在LNMP环境下安装测试HTTPS及其问题

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了在LNMP环境下安装测试HTTPS及其问题相关的知识,希望对你有一定的参考价值。

由于现在HTTPS网站已经成为主流,所以今天在我的LNMP环境下测试了一下自建的SSL证书的使用。由于是自己建的CA以及密钥,所以一般的浏览器是不会认为安全,想要让主流浏览器认为安全,还是要花钱到认证机构去申请证书。

以下是我的配置步骤以及碰到的一个问题。

HTTPS简介

https就是在http的基础上使用了ssl加密验证,使网络传输更安全。

1.LNMP环境

[[email protected] sslkey]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) 

TLS SNI support enabled

configure arguments: --user=nginx --group=nginx --prefix=/application/nginx1.6.3 --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module

注:由于需要配置https,所以nginx在编译的时候需要加上--with-http_stub_status_module --with-http_ssl_module这两个参数。

--with-http_stub_status_module  启用nginx的NginxStatus 功能,用来监控nginx的当前状态

--with-http_ssl_module  使nginx支持ssl模块

2.安装openssl

openssl是一个可以为我们创建证书和密钥的工具。

[[email protected] ~]# yum install -y openssl openssl-devel

3.生成密钥server.key

#创建一个存放证书和密钥的文件夹sslkey

[[email protected] ~]# mkdir /application/nginx/sslkey

[[email protected] ~]# cd /application/nginx/sslkey/ 

#生成一个供服务器使用的密钥  

[[email protected] nginx]# openssl genrsa -out server.key 

Generating RSA private key, 1024 bit long modulus

.................................++++++

.........................++++++

e is 65537 (0x10001)

[[email protected] sslkey]# ll server.key 

-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key

4.申请一个证书server.crt

#生成证书请求文件server.scr

[[email protected] sslkey]# openssl req -new -key server.key -out server.scr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn #国家

State or Province Name (full name) []:sh #省市

Locality Name (eg, city) [Default City]:sh #城市

Organization Name (eg, company) [Default Company Ltd]:sh #组织名称

Organizational Unit Name (eg, section) []:sh #部门名称

Common Name (eg, your name or your server‘s hostname) []:ssl.etiantian.org #域名

Email Address []:[email protected] #邮箱


Please enter the following ‘extra‘ attributes

to be sent with your certificate request

A challenge password []:111111 #密码

An optional company name []:111111 #可选

#生成证书文件server.crt

#[[email protected] sslkey]# openssl rsa -in server.key -out server.nopass.key

#writing RSA key

[[email protected] sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=cn/ST=sh/L=sh/O=sh/OU=sh/CN=ssl.etiantian.org/[email protected]

Getting Private key

#查看证书文件

[[email protected] sslkey]# ll  

total 16

-rw-r--r--. 1 root root 912 Dec 17 11:38 server.crt #证书

-rw-r--r--. 1 root root 745 Dec 17 11:13 server.csr

-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key #密钥

-rw-r--r--. 1 root root 887 Dec 17 11:35 server.nopass.key

5.配置nginx的主配置文件nginx.conf

#配置一个虚拟主机使用https

    server{

       listen 443;

       server_name ssl.etiantian.org;

       ssl on;

       ssl_certificate /application/nginx1.6.3/sslkey/server.crt;

       ssl_certificate_key /application/nginx1.6.3/sslkey/server.key;

       ssl_session_timeout 5m;

       ssl_protocols SSLv3 TLSv1;

       ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;

       ssl_prefer_server_ciphers on;

       location / {

                root html/ssl;

                index index.html index.htm;

       }

    }

6.重启nginx

[[email protected] sslkey]# /application/nginx/sbin/nginx -t

nginx: the configuration file /application/nginx1.6.3/conf/nginx.conf syntax is ok

nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test is successful

[[email protected] sslkey]# /application/nginx/sbin/nginx -s reload

7.配置hosts文件

192.168.137.220    ssl.etiantian.org

8.测试

#在浏览器中输入https://ssl.etiantian.org

技术分享

9.碰到的问题

配置好后,检查nginx语法的时候报错。

[[email protected] sslkey]# /application/nginx/sbin/nginx -t

nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx/sslkey/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test failed

经过在网络搜索,但是没有解决我的问题。后来参考了一篇博客才解决了。

参考博文:http://blog.sina.com.cn/s/blog_4f925fc30102eucg.html

解决问题:

由于之前生成证书的时候,步骤错误导致的:

[[email protected] sslkey]# openssl req -new -keyserver.key -out server.crt

正确步骤是:

[[email protected] sslkey]# openssl req -new -keyserver.key -out server.csr

[[email protected] sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

本文出自 “风中追风” 博客,请务必保留此出处http://2660453.blog.51cto.com/2650453/1895583

以上是关于在LNMP环境下安装测试HTTPS及其问题的主要内容,如果未能解决你的问题,请参考以下文章

lnmp1.6 搭建laravel / laravel-admin 过程遇到的问题

LNMP环境下Zabbix3.4安装和配置

lnmp搭建测试

如何彻底卸载安装在lnmp环境下的ssl证书?

LNMP环境搭建之编译安装指南(php-5.3.27.tar.gz)

部署LNMP环境