生成测试用的自签名 SSL 证书（不需要验证域名所有权）
先执行 pip install cryptography 安装依赖
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
import datetime
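# pip install cryptography
# Self-signed certificate for local testing only: nothing signs it, so clients
# will not trust it without an explicit override, and the private key is
# written to key.pem unencrypted — keep the file out of version control.

# Generate an RSA key pair
key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
)

domain = "你的域名"  # replace with the hostname the test server answers on

# Subject and issuer are the same entity for a self-signed certificate
subject = issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"),
    x509.NameAttribute(NameOID.LOCALITY_NAME, "San Francisco"),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Company"),
    x509.NameAttribute(NameOID.COMMON_NAME, domain),
])

# One timezone-aware UTC timestamp so both validity bounds agree;
# datetime.utcnow() is deprecated since Python 3.12.
now = datetime.datetime.now(datetime.timezone.utc)

cert = (
    x509.CertificateBuilder()
    .subject_name(subject)
    .issuer_name(issuer)
    .public_key(key.public_key())
    .serial_number(x509.random_serial_number())
    .not_valid_before(now)
    .not_valid_after(now + datetime.timedelta(days=365))
    # Current clients verify the hostname against the SAN, not the CN
    .add_extension(
        x509.SubjectAlternativeName([x509.DNSName(domain)]),
        critical=False,
    )
    .sign(key, hashes.SHA256())
)

# Write the private key (unencrypted PEM) and the certificate to files
with open("key.pem", "wb") as f:
    f.write(key.private_bytes(
        encoding=Encoding.PEM,
        format=PrivateFormat.TraditionalOpenSSL,
        encryption_algorithm=NoEncryption(),
    ))
with open("cert.pem", "wb") as f:
    f.write(cert.public_bytes(Encoding.PEM))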
生成受信任的 SSL 证书，需要在域名所指向的服务器上执行：
Ubuntu: sudo apt-get install certbot
CentOS: yum install certbot
import subprocess
#sudo apt-get install certbot
#默认生成证书路径 /etc/letsencrypt/live/yourdomain.com/
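def generate_ssl_cert(domain, email, webroot_path, cert_path):
    """Request a certificate for *domain* through certbot's webroot plugin.

    Args:
        domain: hostname to certify; it must already resolve to this host,
            because the ACME HTTP-01 challenge file is served from
            ``webroot_path``.
        email: contact address registered with the ACME account.
        webroot_path: directory the web server serves for
            ``/.well-known/acme-challenge/``.
        cert_path: forwarded as certbot's ``--cert-path``.

    Returns:
        True when certbot exited successfully, False otherwise. Failures are
        printed rather than raised, keeping the original best-effort behaviour.
    """
    # Arguments are passed as a list (no shell), so domain/email/path values
    # cannot inject additional shell commands.
    command = [
        "sudo", "certbot", "certonly",
        "--webroot",
        "--webroot-path", webroot_path,
        # NOTE(review): certbot documents --cert-path for --csr mode; with the
        # webroot plugin the issued files normally land under
        # /etc/letsencrypt/live/<domain>/ — confirm before relying on cert_path.
        "--cert-path", cert_path,
        "--non-interactive",
        "--agree-tos",
        "--email", email,
        "-d", domain,
    ]
    try:
        subprocess.run(command, check=True)
    except subprocess.CalledProcessError as e:
        print(f"生成 SSL 证书时出错: {e}")
        return False
    except FileNotFoundError as e:
        # sudo or certbot is not installed / not on PATH
        print(f"生成 SSL 证书时出错: {e}")
        return False
    print(f"SSL 证书已为 {domain} 生成,保存在 {cert_path} 中")
    return True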
# Example usage — placeholders: replace with the real domain, the contact
# address, the directory the domain is served from, and the output path
generate_ssl_cert(
    domain="yourdomain.com",
    email="yourdomain.com@163.com",
    webroot_path="域名指向的路径",
    cert_path="证书生成路径/cert.pem",
)
NGINX 配置示例
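server {
    listen 80;
    listen 443 ssl http2;
    server_name example.com www.example.com;

    # Force plain-HTTP requests onto HTTPS
    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }

    # Certificate chain and private key
    ssl_certificate /www/server/cert/example.com/fullchain.pem;
    ssl_certificate_key /www/server/cert/example.com/privkey.pem;

    # TLS 1.0/1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3
    ssl_protocols TLSv1.2 TLSv1.3;
    # 3DES suites removed (64-bit block cipher, considered weak). The RSA+AES
    # suites are kept for legacy clients but provide no forward secrecy —
    # drop them too if no such clients remain.
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS; "always" also emits the header on error responses
    add_header Strict-Transport-Security "max-age=31536000" always;
    # Plain HTTP sent to the HTTPS port: redirect instead of returning an error
    error_page 497 https://$host$request_uri;

    # ACME (certbot) HTTP-01 validation directory must stay reachable
    location ~ \.well-known{
        allow all;
    }
    # Never serve scripts or archives placed in the validation directory
    if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
        return 403;
    }

    access_log /www/wwwlogs/example.log;
    error_log /www/wwwlogs/example.error.log;
}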