Since HTTPS sites are now the norm, today I tested using a self-signed SSL certificate in my LNMP environment. Because the certificate is signed with my own key rather than issued by a CA that browsers already trust, ordinary browsers will not treat the site as secure; to have mainstream browsers trust it you still have to pay a certification authority for a certificate.

Below are my configuration steps and one problem I ran into.

HTTPS overview

HTTPS is HTTP carried over TLS (historically SSL). The TLS layer encrypts the traffic, detects tampering, and lets the server prove its identity to the client with a certificate, which is what makes the transfer safer than plain HTTP.

1. LNMP environment

[root@lnmp sslkey]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) 

TLS SNI support enabled

configure arguments: --user=nginx --group=nginx --prefix=/application/nginx1.6.3 --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module

Note: to serve HTTPS, nginx must have been compiled with --with-http_ssl_module; the build above also includes --with-http_stub_status_module, which is unrelated to TLS but useful for monitoring.

--with-http_stub_status_module  enables the NginxStatus page, used to monitor the current state of nginx (optional)

--with-http_ssl_module  builds the ssl module into nginx (required for HTTPS)

2. Install openssl

openssl is the tool we use to create the key and certificate; openssl-devel provides the headers and libraries needed to compile nginx with the ssl module.

[root@lnmp ~]# yum install -y openssl openssl-devel

3. Generate the private key server.key

#Create a directory sslkey to hold the certificate and key

[root@lnmp ~]# mkdir /application/nginx/sslkey

[root@lnmp ~]# cd /application/nginx/sslkey/ 

#Generate a private key for the server to use
#No key size is given, so this OpenSSL version falls back to 1024 bits (see the output below). Pass the size explicitly, e.g. openssl genrsa -out server.key 2048, since 1024-bit RSA keys are rejected by current browsers.

[root@lnmp nginx]# openssl genrsa -out server.key 

Generating RSA private key, 1024 bit long modulus

.................................++++++

.........................++++++

e is 65537 (0x10001)

[root@lnmp sslkey]# ll server.key 

-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key
#The key is created world-readable (644). Anyone who can read it can impersonate the server, so restrict it: chmod 600 server.key

4. Issue a certificate server.crt

#Generate the certificate signing request server.csr (the file must end in .csr, it is read back by the x509 command below)

[root@lnmp sslkey]# openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:cn #country

State or Province Name (full name) []:sh #state or province

Locality Name (eg, city) [Default City]:sh #city

Organization Name (eg, company) [Default Company Ltd]:sh #organization name

Organizational Unit Name (eg, section) []:sh #department name

Common Name (eg, your name or your server's hostname) []:ssl.etiantian.org #domain name, must match the host name the browser will use

Email Address []:769358362@qq.com #email


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:111111 #a CSR attribute only, not a passphrase on the key; it can be left blank

An optional company name []:111111 #optional

#Generate the certificate file server.crt

#The following command strips a passphrase from a key. server.key was generated without -des3/-aes256, so it has no passphrase and server.nopass.key is simply a copy (both are 887 bytes in the listing below); the step is not needed here.
#[root@lnmp sslkey]# openssl rsa -in server.key -out server.nopass.key

#writing RSA key

#Self-sign the request with our own key, valid for 365 days
[root@lnmp sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=cn/ST=sh/L=sh/O=sh/OU=sh/CN=ssl.etiantian.org/emailAddress=769358362@qq.com

Getting Private key

#List the generated files

[root@lnmp sslkey]# ll  

total 16

-rw-r--r--. 1 root root 912 Dec 17 11:38 server.crt #certificate

-rw-r--r--. 1 root root 745 Dec 17 11:13 server.csr #signing request

-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key #private key

-rw-r--r--. 1 root root 887 Dec 17 11:35 server.nopass.key

5. Configure the nginx main configuration file nginx.conf

#Configure a virtual host that uses https. The certificate paths use the nginx prefix /application/nginx1.6.3 shown by nginx -V; the files were written to /application/nginx/sslkey, which works if /application/nginx points at that prefix. The original post used "ssl on;" together with SSLv3/TLSv1 and an RC4-capable cipher list; those are replaced here with the safer equivalents.

    server {

       listen 443 ssl;                 # enables TLS on this listener (replaces the older "ssl on;" form)

       server_name ssl.etiantian.org;  # must match the certificate's Common Name

       ssl_certificate /application/nginx1.6.3/sslkey/server.crt;

       ssl_certificate_key /application/nginx1.6.3/sslkey/server.key;

       ssl_session_timeout 5m;

       ssl_protocols TLSv1.2;          # SSLv3 is broken (POODLE); TLSv1.2 needs OpenSSL 1.0.1 or later, which nginx 1.6.3 is usually built against

       ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;   # no anonymous DH, no RC4, no export/medium grades

       ssl_prefer_server_ciphers on;

       location / {

                root html/ssl;

                index index.html index.htm;

       }

    }

6. Check the configuration and reload nginx

[root@lnmp sslkey]# /application/nginx/sbin/nginx -t

nginx: the configuration file /application/nginx1.6.3/conf/nginx.conf syntax is ok

nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test is successful

[root@lnmp sslkey]# /application/nginx/sbin/nginx -s reload

7. Configure the hosts file

#On the client machine that runs the browser, so that the test domain resolves to the server:

192.168.137.220    ssl.etiantian.org

8. Test

#Enter https://ssl.etiantian.org in the browser. Because the certificate is self-signed, the browser warns that it is not trusted; after accepting the warning the page under html/ssl is served over HTTPS.

9. A problem I ran into

After configuring everything, the nginx syntax check reported an error.

[root@lnmp sslkey]# /application/nginx/sbin/nginx -t

nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx/sslkey/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test failed

I searched online but nothing I found solved my problem. A blog post finally did.

Reference post: http://blog.sina.com.cn/s/blog_4f925fc30102eucg.html

Solution:

The cause was a mistake in the certificate generation step. I had written the output of openssl req straight to server.crt:

[root@lnmp sslkey]# openssl req -new -key server.key -out server.crt

openssl req -new produces a certificate signing request, not a certificate. Its PEM block begins with "-----BEGIN CERTIFICATE REQUEST-----", whereas ssl_certificate expects a block beginning with "-----BEGIN CERTIFICATE-----"; nginx finds no such line and reports "no start line ... Expecting: TRUSTED CERTIFICATE". The correct sequence is to write the request to server.csr and then self-sign it with x509 -req to produce server.crt:

[root@lnmp sslkey]# openssl req -new -key server.key -out server.csr

[root@lnmp sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
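The script below is an added example that is not part of the original post. It covers steps 3 and 4 (key, CSR, self-signed certificate) and the mistake from section 9 in one place: it generates a 2048-bit key with owner-only permissions, signs the request into a certificate that also carries a subjectAltName (browsers match the host name against the SAN rather than the Common Name), runs the checks worth doing before nginx -t, and then deliberately repeats the section 9 mistake to show how a CSR written to a .crt file can be spotted from its first line. The host name ssl.etiantian.org and the DN fields are taken from the post; everything is written to a temporary directory, so nothing under /application is touched.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the post's host name;
# all files are created in a scratch directory made with mktemp.
set -e

HOST="ssl.etiantian.org"

# pem_kind FILE: report what the first PEM block in FILE is. nginx's
# ssl_certificate only accepts "BEGIN CERTIFICATE"; a file starting with
# "BEGIN CERTIFICATE REQUEST" is a CSR and triggers the
# "no start line ... Expecting: TRUSTED CERTIFICATE" error from section 9.
pem_kind() {
    first="$(head -n 1 "$1" 2>/dev/null || true)"
    case "$first" in
        "-----BEGIN CERTIFICATE REQUEST-----") echo csr ;;
        "-----BEGIN CERTIFICATE-----")         echo cert ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN PRIVATE KEY-----") echo key ;;
        *)                                     echo unknown ;;
    esac
}

# make_key DIR: 2048-bit key (the post's run fell back to 1024), created 0600
# instead of the world-readable 0644 shown in the post's listing.
make_key() {
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null )
}

# make_csr DIR: -subj answers the interactive DN prompts of step 4 with the
# post's values; no challenge password is set (it is only a CSR attribute).
make_csr() {
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=CN/ST=sh/L=sh/O=sh/OU=sh/CN=$HOST" 2>/dev/null
}

# make_cert DIR: self-sign the CSR for one year. The SAN is supplied through an
# extension file, which works on old and new OpenSSL alike.
make_cert() {
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$1/san.ext"
    openssl x509 -req -days 365 -sha256 -in "$1/server.csr" -signkey "$1/server.key" \
        -extfile "$1/san.ext" -out "$1/server.crt" 2>/dev/null
}

# check_pair DIR: the checks worth running before nginx -t. Prints "ok" or the
# first failing check.
check_pair() {
    dir="$1"
    [ "$(pem_kind "$dir/server.crt")" = cert ] || { echo "server.crt is not a certificate"; return 1; }
    [ "$(pem_kind "$dir/server.key")" = key ]  || { echo "server.key is not a private key"; return 1; }
    # the certificate must belong to this key: compare the RSA moduli
    cert_mod="$(openssl x509 -noout -modulus -in "$dir/server.crt")"
    key_mod="$(openssl rsa -noout -modulus -in "$dir/server.key" 2>/dev/null)"
    [ "$cert_mod" = "$key_mod" ] || { echo "key does not match certificate"; return 1; }
    # self-signed: the certificate must verify with itself as the trust anchor
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "certificate does not verify"; return 1; }
    # and it must carry the host name in the SAN
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$HOST" \
        || { echo "SAN missing"; return 1; }
    echo ok
}

# reproduce_mistake DIR: the wrong command from section 9, writing the CSR to a
# file named .crt. Prints "csr", the file type nginx cannot load.
reproduce_mistake() {
    openssl req -new -key "$1/server.key" -out "$1/wrong.crt" -subj "/CN=$HOST" 2>/dev/null
    pem_kind "$1/wrong.crt"
}

# Stand-alone run: build the files in a scratch directory and print the results.
demo() {
    d="$(mktemp -d)"
    make_key "$d"; make_csr "$d"; make_cert "$d"
    echo "check_pair: $(check_pair "$d")"
    echo "wrong.crt contains: $(reproduce_mistake "$d")"
    rm -rf "$d"
}
demo
```

The moduli comparison catches the other common mix-up, a certificate copied next to a key it was not issued for; that mismatch is reported by nginx only at startup, with a different error than the one in section 9. Running pem_kind on the .crt and .key before editing nginx.conf turns both mistakes into a one-word answer instead of an [emerg] line.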