HTTPS (1): Self-signed HTTPS

1. Prepare a blank CentOS

Check the system version

$ su

# cat /etc/redhat-release

CentOS Linux release 7.4.1708 (Core) 

2. Install the RoR environment

Refer to 《CentOS 7 快速安装RoR环境》 (CentOS 7: quick RoR environment setup)

Result of the installation:

$ ruby -v
ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]

$ rails -v

Rails 5.1.5

3. Install Nginx and Passenger

Refer to 《Passenger + Nginx 部署Rails》 (Deploying Rails with Passenger + Nginx)

4. Create a RoR project

rails new test_https

Create a controller to test GET and POST

cd test_https/

rails g controller test_params

Edit ./config/routes.rb

Rails.application.routes.draw do
  # For details on the DSL available within this file, see http://guides.rubyonrails.org/routing.html
  get  'test_params/do_get_test'
  post 'test_params/do_post_test'
end

Edit ./app/controllers/test_params_controller.rb

class TestParamsController < ApplicationController
  # Disables the CSRF token check for this test controller so the POST can be
  # replayed from the browser's network tool without a form token.
  skip_before_action :verify_authenticity_token

  # GET /test_params/do_get_test?key=... reads the query-string parameters.
  # .to_s keeps the string concatenation from raising when "key" is absent.
  def do_get_test
    render :json => "hello this is get_test-->" + request.GET["key"].to_s
  end

  # POST /test_params/do_post_test with a JSON body {"key": "..."} reads the body parameters.
  def do_post_test
    render :json => "hello this is post_test-->" + request.POST["key"].to_s
  end
end

Deploy in development mode

rails s -b 0.0.0.0 -p 3333

GET test

POST test (using Firefox)

Press F12 and open the "Network" tab

Refresh the page, click the GET request that just completed, and click "Edit and Resend"

Change: 1. the request method to POST; 2. the request path; 3. add the header Content-Type: "application/json;charset=UTF-8"; 4. add the request parameters; 5. click Resend

Check the result

5. Deploy the RoR project with Passenger + Nginx

Refer to 《Passenger + Nginx 部署Rails》 (Deploying Rails with Passenger + Nginx)

6. Create your own CA

6.1 Create the CA's encrypted private key

openssl genrsa -des3 -out ca.key 2048 # create a 2048-bit RSA private key, encrypt it with des3 (you are prompted for a passphrase), and write it to ca.key

6.2 Generate the CA certificate from the private key

openssl req -new -x509 -days 365 -key ca.key -out ca.crt # generate the corresponding self-signed certificate from the private key in ca.key. Certificate = public key + validity period + additional information. -x509 means output a certificate rather than a request; -days 365 is the validity period

7. Issue a certificate for the website with your own CA

7.1 Create the server's encrypted private key

openssl genrsa -des3 -out com.thinking.test.pem 2048

7.2 Decrypt the encrypted private key into an unencrypted private key; this unencrypted key is the one the server uses to decrypt data (nginx loads it at startup, so it must not require a passphrase)

openssl rsa -in com.thinking.test.pem -out com.thinking.test.key

7.3 Create the server certificate signing request (CSR) with the server's private key

openssl req -new -key com.thinking.test.pem -out com.thinking.test.csr

7.4 Sign the server certificate request from 7.3 (which carries the server's public key) with the CA's private key. The signed certificate is what the client will download and use as the public key for encrypting the data it sends.

openssl ca -policy policy_anything -days 365 -cert ca.crt -keyfile ca.key -in com.thinking.test.csr -out com.thinking.test.crt

* The CA certificate (ca.crt) is supplied to tell the verifier (the client) who issued this certificate (com.thinking.test.crt). The verifier takes the signed certificate (com.thinking.test.crt) and looks the issuer up in its own list of public keys (the pre-installed certificate list); if the issuer's public key is found there, the CA is trusted, otherwise it is not. Even when it is not trusted, the verifier can still use the attached CA public key to check the signature on the server certificate (com.thinking.test.crt, i.e. the server's public key) and so complete communication with the untrusted server; most browsers will just raise a warning at that point.

Error:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: Permission denied

Fix:

Run the command with sudo

sudo openssl ca -policy policy_anything -days 365 -cert ca.crt -keyfile ca.key -in com.thinking.test.csr -out com.thinking.test.crt

Error:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
140396375230368:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
140396375230368:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

Fix:

Run sudo touch /etc/pki/CA/index.txt

Error:

Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
140459065653152:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/serial','r')
140459065653152:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

Fix:

Run, as root (sudo alone does not help here, because it is the shell redirect that needs root): # echo 01 > /etc/pki/CA/serial

Once that is done, configure nginx

    server {
        listen       4444 ssl;
        server_name  127.0.0.1;
        root         /home/thinking/Desktop/test-proj/test_https/public;
        passenger_enabled on;
        rails_env production;

        ssl_certificate      /home/thinking/Desktop/test-proj/https/com.thinking.test.crt;
        ssl_certificate_key  /home/thinking/Desktop/test-proj/https/com.thinking.test.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
    }

The complete nginx.conf

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    passenger_root /home/thinking/.rvm/gems/ruby-2.4.1/gems/passenger-5.2.1;
    passenger_ruby /home/thinking/.rvm/gems/ruby-2.4.1/wrappers/ruby;

    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       3333;
        server_name  127.0.0.1;
        root         /home/thinking/Desktop/test-proj/test_https/public;
        passenger_enabled on;
        rails_env production; 
    }

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    server {
        listen       4444 ssl;
        server_name  127.0.0.1;
        root         /home/thinking/Desktop/test-proj/test_https/public;
        passenger_enabled on;
        rails_env production;

        ssl_certificate      /home/thinking/Desktop/test-proj/https/com.thinking.test.crt;
        ssl_certificate_key  /home/thinking/Desktop/test-proj/https/com.thinking.test.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
    }

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

}

Restart nginx to apply the change

8. Test GET/POST

Opening it in Firefox shows the following warning

Add a trust exception

Click Advanced --> Add Exception --> Confirm Security Exception, then open it again:

Test from Chrome on another Windows host

This shows that SSL encryption is working; it is only the connection that is not trusted.

Look at the certificate details ("View certificate"): the CA is not trusted either

9. Make the connection trusted on Windows

This is actually two steps:

1. Make the CA trusted

2. Have the CA vouch for the site

9.1 Install the CA certificate on Windows to make the CA trusted

Copy the CA certificate ca.crt generated in 6.2 to the Windows machine and double-click it to install. Note: it must be installed into the "Trusted Root Certification Authorities" store.

(To remove it later, search for "certificates" in Control Panel to find the certificate manager and delete it there)

After that, check the certificate details again via "View certificate"

9.2 Make the site trusted

The certificate was issued to yong, not to 192.168.0.64, so a hosts entry is needed

Run notepad++ as administrator and open C:\Windows\System32\drivers\etc\hosts

Add the line: 192.168.0.64 yong

Then retry

Perfect!
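The whole chain from sections 6, 7 and 9, as an added example that is not part of the original post: it uses Ruby's OpenSSL bindings (the project's own language, and the same library behind the openssl commands above) instead of the CLI, so none of the /etc/pki/CA state files are needed. It builds a self-signed CA, a server key and CSR, signs the CSR with the CA, and then checks the result the way a browser does: against a trust store without the CA (the untrusted-connection warning of section 8), with the CA installed (9.1), and finally whether the name the client used matches the certificate (the reason for the hosts entry in 9.2). The subject names are constructed; "yong" and 192.168.0.64 are the host name and address used in the post. It goes one step beyond the post by adding a subjectAltName extension, because current browsers match host names against the SAN rather than the CN.

```ruby
require "openssl"
require "ipaddr"

# Added example, not code from the original post. It mirrors sections 6, 7 and 9 with
# Ruby's OpenSSL bindings. Subject names are constructed; "yong" and 192.168.0.64 are
# the host name and LAN address used in the post.
CA_SUBJECT     = "/C=CN/O=Thinking Test CA/CN=Thinking Test Root CA"
SERVER_SUBJECT = "/C=CN/O=Thinking Test/CN=yong"
SERVER_SANS    = "DNS:yong,IP:192.168.0.64"  # what browsers actually match against
DIGEST         = "SHA256"

# 6.1 + 6.2: CA key and self-signed CA certificate (the equivalent of ca.key / ca.crt).
def make_ca(days: 365)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse(CA_SUBJECT)
  cert.issuer     = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# 7.1 to 7.3: server key and certificate signing request (com.thinking.test.key / .csr).
def make_csr
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.version    = 0
  csr.subject    = OpenSSL::X509::Name.parse(SERVER_SUBJECT)
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))   # proves the requester holds the private key
  [key, csr]
end

# 7.4: the CA signs the request (the equivalent of `openssl ca ... -out com.thinking.test.crt`).
def sign_csr(csr, ca_key, ca_cert, serial:, days: 365, sans: SERVER_SANS)
  raise "CSR signature does not verify" unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial                  # must be unique per CA (the CA's `serial` file)
  cert.subject    = csr.subject
  cert.issuer     = ca_cert.subject         # this is how a client knows who issued it
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
  cert.add_extension(ef.create_extension("subjectAltName", sans))
  cert.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
  cert
end

# 8 / 9.1: chain check against a trust store. With no CA installed this is the browser's
# "untrusted connection" warning; after installing ca.crt as a root it passes.
def chain_trusted?(server_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  store.verify(server_cert)
end

# 9.2: does the name the client connected to match the certificate (SAN, else CN)?
def name_matches?(server_cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(server_cert, hostname)
end

if __FILE__ == $PROGRAM_NAME
  ca_key, ca_cert = make_ca
  _srv_key, csr   = make_csr
  srv_cert        = sign_csr(csr, ca_key, ca_cert, serial: 2)
  puts "trusted with no CA installed:  #{chain_trusted?(srv_cert, [])}"          # false
  puts "trusted with ca.crt installed: #{chain_trusted?(srv_cert, [ca_cert])}"   # true
  puts "name 'yong' matches:           #{name_matches?(srv_cert, 'yong')}"       # true
  puts "name 'other.host' matches:     #{name_matches?(srv_cert, 'other.host')}" # false
end
```

Run it with ruby and the four lines print false, true, true, false: the chain only verifies once the CA is in the store, and the name check passes for yong (and for 192.168.0.64, because of the IP SAN) but not for any other name. To produce files nginx can use, write ca_cert.to_pem, the server key's to_pem and srv_cert.to_pem to the paths given in the ssl_certificate and ssl_certificate_key directives above; the key written this way is already unencrypted, which is what step 7.2 achieves with openssl rsa.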
