自签发SSL证书

将ssl证书统一存放在nginx配置目录下的ssl目录

[root@Jumper ~]# cd /etc/nginx/
[root@Jumper nginx]# mkdir ssl
[root@Jumper nginx]# cd ssl/

生成CSR请求文件

[root@Jumper ssl]# openssl genrsa -out sk3-9-ucss1.key 2048
[root@Jumper ssl]# openssl req -new -key sk3-9-ucss1.key -out sk3-9-ucss1.csr

[外链图片转存失败,源站可能有防盗链机制,建议将图片保存下来直接上传(img-TyxJFSwk-1648530935744)(利用Nginx配置反向代理.assets/image-20220107133615362.png)]

使用CA的key为服务器签发证书

[root@Jumper ssl]# openssl ca -policy policy_anything -days 3650 -cert adca.crt -keyfile adca.key -in sk3-9-ucss1.csr -out sk3-9-ucss1.crt

创建/etc/pki/CA/index.txt

[root@Jumper ssl]# openssl ca -policy policy_anything -days 3650 -cert adca.crt -keyfile adca.key -in sk3-9-ucss1.csr -out sk3-9-ucss1.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140661571356560:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140661571356560:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

用来跟踪已颁发的证书

[root@Jumper ssl]# touch /etc/pki/CA/index.txt

创建/etc/pki/CA/serial文件

[root@Jumper ssl]# openssl ca -policy policy_anything -days 3650 -cert adca.crt -keyfile adca.key -in sk3-9-ucss1.csr -out sk3-9-ucss1.crt
Using configuration from /etc/pki/tls/openssl.cnf
/etc/pki/CA/serial: No such file or directory
error while loading serial number
139871168038800:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
139871168038800:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

用来跟踪最后一次颁发的证书的序列号

[root@Jumper ssl]# echo "01" > /etc/pki/CA/serial

最后把CA证书的内容粘贴到签发的SSL证书后面。这个比较重要！因为不这样做，可能会有某些浏览器不支持。

关闭SELinux

获取当前的SELinux状态

[root@Jumper ssl]# getenforce 
Enforcing

临时关闭SELinux

[root@Jumper ssl]# setenforce 0

永久关闭SELinux，修改为下面

[root@Jumper ssl]# cat /etc/selinux/config | grep -v '^#' | grep -v '^$'
SELINUX=disabled
SELINUXTYPE=targeted

配置Nginx的https的反向代理

新建配置文件

[root@Jumper conf.d]# pwd
/etc/nginx/conf.d    # 切换到该目录
[root@Jumper conf.d]# cat sk3-9-ucss1.conf  # 在sk3-9-ucss1.conf中配置如下内容
server {listen 443 ssl;server_name sk3-9-ucss1.wlinux.com.cn;   # 映射处理的域名ssl_certificate /etc/nginx/ssl/sk3-9-ucss1.crt;ssl_certificate_key /etc/nginx/ssl/adca.key;underscores_in_headers on;   # 必须设置该项location / {proxy_pass https://192.168.8.1:8447/;   # 指定后端真实服务器的访问链接}
}

重新加载nginx配置：

[root@Jumper ssl]# nginx -t            # 检查nginx的配置
[root@Jumper ssl]# nginx -s reload     # nginx实现热加载

附录

证书签发问题

1.问题：TXT_DB error number 2
解决：原因是已经生成了同名证书，将 common name 设置成不同，或修改 CA 下的 index.txt.attr，将 unique_subject = yes 改为 unique_subject = no

NET::ERR_CERT_COMMOM_NAME_INVALID

生成证书的时候没有加上备用名称字段，目前的浏览器校验证书都需要这个字段。

[root@Jumper ssl]# cat sk3-9-ucss1.cnf 
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = sk3-9-ucss1.wlinux.com.cn
DNS.2 = sk3-9-ucss1
IP.1 = 172.22.80.205
IP.2 = 192.168.8.1

多个域名或IP依次填写即可

重新签发证书：

[root@Jumper ssl]# openssl x509 -req -in sk3-9-ucss1.csr -CA adca.crt -CAkey adca.key -CAcreateserial -out sk3-9-ucss1.crt -days 3650 -sha256 -extfile sk3-9-ucss1.cnf

NET::ERR_CERT_DATE_INVALID

自签证书时间不得大于39个月，建议取3年为好。