Nginx配置HTTPS证书网站

前提:

    1、主机需要先安装openssl

    2、编译安装nginx时,要加上--with-http_ssl_module  这个ssl模块

现在开始配置:(我当时配置时,主机已安装了openssl,但编译时没有加载http_ssl_module模块,所以后面会报错,这里详解说明下)

1、生成自签字证书

 1 [root@localhost /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
 2 Generating a 2048 bit RSA private key
 3 .............................+++
 4 .......................................................................................................................+++
 5 writing new private key to '/root/ca.key'
 6 Enter PEM pass phrase:           #输入密钥保护密码
 7 Verifying - Enter PEM pass phrase:       #确认密钥保护密码
 8 -----
 9 You are about to be asked to enter information that will be incorporated
10 into your certificate request.
11 What you are about to enter is what is called a Distinguished Name or a DN.
12 There are quite a few fields but you can leave some blank
13 For some fields there will be a default value,
14 If you enter '.', the field will be left blank.
15 -----
16 Country Name (2 letter code) [XX]:CN
17 State or Province Name (full name) []:xian
18 Locality Name (eg, city) [Default City]:xian
19 Organization Name (eg, company) [Default Company Ltd]:learn
20 Organizational Unit Name (eg, section) []:it
21 Common Name (eg, your name or your server's hostname) []:learner
22 Email Address []:ying@126.com

回车结束

2、修改配置文件openssl.cnf (注意:修改前,先备份下)

[root@localhost /]# vi /etc/pki/tls/openssl.cnf

####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept #证书的根目录,要记住这个目录
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate  # 修改这里,表示签名时使用的证书 
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

3、复制证书到证书根目录/etc/pki/CA下,并在该目录下创建空文件index.txt和serial,并向serial输入”01“

1 [root@localhost ~]# cd /etc/pki/CA/
2 [root@localhost CA]# cp /root/ca.crt .
3 [root@localhost CA]# ls
4 ca.crt  certs  crl  newcerts  private
5 [root@localhost CA]# touch index.txt
6 [root@localhost CA]# touch serial
7 [root@localhost CA]# echo "01" >serial

4、生成服务器RSA私钥/root/server.key

1 [root@localhost ~]# openssl genrsa -des3 -out /root/server.key 1024
2 Generating RSA private key, 1024 bit long modulus
3 .............++++++
4 .++++++
5 e is 65537 (0x10001)
6 Enter pass phrase for /root/server.key: #设置此密钥的保护密码
7 Verifying - Enter pass phrase for /root/server.key: #确认设置此密钥的保护密码

5、为私钥去除口令---公钥

1 [root@localhost ~]# openssl rsa -in /root/server.key -out /root/server_nopwd.key
2 Enter pass phrase for /root/server.key: #输入第4步生成的密钥的保护密码 
3 writing RSA key

6、生成证书请求文件/root/server.csr

 1 [root@localhost ~]# openssl req -new -key /root/server.key -out /root/server.csr
 2 Enter pass phrase for /root/server.key:  #输入第4步生成的密钥的保护密码 
 3 You are about to be asked to enter information that will be incorporated
 4 into your certificate request.
 5 What you are about to enter is what is called a Distinguished Name or a DN.
 6 There are quite a few fields but you can leave some blank
 7 For some fields there will be a default value,
 8 If you enter '.', the field will be left blank.
 9 --------下面这部分应该和创建私有证书时填的一样------------------------ 
10 Country Name (2 letter code) [XX]:CN
11 State or Province Name (full name) []:xian
12 Locality Name (eg, city) [Default City]:xian
13 Organization Name (eg, company) [Default Company Ltd]:learn
14 Organizational Unit Name (eg, section) []:it
15 Common Name (eg, your name or your server's hostname) []:learner
16 Email Address []:ying@126.com
17 ---------------------------------------------------------------- 
18 Please enter the following 'extra' attributes
19 to be sent with your certificate request
20 A challenge password []:111111
21 An optional company name []:learn

7、用私有证书给证书请求文件/root/server.csr签名

 1 [root@localhost ~]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
 2 Using configuration from /etc/pki/tls/openssl.cnf
 3 Enter pass phrase for /root/ca.key: #输入第1步生成的密钥的保护密码
 4 Check that the request matches the signature
 5 Signature ok
 6 Certificate Details:
 7         Serial Number: 1 (0x1)
 8         Validity
 9             Not Before: Nov 17 07:47:05 2016 GMT
10             Not After : Nov 17 07:47:05 2017 GMT
11         Subject:
12             countryName               = CN
13             stateOrProvinceName       = xian
14             organizationName          = learn
15             organizationalUnitName    = it
16             commonName                = learner
17             emailAddress              = ying@126.com
18         X509v3 extensions:
19             X509v3 Basic Constraints:
20                 CA:FALSE
21             Netscape Comment:
22                 OpenSSL Generated Certificate
23             X509v3 Subject Key Identifier:
24                 8A:70:77:B0:32:42:49:AF:85:AD:79:C3:36:1F:43:A5:C5:01:15:E2
25             X509v3 Authority Key Identifier:
26                 keyid:83:10:7A:45:18:47:D2:27:F8:A0:81:C8:FE:A8:53:9A:1E:BC:D3:77
27 
28 Certificate is to be certified until Nov 17 07:47:05 2017 GMT (365 days)
29 Sign the certificate? [y/n]:y
30 
31 
32 1 out of 1 certificate requests certified, commit? [y/n]y
33 Write out database with 1 new entries
34 Data Base Updated

8、编辑nginx配置文件/usr/local/nginx/conf/nginx.conf

 1 server {
 2          listen       8001 ssl;
 3          server_name  x.x.x.x:8001; 
 4 
 5          ssl    on;
 6          ssl_certificate /root/server.crt;
 7          ssl_certificate_key /root/server_nopwd.key;
 8 
 9          location / {
10              root   /var/www/html;
11              index  index.html index.htm;
12          }
13     }

9. 重启服务

1 [root@localhost sbin]# ./nginx -s reload

~~~~完成,在客户端上输入https://x.x.x.x:8001/即可访问成功。

当时由于安装nginx时,未编译http_ssl_module模块,导致nginx重启失败------提示:nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/ng.........

所以需要重新编译nginx来添加需要的模块。

 

Nginx重新编译添加模块

1. 找到安装nginx的源码根目录(即安装包存放目录),如果没有的话下载新的源码并解压

1 [root@localhost /]# cd software
2 [root@localhost software]# ls
3 nginx-1.10.2  nginx-1.10.2.tar.gz

 

2. 查看nginx版本极其编译参数

/usr/local/nginx/sbin/nginx -V

 

3. 进入nginx源码目录

1 [root@localhost software]# cd nginx-1.10.2

 

4.重新编译的代码和模块

[root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

 

5.  make下 (注意:千万别make install,否则就覆盖安装了),make完之后在/software/nginx-1.10.2/objs目录下就多了个nginx,这个就是新版本的程序了

6. 备份旧的nginx程序

1 [root@localhost ~]# cd /usr/local/nginx/sbin/
2 [root@localhost sbin]# ls
3 nginx
4 [root@localhost sbin]# cp nginx nginx_back_by_zhang20161117
5 [root@localhost sbin]# ls
6 nginx  nginx_back_by_zhang20161117

7. 删除旧的nginx程序,并把新的nginx程序复制到/usr/local/nginx/sbin/下

1 [root@localhost sbin]# rm nginx
2 rm:是否删除普通文件 "nginx"?y
3 [root@localhost sbin]# cp /software/nginx-1.10.2/objs/nginx /usr/local/nginx/sbin/

8. 测试新的nginx程序是否正确

1 [root@localhost sbin]# /usr/local/nginx/sbin/nginx -t
2 nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
3 nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

9. 平滑启动服务 (非必须)

1 [root@localhost sbin]# /usr/local/nginx/sbin/nginx -s reload

10. 查看模块是否已安装 (非必须)

1 [root@localhost sbin]# /usr/local/nginx/sbin/nginx -V
2 nginx version: nginx/1.10.2
3 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
4 built with OpenSSL 1.0.1e-fips 11 Feb 2013
5 TLS SNI support enabled
6 configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

11. 重启 

1 [root@localhost sbin]# ./nginx -s quit
2 [root@localhost sbin]# ./nginx

nginx重新加载模块完成!

 

apache配置https 参考: http://ask.apelearn.com/question/1029

 

转载于:https://www.cnblogs.com/eaglezb/p/6074811.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值