XAMPP 中跨 LAN 的 localhost 自签名证书

Posted

技术标签:

【中文标题】XAMPP 中跨 LAN 的 localhost 自签名证书【英文标题】:localhost self-signed certificate across LAN in XAMPP 【发布时间】:2019-08-27 07:43:31 【问题描述】:

我有带 ssl 的 localhost 并且在我的本地电脑上工作正常,但 ssl 不能跨 LAN 工作。因为我使用的是自签名证书,所以我必须在我将打开站点的每台 PC 上安装证书,但它只能在托管网站的 PC 上运行,而不能在 LAN 上的其他 PC 上运行。

我不想在线托管我的网站,因为我处于开发模式。

我的本地电脑:

主机文件:

127.0.0.1 gofashion_chat.test

httpd-xampp.conf

<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/gofashion"
    ServerName gofashion_chat.test
    ServerAlias *.gofashion_chat.test
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "C:/xampp/htdocs/gofashion"
    ServerName gofashion_chat.test
    ServerAlias *.gofashion_chat.test
    SSLEngine on
    SSLCertificateFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.crt"
    SSLCertificateKeyFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.key"
</VirtualHost>

浏览器中的证书:

局域网上的电脑:

主机文件:

192.168.10.7 gofashion_chat.test

局域网PC浏览器中的证书:

在两台PC上都安装了server.crt

如何解决跨局域网的 ssl 问题?

编辑:

这是我用来生成证书的bat文件

@echo off

set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "

SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%

SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%

(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo req_extensions      = v3_req
echo x509_extensions     = x509_ext
echo distinguished_name  = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %FULL_DOMAIN%
echo:
echo [v3_req]
echo subjectAltName         = @alt_names
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints       = critical, CA:TRUE, pathlen:1
echo keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [x509_ext]
echo subjectAltName         = @alt_names
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints       = critical, CA:TRUE, pathlen:1
echo keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [alt_names]
echo DNS.1 = *.%FULL_DOMAIN%
echo DNS.2 = %FULL_DOMAIN%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf

C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf

echo.
echo -----
echo The certificate was provided.
echo.
pause

这是我用来生成证书的另一个。

@echo off

set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "

SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%

SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%

(
echo [ req ]
echo default_bits        = 2048
echo default_keyfile     = server-key.pem
echo distinguished_name  = subject
echo req_extensions      = req_ext
echo x509_extensions     = x509_ext
echo string_mask         = utf8only
echo:
echo [ subject ]
echo countryName                 = Country Name ^(2 letter code^)
echo countryName_default         = %COUNTRY%
echo stateOrProvinceName         = State or Province Name ^(full name^)
echo stateOrProvinceName_default = %STATE%
echo localityName                = Locality Name ^(eg, city^)
echo localityName_default        = %CITY%
echo organizationName            = Organization Name ^(eg, company^)
echo organizationName_default    = %ORGANIZATION%
echo commonName                  = Common Name ^(e.g. server FQDN or YOUR name^)
echo commonName_default          = %HOSTNAME%.%DOT%
echo emailAddress                = Email Address
echo emailAddress_default        = %EMAIL%
echo:
echo [ x509_ext ]
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid,issuer
echo basicConstraints       = CA:FALSE
echo keyUsage               = digitalSignature, keyEncipherment
echo subjectAltName         = @alternate_names
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [ req_ext ]
echo subjectKeyIdentifier = hash
echo basicConstraints     = CA:FALSE
echo keyUsage             = digitalSignature, keyEncipherment
echo subjectAltName       = @alternate_names
echo nsComment            = "OpenSSL Generated Certificate"
echo:
echo [ alternate_names ]
echo:
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf

C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf

echo.
echo -----
echo The certificate was provided.
echo.
pause

【问题讨论】:

【参考方案1】:

您的屏幕截图显示,使用的证书是允许的

所有发行政策 所有应用程序策略

但您想将其用作 Web 服务器证书,因此该证书需要以下用途:

确保远程计算机的身份

我假设它在您的计算机上工作,因为网络浏览器识别出服务器正在本地网络接口上运行 - 因此它不是“远程计算机”,因此它在证书中不允许此目的的情况下工作。

【讨论】:

我对这些细节一无所知。我是第一次。你能提供一个解决方案吗?我应该怎么做才能从 LAN 上的 PC 中消除此错误? @Faizan 证书签署后,其数据将无法更改。因此,您必须生成并签署新证书 - 参见例如这里***.com/a/10176685/150978 但是您如何使用“确保远程计算机的身份”自签名证书? openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 不会在证书中添加“确保远程计算机的身份” @Faizan 看起来你必须通过配置文件配置keyUsage:superuser.com/questions/738612/openssl-ca-keyusage-extension 我已经在上面添加了我的 bat 文件代码。看看这个。我已经使用了你描述的配置,但仍然无法从局域网或远程计算机获取证书来访问 ssl【参考方案2】:

这可能会晚,但值得一试^_^

不要使用 gofashion_chat.test 指定您的本地主机,只需使用 computername.domain。这将节省您编辑要访问网站的每台计算机的主机的时间。

在 apache 中创建一个文件夹。文件夹名称:crt

创建一个名为 cert-template.conf 的文件,并将其保存在 crt 文件夹中。下面是 cert-template.conf 的命令。

[ req ]

default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

[ subject ]

countryName                 = Country Name (2 letter code)
countryName_default         = TE

stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = TEST

localityName                = Locality Name (eg, city)
localityName_default        = TEST

organizationName            = Organization Name (eg, company)
organizationName_default    = TEST

commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = computername.domain

emailAddress                = Email Address
emailAddress_default        = test@example.com

[ x509_ext ]

subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer

basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
subjectAltName         = @alternate_names
nsComment              = "OpenSSL Generated Certificate"

[ req_ext ]

subjectKeyIdentifier = hash

basicConstraints     = CA:FALSE
keyUsage             = digitalSignature, keyEncipherment
subjectAltName       = @alternate_names
nsComment            = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = computername.domain

还要创建此文件:make-cert.bat 并将其保存在 crt 文件夹中。下面是make-cert.bat的命令。

@echo off
set /p domain="Domain Name: "
set OPENSSL_CONF=../conf/openssl.cnf

REM
REM Read the "cert-template.conf" file and replace all DOMAIN placeholders by the entered domain.
REM Write the result into a new file called "cert.conf".
REM
REM @see https://***.com/questions/5273937/how-to-replace-substrings-in-windows-batch-file#20227248
REM
setlocal enabledelayedexpansion
set INTEXTFILE=cert-template.conf
set OUTTEXTFILE=cert.conf
set SEARCHTEXT=DOMAIN
set REPLACETEXT=%domain%

if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
for /f "tokens=1,* delims=¶" %%A in ( '"findstr /n ^^ %INTEXTFILE%"') do (
   SET string=%%A
   for /f "delims=: tokens=1,*" %%a in ("!string!") do set "string=%%b"
   if  "!string!" == "" (
       echo.>>%OUTTEXTFILE%
   ) else (
      SET modified=!string:%SEARCHTEXT%=%REPLACETEXT%!
      echo !modified! >> %OUTTEXTFILE%
  )
)


REM
REM Create the target directory.
REM
if not exist .\%domain% mkdir .\%domain%


REM
REM Create the certificate and key files.
REM
..\bin\openssl req -config %OUTTEXTFILE% -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt


REM
REM Delete the written file "cert.conf" as this file would only be used to create the certificate.
REM
if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%


echo.
echo -----
echo The certificate was provided.
echo.
pause

运行 make-cert.bat,将显示命令提示符并要求您输入域名。您的域名是您的计算机名.域。之后,您需要回答一些问题,最重要的问题是通用名称。通用名称 = Computername.domain。

安装您在 crt/computername.domain/server.crt 中创建的证书。安装证书>本地机器>将所有证书放在以下存储中>浏览>受信任的根证书颁发机构>下一步>完成。

将此脚本插入到 httpd-xampp.conf 的底部

 <VirtualHost computername.domain:8080>
     DocumentRoot "C:/xampp/htdocs"
 </VirtualHost>

 <VirtualHost computername.domain:4433>
     DocumentRoot "C:/xampp/htdocs"
     SSLEngine on
     SSLCertificateFile "crt/computername.domain/server.crt"
     SSLCertificateKeyFile "crt/computername.domain/server.key"
 </VirtualHost>

重新启动 XAMPP 并尝试使用 https://computername.domain:4433 访问您的本地主机。

就是这样。我希望你能完成所有步骤。

【讨论】:

以上是关于XAMPP 中跨 LAN 的 localhost 自签名证书的主要内容,如果未能解决你的问题,请参考以下文章

XAMPP + WAMP 周末很慢?

在 LAN 上运行 codeigniter 应用程序

如何在 xampp 下使用 apache dns 服务器而不是 LAN 网络中的 ip 地址访问我的本地网站?

XAMPP wordpress LAN,重定向到本地主机

XAMPP Apache 站点根相关链接在本地工作,通过 LAN 上的远程计算机访问开发站点时失败

通过 LAN 查看本地主机站点 [关闭]