Generate an SSL key pair
[root@aliyun ~]# cd /usr/local/nginx/conf
[root@aliyun conf]# openssl genrsa -des3 -out tmp.key 2048    generate a temporary private key file
Generating RSA private key, 2048 bit long modulus
...............+++
............+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:    enter a passphrase to encrypt the temporary private key
140415873787808:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters    if the passphrase is shorter than 4 characters you are asked to enter it again
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@aliyun conf]# openssl rsa -in tmp.key -out testprivate.key    convert the temporary private key into the new private key file
Enter pass phrase for tmp.key:    enter the passphrase from before; the new private key file is written without it
writing RSA key
[root@aliyun conf]# ls
fastcgi.conf  fastcgi.conf.default  fastcgi_params  fastcgi_params.default  htpasswd  koi-utf  koi-win  mime.types  mime.types.default  nginx.conf  nginx.conf.bak  nginx.conf.default  scgi_params  scgi_params.default  testprivate.key  tmp.key  uwsgi_params  uwsgi_params.default  vhost  win-utf
[root@aliyun conf]# rm -f tmp.key    delete the temporary private key file
[root@aliyun conf]# openssl req -new -key testprivate.key -out test.csr    generate the certificate signing request
This request is used together with the private key to produce the public key (certificate) file
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    fill in the relevant information
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:TEST
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:test
Email Address []:@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:test123
An optional company name []:test
[root@aliyun conf]# openssl x509 -req -days 365 -in test.csr -signkey testprivate.key -out testpublic.crt    use the certificate request and the private key to produce the public key (certificate), valid for 365 days
Signature ok
subject=/C=CN/ST=GuangDong/L=ShenZhen/O=TEST/OU=IT/CN=test/emailAddress=test@163.com
Getting Private key
test.csr: certificate request    testprivate.key: private key    testpublic.crt: public key (certificate)
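The same key, CSR and self-signed certificate steps as a non-interactive shell script, followed by the checks worth running before the files are handed to nginx. This is an added example, not part of the original post: the output directory argument and the hostname www.test.com are assumed, and the subjectAltName extension is something the interactive session above does not set.

```sh
#!/bin/sh
# Added example: the genrsa / req / x509 steps above without prompts, plus
# sanity checks on the result. Paths and hostname are constructed for this example.
set -eu

# make_selfsigned HOST DIR [DAYS]: writes testprivate.key, test.csr and
# testpublic.crt into DIR, self-signed and valid for DAYS (default 365).
make_selfsigned() {
    host="$1"; dir="$2"; days="${3:-365}"
    mkdir -p "$dir"
    (
        # nginx reads the key at start-up, so it is written without a passphrase;
        # umask 077 keeps it owner-only from the moment it is created.
        umask 077
        openssl genrsa -out "$dir/testprivate.key" 2048 2>/dev/null
    )
    # Same DN fields as the interactive session, supplied with -subj.
    openssl req -new -key "$dir/testprivate.key" -out "$dir/test.csr" \
        -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=TEST/OU=IT/CN=$host"
    # Browsers and curl match the hostname against subjectAltName, not CN,
    # so the certificate gets a DNS SAN for the server name.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days "$days" -in "$dir/test.csr" \
        -signkey "$dir/testprivate.key" -extfile "$dir/san.ext" \
        -out "$dir/testpublic.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: succeeds when the certificate was issued for this
# private key (same RSA modulus); a mismatch makes nginx refuse to start.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -modulus | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# cert_has_san CRT HOST: succeeds when the certificate names HOST in its SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_private KEY: succeeds when only the owner can read the private key.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

Once the certificate passes these checks, curl can verify it explicitly with --cacert testpublic.crt instead of disabling verification with -k; the name in the URL still has to match the SAN.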
Configure SSL in Nginx
1. Create the SSL configuration file
[root@aliyun conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
Add the following content:
server
{
    listen 443;
    server_name test.com;
    index index.html index.php;
    root /data/wwwroot/test.com;
    ssl on;    # on nginx 1.15.0 this line produces an error
    ssl_certificate testpublic.crt;
    ssl_certificate_key testprivate.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
2. Test whether the SSL configuration is valid:
[root@aliyun conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
To fix the error, nginx has to be recompiled, this time with the http_ssl_module:
[root@aliyun conf]# cd /usr/local/src/nginx-1.14.0
[root@aliyun nginx-1.14.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@aliyun nginx-1.14.0]# make && make install
[root@aliyun nginx-1.14.0]# echo $?
0
[root@aliyun conf]# service nginx restart
[root@aliyun conf]# /usr/local/nginx/sbin/nginx -t
[root@aliyun conf]# netstat -lntp    check whether port 443 is listening
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 12839/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1410/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 12839/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 12773/mysqld
[root@aliyun conf]# curl https://www.test.com    to test from a local machine, edit the Windows hosts file first
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@aliyun vhost]#
Testing shows HTTPS is now working; the only problem is that, because this certificate was issued by ourselves, the major browser vendors do not recognise it.