# Created by Dave on 1Feb.2025
原因:
手机浏览器不能解析 NAS 主机名,如果用 DNS 就要变得太复杂。改回用 IP 方式来打开 Navigator 主页上面这些在 docker 上面运行的 20来个 web apps 应该是最优解。
考虑到以后还会再生成证书,就写了这个脚本 script: certificate-generator.sh
功能:
- 自动检测 openssl 是否已安装:已安装则跳过,没有则自动安装。
- 有简单 UI :选择 IP, 域名
- 在证书内容输入时:提示也有默认值
- 在执行脚本目录下生成 2 个证书文件:
- server.key (private key) 私钥
- server.crt (certificate) 证书
- 自动删除配置文件 (如果需要保留,注释倒数第二行)
界面:
SCRIPT: certificate-generator.sh
#!/bin/bash
# Created by Dave on 1Feb.2025
# History
# Version 0.1 created batch script
# Version 0.2 used cat EOF
# Version 0.3 Added UI
# Version 0.4 Improved UI and validate functions for IP/Domain Name
# Version 0.5 Added OpenSSL check and installation
#
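## Check if OpenSSL is installed
# `command -v` only finds openssl when it is on PATH, so a copy installed
# outside PATH is treated as missing.
if ! command -v openssl &> /dev/null; then
  echo "OpenSSL is not installed. Installing now..."
  # Automatic installation only covers apt-based systems. On anything else
  # the re-check below fails and asks for a manual install.
  if command -v apt-get &> /dev/null; then
    sudo apt-get update
    sudo apt-get install -y openssl
  fi
  # Check if installation was successful
  if ! command -v openssl &> /dev/null; then
    echo "Failed to install OpenSSL. Please install it manually."
    exit 1
  fi
  echo "OpenSSL has been successfully installed."
fi

#######################################
# Check that a string is a dotted-quad IPv4 address.
# Arguments: $1 - candidate address
# Returns:   0 when the value is four decimal fields, each in 0..255;
#            1 otherwise
#######################################
validate_ip() {
  local ip=$1
  local octet
  local -r re='^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$'

  [[ $ip =~ $re ]] || return 1

  # The pattern alone would accept 999.999.999.999, so range-check each
  # field. 10# forces base 10 so a field such as "08" is not read as octal.
  for octet in "${BASH_REMATCH[@]:1}"; do
    (( 10#$octet <= 255 )) || return 1
  done
  return 0
}

#######################################
# Check that a string looks like a host name: dot-separated labels of
# letters, digits and hyphens, 1 to 63 characters each, that neither start
# nor end with a hyphen.
# Arguments: $1 - candidate name
# Returns:   0 when the value matches, 1 otherwise
#######################################
validate_domain() {
  local domain=$1
  local -r re='^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(\.[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$'

  [[ $domain =~ $re ]]
}

clear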
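# Interactive part: ask what the certificate is for, collect the subject
# fields, write openssl.cnf, then create server.key and server.crt in the
# current directory. Any existing files with those names are overwritten.
echo "=== SSL Certificate Generation Tool ==="
echo "Please select certificate type:"
echo "1) IP Address"
echo "2) Domain Name"
# read -r keeps any backslash the user types literal.
read -r -p "Enter your choice (1 or 2): " cert_type

# san_type is the subjectAltName entry prefix written to the config
# (IP.1 = ... or DNS.1 = ...).
case "$cert_type" in
  1)
    while true; do
      read -r -p "Enter IP address: " address
      if validate_ip "$address"; then
        break
      else
        echo "Invalid IP address format, please try again"
      fi
    done
    san_type="IP"
    ;;
  2)
    while true; do
      read -r -p "Enter domain name: " address
      if validate_domain "$address"; then
        break
      else
        echo "Invalid domain name format, please try again"
      fi
    done
    san_type="DNS"
    ;;
  *)
    echo "Invalid option"
    exit 1
    ;;
esac

read -r -p "Enter country code (e.g., CN): " country
read -r -p "Enter state/province (Beijing): " state
read -r -p "Enter city (Beijing): " city
read -r -p "Enter organization name (Freedom China): " org
read -r -p "Enter department name (Personal): " unit
read -r -p "Enter certificate validity (days 365): " days

# Empty answers fall back to the defaults shown in the prompts.
country=${country:-CN}
state=${state:-Beijing}
city=${city:-Beijing}
org=${org:-Freedom China}
unit=${unit:-Personal}
days=${days:-365}

# days ends up on the openssl command line, so accept a positive integer only.
if ! [[ $days =~ ^[1-9][0-9]*$ ]]; then
  echo "Invalid validity period: enter a positive whole number of days" >&2
  exit 1
fi

# The subject answers are written into the config verbatim. Characters that
# are special in OpenSSL config syntax (#, $, \, quotes) are not escaped here.
# extendedKeyUsage = serverAuth marks the certificate as a TLS server
# certificate; some clients (Apple platforms, for example) reject server
# certificates that lack it.
cat > openssl.cnf <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = ${country}
ST = ${state}
L = ${city}
O = ${org}
OU = ${unit}
CN = ${address}

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
${san_type}.1 = ${address}
EOF

# Every openssl step is checked: a failed step stops the script instead of
# reaching the "completed" message. openssl.cnf is left behind on failure so
# the input can be inspected.
echo "Generating private key..."
# Create the key under a restrictive umask, and chmod as well because an
# existing server.key keeps its old mode when it is overwritten. A service
# running as another user needs the key handed over deliberately.
if ! (umask 077 && openssl genrsa -out server.key 2048); then
  echo "Private key generation failed" >&2
  exit 1
fi
chmod 600 server.key

echo "Generating certificate signing request..."
if ! openssl req -new -key server.key -out server.csr -config openssl.cnf; then
  echo "Certificate signing request generation failed" >&2
  exit 1
fi

echo "Generating self-signed certificate..."
# -sha256 pins the signature digest; default_md in the config applies to
# `openssl req`, not to this command.
if ! openssl x509 -req -sha256 -days "$days" -in server.csr \
    -signkey server.key -out server.crt \
    -extensions v3_req -extfile openssl.cnf; then
  echo "Certificate generation failed" >&2
  exit 1
fi

echo "Verifying certificate..."
openssl x509 -in server.crt -text -noout

echo "
Certificate generation completed! Generated files:
- server.key (private key)
- server.crt (certificate)
- server.csr (certificate signing request)"
echo
# Comment out the next line to keep openssl.cnf and server.csr.
rm -f openssl.cnf server.csr 2>/dev/null && echo "Removed configuration and CSR files."
echo "END"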
注意事项:
这个脚本是通过 command -v openssl 的返回值来检测 openssl 是否已安装;如果 openssl 不在 PATH 里,也会被判定为未安装。
脚本使用 apt 来安装 openssl,在使用其他包管理器的系统上会报错,比如:CentOS/RHEL 用的是:“sudo yum install openssl” 。
运行脚本,要先给文件执行权: chmod +x certificate-generator.sh
脚本生成的是“自签名证书”,不适合面向互联网的公开服务:客户端不会自动信任它,需要把 server.crt 手动导入到设备的受信任证书里;server.key 是私钥,请妥善保管,不要外传。
server.csr 实际上是一个中间文件:正规的 CA 机构使用这个 CSR 文件生成正式的证书给你/你的组织。脚本结束前会把它删除。
99.99% 用自签名证书的人,都用不到 server.csr 这个文件。如果你是那 0.001%,可以把脚本中的倒数第二行注释掉。