
Using OpenSSL on Windows 10 to generate a CA certificate and simulate an HTTPS development/debugging environment locally


Background: a local Python Flask project, started by running manage.py as a Python script. Using ngrok for an inbound tunnel, none of the following could produce a working HTTPS address (ngrok returned 502):

    ngrok http -bind-tls=true localhost:443
    ngrok http https://localhost:443
    ngrok http 443

So the following was tried instead:

 

1. Install OpenSSL (reference: https://tecadmin.net/install-openssl-on-windows/ )

Download: http://slproweb.com/products/Win32OpenSSL.html (Windows OpenSSL download; take the 43 MB build)

Configure the environment variables and add the bin directory to Path so openssl can be run from anywhere:

    set OPENSSL_CONF=C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
    set Path=......Other Values here......;C:\Program Files\OpenSSL-Win64\bin

Check that the installation succeeded:

    Microsoft Windows [Version 10.0.17134.1069]
    (c) 2018 Microsoft Corporation. All rights reserved.
    C:\Users\jalchu>openssl
    OpenSSL> version
    OpenSSL 1.1.1d 10 Sep 2019
    OpenSSL>

 

2. Create the private key (reference: https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/ )

    PS D:\ssl> openssl genrsa -des3 -out rootSSL.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    .........................................................+++++
    ...+++++
    e is 65537 (0x010001)
    Enter pass phrase for rootSSL.key:
    Verifying - Enter pass phrase for rootSSL.key:

(Note: enter the same string at both pass phrase prompts)

 

3. Create the certificate (reference: https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/ )

    PS D:\ssl> openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
    Enter pass phrase for rootSSL.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:AU
    State or Province Name (full name) [Some-State]:NSW
    Locality Name (eg, city) []:Sydney
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Zero Point Development
    Organizational Unit Name (eg, section) []:Development
    Common Name (e.g. server FQDN or YOUR name) []:zeropointdevelopment.com
    Email Address []:hello@zeropointdevelopment.com

 

4. Trust the certificate (reference: https://zeropointdevelopment.com/how-to-get-https-working-in-windows-10-localhost-dev-environment/ )

    Step 1 – Press the Windows key + R
    Step 2 – Type "MMC" and click "OK"
    Step 3 – Go to "File > Add/Remove Snap-in"
    Step 4 – Click "Certificates" and "Add"
    Step 5 – Select "Computer Account" and click "Next"
    Step 6 – Select "Local Computer" then click "Finish"
    Step 7 – Click "OK" to go back to the MMC window
    Step 8 – Double-click "Certificates (local computer)" to expand the view
    Step 9 – Select "Trusted Root Certification Authorities", right-click "Certificates" and select "All Tasks" then "Import"
    Step 10 – Click "Next" then "Browse" and locate the "rootSSL.pem" file created earlier
    Step 11 – Select "Place all certificates in the following store" and select the "Trusted Root Certification Authorities" store. Click "Next" then click "Finish" to complete the wizard.

 

5. Map the domain

Edit C:\Windows\System32\drivers\etc\hosts and append at the end:

    # For example:
    #
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    # localhost name resolution is handled within DNS itself.
    # 127.0.0.1 localhost
    # ::1 localhost
    127.0.0.1 client-1.local

 

6. Create a private key for the domain

    PS D:\ssl> openssl req -new -sha256 -nodes -out client-1.local.csr -newkey rsa:2048 -keyout client-1.local.key -subj "/C=AU/ST=NSW/L=Sydney/O=Client One/OU=Dev/CN=client-1/emailAddress=hello@client-1.local"
    Generating a RSA private key
    .............................................................................................+++++
    .......................................................................................................+++++
    writing new private key to 'client-1.local.key'
    -----

 

7. Issue the certificate

    PS D:\ssl> openssl x509 -req -in client-1.local.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out client-1.local.crt -days 500 -sha256 -extensions "authorityKeyIdentifier=keyid,issuer\n basicConstraints=CA:FALSE\n keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment\n subjectAltName=DNS:client-1.local"
    Signature ok
    subject=C = AU, ST = NSW, L = Sydney, O = Client One, OU = Dev, CN = client-1, emailAddress = hello@client-1.local
    Getting CA Private Key
    Enter pass phrase for rootSSL.key:
    PS D:\ssl>
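One caveat on the signing command above: -extensions only names a section inside a file supplied with -extfile, OpenSSL 1.1.1 silently adds no extensions when -extfile is absent, and "\n" is not a newline inside a PowerShell double-quoted string, so the certificate it produces carries no subjectAltName and browsers will still refuse it. The PowerShell script below is an added example, not code from the original post: it writes a real extension file, signs the CSR with it, and checks the result. It assumes D:\ssl holds rootSSL.pem, rootSSL.key and client-1.local.csr from the previous steps, that openssl.exe is on the Path, and uses a section name (v3_leaf), file name (client-1.local.ext) and TLS-server key-usage profile chosen for this example.

```powershell
# Added example, not from the original post. Assumes D:\ssl holds rootSSL.pem,
# rootSSL.key and client-1.local.csr from the steps above, and that openssl.exe
# is on the Path. Section name v3_leaf and file name client-1.local.ext are
# this example's own choices.
Set-Location D:\ssl

# -extensions only names a section inside a file given with -extfile; without
# -extfile OpenSSL 1.1.1 silently adds no extensions, and "\n" is not a newline
# in a PowerShell "..." string. So write the extensions to a real file.
$ext = @"
[ v3_leaf ]
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:client-1.local
"@
Set-Content -Path .\client-1.local.ext -Value $ext -Encoding ascii

# Sign the CSR with the root CA (prompts for the rootSSL.key pass phrase).
openssl x509 -req -in client-1.local.csr -CA rootSSL.pem -CAkey rootSSL.key `
    -CAcreateserial -out client-1.local.crt -days 500 -sha256 `
    -extfile .\client-1.local.ext -extensions v3_leaf
if ($LASTEXITCODE -ne 0) { throw "certificate issuance failed" }

# Check 1: the SAN is really in the certificate. Browsers match the host name
# against subjectAltName and ignore CN, so a leaf without it is rejected.
$text = openssl x509 -in client-1.local.crt -noout -text
if (-not ($text | Select-String -Pattern 'DNS:client-1\.local' -Quiet)) {
    throw "subjectAltName missing from client-1.local.crt"
}

# Check 2: the leaf is not a CA itself. client-1.local.key was made with -nodes
# (no pass phrase), so if it leaks it must not be able to issue further certs.
if (-not ($text | Select-String -Pattern 'CA:FALSE' -Quiet)) {
    throw "leaf certificate is missing basicConstraints CA:FALSE"
}

# Check 3: the leaf chains to the root that step 4 imports into the
# Trusted Root Certification Authorities store.
openssl verify -CAfile rootSSL.pem client-1.local.crt
```

Because step 4 makes every program on the machine trust rootSSL.pem, keep rootSSL.key encrypted as step 2 does and issue certificates from it only for names you control, such as client-1.local.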

 

8. Nginx configuration

    server {
        listen 8080;
        server_name client-1.local;
        # New Lines below
        listen 443 ssl;
        ssl on;
        ssl_certificate d:/ssl/client-1.local.crt;
        ssl_certificate_key d:/ssl/client-1.local.key;
    }

Start/stop commands:

    C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe
    C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe -s stop

 

9. Configure the PyCharm run parameters and start PyCharm

runserver --host 127.0.0.1 --port 8080 --threaded

 

10. Nginx start-up errors

    PS C:\Users\jalchu\Nginx\nginx-1.15.8> .\nginx.exe
    nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in C:\Users\jalchu\Nginx\nginx-1.15.8/conf/nginx.conf:128
    nginx: [emerg] bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)

The first one: newer versions warn when SSL is configured this way; the "ssl on;" line can simply be removed, since "listen 443 ssl;" already enables it.

The second one: a local port conflict on 443. Find the owning process as follows (it can also be ended from Task Manager):

    C:\Users\jalchu>netstat -aon|findstr "443"
    TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 8716
    TCP 10.79.100.111:51627 66.163.36.181:443 ESTABLISHED 14904
    TCP 10.79.100.111:52294 103.116.4.197:443 CLOSE_WAIT 2384
    TCP 10.79.100.111:52313 103.116.4.197:443 CLOSE_WAIT 2384
    TCP 10.79.100.111:52956 13.59.223.131:443 ESTABLISHED 14904
    ... ...
    C:\Users\jalchu>tasklist | findstr 8716
    vmware-hostd.exe 8716 Services 0 5,516 K
    C:\Users\jalchu>tskill 8716

 

11. Restarted and opened the page: the company intranet blocked it, so all that work was for nothing :)

SECURITY THREAT DETECTED AND BLOCKED
