ssl证书配置
1.环境准备
1.1一个空目录,作为证书制作空间,后续所有操作都在该目录下
mkdir new_ssl
chmod -R 777 new_ssl
cd new_ssl
1.2 新建配置文件
touch mySsl.conf
mySsl.conf配置如下
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = cn
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = sc
localityName = Locality Name (eg, city)
localityName_default = cd
organizationName = Organization Name (eg, company)
organizationName_default = my
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = as
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = 10.56.58.180
[ req_ext ]
subjectAltName = @alt_names
# 此段落标题的方括号两边【没有空格】,只有同时配有IP和域名,才能在IP和域名访问时都成功识别。
[alt_names]
IP.1 = 10.56.58.180
DNS.1 = 10.56.58.180
DNS.2 = 10.56.58.180
2.证书生成
2.1 生成密钥
openssl genrsa -out server.key 4096
2.2 生成证书请求文件
openssl req -new -sha256 -out server.csr -key server.key -config mySsl.conf
这里会要求输入一系列参数,可以选择不填直接回车。
2.3 检查证书文件申请内容
openssl req -text -noout -in server.csr
可以看到
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:10.56.58.180, DNS:10.56.58.180, DNS:10.56.58.180
2.4 利用证书请求文件生成证书server.crt文件,执行如下命令
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt -extensions req_ext -extfile mySsl.conf
### 本地生成文件如下
root@localhost new_ssl]# ls
mySsl.conf server.crt server.csr server.key
3.证书本地安装与nginx文件配置
1.1 将server.crt证书安装到受信任的颁发机构
- 将server.crt文件下载到本地
- 在本地双击server.crt文件-> 安装证书-> 下一步-> 勾选并选择存储路径-> 后面点击确定即可
### 1.2 nginx文件配置修改
server {
listen 18080 ssl;
server_name 10.56.58.180;
# 证书文件路径
ssl_certificate /etc/nginx/new_ssl/server.crt;
ssl_certificate_key /etc/nginx/new_ssl/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
1.3 nginx重启
# docker restart [nginx-name]
docker restart https-nginx
1.3 nginx重启
# docker restart [nginx-name]
docker restart https-nginx
注意: 浏览器测试时如果没有生效,可尝试重启浏览器来刷新证书配置