
Configuring HTTPS certificates for nginx


Please credit the source when reposting: shiwenyuan.github.io/posts/cjz0o…

HTTPS for websites

Moving websites to HTTPS is now the prevailing trend, and even a personal blog can run HTTPS!

Let's Encrypt

Let's Encrypt is a free, automated and open certificate authority. It is run by the ISRG (Internet Security Research Group), a public-benefit organization based in California, USA. Let's Encrypt is backed by Mozilla, Cisco, Akamai, the Electronic Frontier Foundation, Chrome and many other companies and organizations, and has grown very rapidly.

Requesting a Let's Encrypt certificate is not only free but also very simple. Although each certificate is valid for only 90 days, it can be renewed on a schedule by a script, so once set up it takes care of itself. After watching from the sidelines for a while, I have now officially switched this site to Let's Encrypt certificates; this article records the application process and the problems I ran into.

I did not use the tool offered on the official Let's Encrypt site to request the certificate, but [acme.sh](https://github.com/Neilpang/acme.sh "acme.sh"), a smaller open-source tool. What follows is written essentially from the acme.sh documentation, leaving out some steps I did not need.

Configuring the validation service

A traditional CA usually validates ownership by sending a confirmation mail to admin@youremail.com. Let's Encrypt instead generates a random validation file on your server and then fetches it through the domain named when the CSR was created; if the file can be fetched, that proves you control the domain.

Prerequisites

1. nginx is built with the HTTPS (SSL) module.

Checking domain control via web access

Step 1 (create the directory or an nginx access rule)

CA validation

```nginx
location ^~ /.well-known/acme-challenge/ {
    # Note: replace $challenges_dir with your real directory, e.g. /home/work/www/challenges/
    alias $challenges_dir;
    try_files $uri =404;
}
```

or

Add a `.well-known/acme-challenge` directory under the project root; Let's Encrypt uses it to verify control of the site.

Step 2: issue the certificate

```shell
./acme.sh --issue -d diancan.xiaochengxu.phpblog.com.cn --webroot /home/www/xiaochengxu/diancan
```

Step 3: copy the certificate to its target location

```shell
acme.sh --installcert -d www.your-app.com \
    --keypath /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn.key \
    --fullchainpath /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn.key.pem \
    --reloadcmd " /usr/local/nginx/sbin/nginx -s reload"
```

Step 4: configure nginx

```nginx
server {
    listen 80;
    server_name diancan.xiaochengxu.phpblog.com.cn;
    location / {
        # Redirect every HTTP request to HTTPS; $1 keeps the requested path
        rewrite ^/(.*)$ https://diancan.xiaochengxu.phpblog.com.cn/$1 permanent;
    }
}
server {
    listen 443 ssl;
    server_name diancan.xiaochengxu.phpblog.com.cn;
    include /usr/local/nginx/ssl/ssl_params;
    # These two paths must match the files written by acme.sh --installcert in step 3
    ssl_certificate /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.cer;
    ssl_certificate_key /usr/local/nginx/ssl/diancan.xiaochengxu.phpblog.com.cn/diancan.xiaochengxu.phpblog.com.cn.key;
    root /home/www/diancan/xiaochengxu; # change this to the path where your web files live
    include /usr/local/nginx/ssl/ssl_headers;
    location / {
        try_files $uri $uri/ /index.php?$query_string;
        index index.php index.html index.htm;
    }
    location ~ \.php$ {
        include /usr/local/nginx/conf/fastcgi.conf;
        fastcgi_intercept_errors on;
        fastcgi_pass 127.0.0.1:9000;
    }
}
```
```nginx
# contents of /usr/local/nginx/ssl/ssl_headers
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
```

```nginx
# contents of /usr/local/nginx/ssl/ssl_params
# Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); a current deployment should offer TLSv1.2 and TLSv1.3 only
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_dhparam /usr/local/nginx/ssl/dhparam.pem; # See https://weakdh.org/sysadmin.html for more details
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA";
```

The dhparam.pem file is one I had generated earlier, with this command:

```shell
openssl dhparam -out /usr/local/nginx/ssl/dhparam.pem 2048
```

Step 5: restart nginx and check

(Screenshot: the site as seen in the browser after HTTPS was configured successfully.)

Automatic certificate renewal

The issued certificate is valid for only 90 days.

Add one line to the crontab:

```shell
# --home must point to the acme.sh home directory
0 0 * * * /home/work/opbin/ssl/acme.sh-master/acme.sh --cron --home /home/work/opbin/ssl/acme.sh-master/acme.sh
```

This checks the certificates every day at midnight; a certificate is renewed when it reaches 60 days of age. Because acme.sh remembers the earlier installcert, it reloads nginx automatically after renewing the certificate. If no reloadcmd was given when installcert was run, you have to restart nginx by hand after every renewal (which defeats the purpose of automatic renewal).
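The cron job only helps when acme.sh actually gets to renew, and DNS manual mode (below) cannot renew at all, so an independent expiry check is worth having. The following is an added shell example, not code from the original post or from acme.sh: it reads notAfter from a PEM file and applies the same threshold at which acme.sh renews a 90-day certificate (fewer than 30 days remaining). It assumes the openssl CLI and GNU date (`-d`) are installed.

```shell
#!/bin/sh
# Added example: report days until a PEM certificate expires and decide
# whether it is due for renewal. Assumes the openssl CLI and GNU date.

# acme.sh renews at day 60 of a 90-day certificate, i.e. 30 days before expiry.
RENEW_BEFORE_DAYS=30

# Whole days until the certificate in file $1 expires (negative once expired).
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    [ -n "$not_after" ] || return 1
    end_epoch=$(date -u -d "$not_after" +%s) || return 1
    now_epoch=$(date -u +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Print "expired" when notAfter has passed, "renew" when inside the renewal
# window, and "ok" otherwise.
renew_decision() {
    days=$(days_until_expiry "$1") || return 1
    if [ "$days" -lt 0 ]; then
        echo expired
    elif [ "$days" -lt "$RENEW_BEFORE_DAYS" ]; then
        echo renew
    else
        echo ok
    fi
}

# Stand-alone use: sh check_cert.sh /path/to/fullchain.cer
if [ -n "$1" ]; then
    printf '%s: %s days left, %s\n' "$1" "$(days_until_expiry "$1")" "$(renew_decision "$1")"
fi
```

Running it from cron against the installed fullchain file and alerting on anything other than `ok` catches both a silently failing renewal and the manual-mode case.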

Checking domain control via DNS

Manual configuration

Step 1

```text
[work@iZ25ndyf9bxZ acme.sh-master]$ !1019
./acme.sh --issue --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:24:56 CST 2018] Creating domain key
[Tue Sep 11 21:24:56 CST 2018] The domain key is here: /home/work/.acme.sh/*.test.com/*.test.com.key
[Tue Sep 11 21:24:56 CST 2018] Multi domain='DNS:*.test.com,test.com'
[Tue Sep 11 21:24:56 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:24:59 CST 2018] Getting webroot for domain='*.test.com'
[Tue Sep 11 21:25:00 CST 2018] Getting webroot for domain='test.com'
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] so the resulting subdomain will be: _acme-challenge.test.com
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] so the resulting subdomain will be: _acme-challenge.test.com
[Tue Sep 11 21:25:00 CST 2018] Please add the TXT records to the domains, and re-run with --renew.
[Tue Sep 11 21:25:00 CST 2018] Please check log file for more details: /home/work/.acme.sh/acme.sh.log
[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --renew --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:31:18 CST 2018] Renew: '*.test.com'
[Tue Sep 11 21:31:19 CST 2018] Multi domain='DNS:*.test.com,test.com'
[Tue Sep 11 21:31:19 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:31:19 CST 2018] Verifying:*.test.com
[Tue Sep 11 21:31:24 CST 2018] Success
[Tue Sep 11 21:31:24 CST 2018] Verifying:test.com
[Tue Sep 11 21:31:27 CST 2018] Success
[Tue Sep 11 21:31:27 CST 2018] Verify finished, start to sign.
[Tue Sep 11 21:31:30 CST 2018] Cert success.
```

What the output above says is that the following records must be added in DNS:

```text
Domain: '_acme-challenge.test.com'
TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
Domain: '_acme-challenge.test.com'
TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
```
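Copying those records out by hand is error-prone, and the wildcard and apex challenges share the same name, so both TXT records must exist at once. The following added shell example, not code from the original post or from acme.sh, parses acme.sh's manual-mode output into zone-file TXT lines and counts the values per record name; the sample input is copied from the session above.

```shell
#!/bin/sh
# Added example: turn acme.sh DNS manual-mode output into zone-file TXT records.
# Both functions read the acme.sh output from stdin.

# Print one "name. 60 IN TXT "value"" line for every Domain / TXT value pair.
txt_records_from_log() {
    # acme.sh prints "Domain: '<name>'" followed by "TXT value: '<token>'";
    # sed drops the timestamp and quotes, awk pairs each name with its value.
    sed -n "s/^.*Domain: '\([^']*\)'.*$/D \1/p; s/^.*TXT value: '\([^']*\)'.*$/V \1/p" |
    awk '$1 == "D" { name = $2 }
         $1 == "V" { printf "%s. 60 IN TXT \"%s\"\n", name, $2 }'
}

# Print "name count" per record name. A wildcard plus apex request yields two
# different values under one name; both must be published, not one replaced.
count_txt_values() {
    txt_records_from_log | sort -u | awk '{ c[$1]++ } END { for (n in c) print n, c[n] }'
}

# Sample input constructed from the acme.sh session shown above.
sample_log() {
cat <<'EOF'
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'Oe0iBXj3QvUErZOpROldRLx5jpyXbazsX36lkI46C_Y'
[Tue Sep 11 21:25:00 CST 2018] Please be aware that you prepend _acme-challenge. before your domain
[Tue Sep 11 21:25:00 CST 2018] Add the following TXT record:
[Tue Sep 11 21:25:00 CST 2018] Domain: '_acme-challenge.test.com'
[Tue Sep 11 21:25:00 CST 2018] TXT value: 'qVFtVzCnBsj1omQcdU1m8180rUBO8V5AHDczFUHqsMY'
EOF
}

# Stand-alone use: paste the zone lines into the DNS provider, then check the count.
sample_log | txt_records_from_log
sample_log | count_txt_values
```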

After the records take effect

```text
[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --renew --dns -d *.test.com -d test.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Tue Sep 11 21:31:18 CST 2018] Renew: '*.test.com'
[Tue Sep 11 21:31:19 CST 2018] Multi domain='DNS:*.test.com,DNS:test.com'
[Tue Sep 11 21:31:19 CST 2018] Getting domain auth token for each domain
[Tue Sep 11 21:31:19 CST 2018] Verifying:*.test.com
[Tue Sep 11 21:31:24 CST 2018] Success
[Tue Sep 11 21:31:24 CST 2018] Verifying:test.com
[Tue Sep 11 21:31:27 CST 2018] Success
[Tue Sep 11 21:31:27 CST 2018] Verify finished, start to sign.
[Tue Sep 11 21:31:30 CST 2018] Cert success.
[Tue Sep 11 21:31:30 CST 2018] Your cert is in /home/work/.acme.sh/*.test.com/*.test.com.cer
[Tue Sep 11 21:31:30 CST 2018] Your cert key is in /home/work/.acme.sh/*.test.com/*.test.com.key
[Tue Sep 11 21:31:30 CST 2018] The intermediate CA cert is in /home/work/.acme.sh/*.test.com/ca.cer
[Tue Sep 11 21:31:30 CST 2018] And the full chain certs is there: /home/work/.acme.sh/*.test.com/fullchain.cer
[Tue Sep 11 21:31:30 CST 2018] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Tue Sep 11 21:31:30 CST 2018] Call hook error.
```

Configuration after successful issuance

```text
[work@iZ25ndyf9bxZ acme.sh-master]$ ./acme.sh --installcert -d *.xmanlegal.com \
> --key-file /mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key \
> --fullchain-file /mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key.cer \
> --reloadcmd "echo "Asdf1234" sudo -S /mnt/usr/sbin/nginx -s reload"
[Tue Sep 11 21:36:31 CST 2018] Installing key to:/mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key
[Tue Sep 11 21:36:31 CST 2018] Installing full chain to:/mnt/usr/ssl/xmanlegal.com/xmanlegal.com.key.cer
[Tue Sep 11 21:36:31 CST 2018] Run reload cmd: echo Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload
Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload
[Tue Sep 11 21:36:31 CST 2018] Reload success
```

Look closely at the `Run reload cmd` line: the inner double quotes end the string early, so the command that was stored and run is `echo Asdf1234 sudo -S /mnt/usr/sbin/nginx -s reload`, which only prints that text (the next output line) and never reloads nginx, even though acme.sh reports `Reload success`. It also leaves a sudo password in plain text in the acme.sh configuration and log; a reload command that needs no password at all (for example a sudoers rule that lets the acme.sh user run only `nginx -s reload`) avoids both problems.

Closing

Certificate rating test · Related technical blogs

Reposted from: https://juejin.im/post/5d4a5bdf6fb9a06b26508106
