Self-issued SSL certificates
Keep all SSL certificates in the ssl directory under the nginx configuration directory.
[root@Jumper ~]# cd /etc/nginx/
[root@Jumper nginx]# mkdir ssl
[root@Jumper nginx]# cd ssl/
Generate the CSR (certificate signing request)
[root@Jumper ssl]# openssl genrsa -out sk3-9-ucss1.key 2048
[root@Jumper ssl]# openssl req -new -key sk3-9-ucss1.key -out sk3-9-ucss1.csr
Issue the server certificate with the CA key
[root@Jumper ssl]# openssl ca -policy policy_anything -days 3650 -cert adca.crt -keyfile adca.key -in sk3-9-ucss1.csr -out sk3-9-ucss1.crt
Create /etc/pki/CA/index.txt
[root@Jumper ssl]# openssl ca -policy policy_anything -days 3650 -cert adca.crt -keyfile adca.key -in sk3-9-ucss1.csr -out sk3-9-ucss1.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140661571356560:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140661571356560:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
This file tracks the certificates the CA has already issued.
[root@Jumper ssl]# touch /etc/pki/CA/index.txt
Create the /etc/pki/CA/serial file
[root@Jumper ssl]# openssl ca -policy policy_anything -days 3650 -cert adca.crt -keyfile adca.key -in sk3-9-ucss1.csr -out sk3-9-ucss1.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139871168038800:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139871168038800:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
This file tracks the serial number of the last certificate issued.
[root@Jumper ssl]# echo "01" > /etc/pki/CA/serial
Finally, append the contents of the CA certificate after the issued SSL certificate. This is important! Without it, some browsers may not accept the certificate.
Disable SELinux
Check the current SELinux status
[root@Jumper ssl]# getenforce
Enforcing
Disable SELinux temporarily
[root@Jumper ssl]# setenforce 0
To disable SELinux permanently, change the configuration to the following
[root@Jumper ssl]# cat /etc/selinux/config | grep -v '^#' | grep -v '^$'
SELINUX=disabled
SELINUXTYPE=targeted
Configure the Nginx HTTPS reverse proxy
Create a new configuration file
[root@Jumper conf.d]# pwd
/etc/nginx/conf.d # change to this directory
[root@Jumper conf.d]# cat sk3-9-ucss1.conf # put the following in sk3-9-ucss1.conf
server {
    listen 443 ssl;
    server_name sk3-9-ucss1.wlinux.com.cn;              # domain name this server block handles
    ssl_certificate /etc/nginx/ssl/sk3-9-ucss1.crt;     # issued server certificate with the CA certificate appended
    ssl_certificate_key /etc/nginx/ssl/sk3-9-ucss1.key; # private key that matches the certificate (the CA key adca.key does not, and nginx -t would report a key mismatch)
    underscores_in_headers on;                          # this must be set
    location / {
        proxy_pass https://192.168.8.1:8447/;           # URL of the real backend server
    }
}
Reload the nginx configuration:
[root@Jumper ssl]# nginx -t # check the nginx configuration
[root@Jumper ssl]# nginx -s reload # hot-reload nginx
Appendix
Certificate issuance problems
1. Problem: TXT_DB error number 2
Solution: a certificate with the same name has already been issued. Either use a different Common Name, or edit index.txt.attr under the CA directory and change unique_subject = yes to unique_subject = no.
NET::ERR_CERT_COMMON_NAME_INVALID
The certificate was generated without the Subject Alternative Name field; current browsers require this field when validating a certificate.
[root@Jumper ssl]# cat sk3-9-ucss1.cnf
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = sk3-9-ucss1.wlinux.com.cn
DNS.2 = sk3-9-ucss1
IP.1 = 172.22.80.205
IP.2 = 192.168.8.1
Multiple domain names or IP addresses are simply listed one after another.
Re-issue the certificate:
[root@Jumper ssl]# openssl x509 -req -in sk3-9-ucss1.csr -CA adca.crt -CAkey adca.key -CAcreateserial -out sk3-9-ucss1.crt -days 3650 -sha256 -extfile sk3-9-ucss1.cnf
NET::ERR_CERT_DATE_INVALID
The validity period of a self-signed certificate must not exceed 39 months; 3 years is recommended.
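The whole workflow above (CSR, signing with a SAN extension file, appending the CA certificate, and the checks behind the key-mismatch, CN and date errors) as one added shell example that is not part of the original post; it assumes the openssl CLI is available, constructs its own throwaway CA and file names (ca.*, server.*, WORK), and reuses the hostname from the post.

```shell
#!/bin/sh
# Added example: build a throwaway CA, issue a SAN certificate the way the appendix does,
# append the CA certificate as the post requires, then run the checks the post's errors point at.
# ca.*, server.*, WORK and the SAN values are constructed for this demo; the openssl CLI is assumed.
set -e
WORK="${WORK:-$(mktemp -d)}"
HOST="sk3-9-ucss1.wlinux.com.cn"
make_demo_pki() {
  cd "$WORK"
  # throwaway CA, standing in for adca.key / adca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1095 \
    -subj "/CN=Demo Root CA" -keyout ca.key -out ca.crt >/dev/null 2>&1
  # server key and CSR (the "generate the CSR" step)
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout server.key -out server.csr >/dev/null 2>&1
  # extension file with the subjectAltName block that cures ERR_CERT_COMMON_NAME_INVALID
  cat > server.cnf <<EOF
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
IP.1 = 192.168.8.1
EOF
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out server.crt -days 1095 -sha256 -extfile server.cnf >/dev/null 2>&1
  # leaf first, then the CA: the chain file nginx should serve
  cat server.crt ca.crt > fullchain.crt
}
# 1. does the leaf certificate chain to the CA?
check_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
# 2. does the private key belong to the certificate? Run this before "nginx -t":
#    pairing the server certificate with the CA key fails with "key values mismatch".
check_keypair() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$c" = "$k" ]
}
# 3. is the hostname listed in subjectAltName (the CN alone is not enough)?
check_san() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name' | grep -q "DNS:$1"
}
# 4. will the certificate still be valid N days from now (otherwise ERR_CERT_DATE_INVALID)?
check_valid_for_days() {
  openssl x509 -in "$WORK/server.crt" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}
```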