:01 2020 GMT
notAfter=Oct 13 07:07:01 2021 GMT
serial=01

**************************************生成证书信息**************************************
subject=C = CN, ST = YunNan, L = Kuming, O = KeYun, CN = m.magedu.org
notBefore=Oct 13 07:07:01 2020 GMT
notAfter=Oct 13 07:07:01 2021 GMT
serial=02

证书生成完成

[root@centos8 certs]#ll
total 32
-rw-r--r-- 1 root root 1143 Oct 13 15:07 cacert.pem
-rw------- 1 root root 1704 Oct 13 15:07 cakey.pem
-rw-r--r-- 1 root root 1086 Oct 13 15:07 master.crt
-rw-r--r-- 1 root root 985 Oct 13 15:07 master.csr
-rw------- 1 root root 1704 Oct 13 15:07 master.key
-rw-r--r-- 1 root root 1082 Oct 13 15:07 slave.crt
-rw-r--r-- 1 root root 980 Oct 13 15:07 slave.csr
-rw------- 1 root root 1704 Oct 13 15:07 slave.key

#把CA证书和服务器证书合并成一个证书文件(注意顺序:nginx 要求服务器证书在前、CA 证书在后)

[root@centos8 certs]#cat cacert.pem master.crt > magedu.org.crt

[root@centos8 certs]#mv master.key magedu.org.key

执行报错如下:

 

 

 后来发现是在证书合并的时候 CA 证书和服务器证书的顺序写反了。nginx 的 ssl_certificate 文件要求服务器(叶子)证书放在最前面,后面再依次追加签发它的 CA/中间证书;把 CA 证书放在最前面时,nginx 会拿 cacert.pem 去和 ssl_certificate_key 匹配,通常会报 key values mismatch 之类的错误。

修正如下:

[root@centos8 certs]#cat master.crt cacert.pem > magedu.org.crt

  [root@centos8 certs]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful

 

 查看证书

 
