配置HTTPS证书记录分享
程序员文章站
2022-03-29 12:34:29
给官网配置HTTPS证书记录,第一次
当然要记录下来, 这是新出炉的官网themis官网
废话不多说,开始正题
1) 弯路
查阅到配置nginx 根证书,和秘钥就可以做到https正常...
给官网配置HTTPS证书记录,第一次
当然要记录下来, 这是新出炉的官网themis官网
废话不多说,开始正题
1) 弯路
查阅到配置nginx 根证书,和秘钥就可以做到https正常访问
├── CACertificate-INTERMEDIATE-1.cer ├── CACertificate-ROOT-2.cer ├── themis.key └── ServerCertificate.cer
这是老大给我的一窍不通的东西,老大提醒我,要建立证书链,还要注意移动设备访问证书会提示不安全的情况。
当时我还是很懵逼的。
查阅到如下配置
看看自己的防火墙 终端执行 iptables -L –line-numbers
Chain INPUT (policy ACCEPT) num target prot opt source destination Chain FORWARD (policy ACCEPT) num target prot opt source destination Chain OUTPUT (policy ACCEPT) num target prot opt source destination
如上所示没有任何拦截,主要注意443端口拦截
如下配置nginx
server { listen 443; server_name localhost; ssl on; ssl_certificate /etc/nginx/sslcer/CACertificate-ROOT-2.cer; ssl_certificate_key /etc/nginx/sslcer/themis.key; ssl_session_timeout 5m; ssl_protocols SSLv3 TLSv1; ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM; ssl_prefer_server_ciphers on; location / { root /data/www/themiswww; index index.html index.htm; } }
终端执行 nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
这样是秘钥和服务器证书搭配正确
访问 https://themis.im https正常
然后发现移动设备果然提示了 证书不受信任
终端执行 openssl s_client -connect www.themis.im:443
发现提示了
... verify error:num=20:unable to get local issuer certificate verify return:1 ... verify error:num=27:certificate not trusted verify return:1 ... verify error:num=21:unable to verify the first certificate verify return:1 ... Certificate chain 0 s:/businessCategory=Private.../CN=www.abc.com i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2 i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign …
最后的解决方案 生成证书链
终端执行 cat ServerCertificate.cer CACertificate-INTERMEDIATE-1.cer CACertificate-ROOT-2.cer > CACertificate-ROOT-1.pem
把 nginx 配置中的 CACertificate-ROOT-2.cer 替换为CACertificate-ROOT-1.pem
然后再次执行 openssl s_client -connect www.themis.im:443
Certificate chain 0 s:/CN=*.themis.im i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018 i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA --- ...... SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 512F18AE435BD0A126FE08BA6EC3A1D6343C4A2835B1C6F15B01C5E15B0BBFF0 Session-ID-ctx: Master-Key: F86C0D5F7DF4DC436442CAE41CB6843769089AF5EC025525469ABD0461E612B63F530A55C35AA073EDE9C51BDF97A06D Key-Arg : None Start Time: 1522068649 Timeout : 300 (sec) Verify return code: 0 (ok)
over.
推荐阅读
-
tomcat配置ssl证书ip访问(tomcat配置https协议)
-
tomcat配置ssl证书ip访问(tomcat配置https协议)
-
nginx配置ssl证书实现https访问的示例
-
Nginx配置SSL证书部署HTTPS网站的方法(颁发证书)
-
https证书配置安装及优势和劣势(亲身体验看完绝对不后悔)
-
PHP Curl https跳过ssl证书认证报错记录及解决
-
详解在Ubuntu上的Apache配置SSL(https证书)的正确姿势
-
springboot下https证书配置
-
Nginx 配置SSL证书 HTTP/HTTPS都能访问
-
【转载】网站配置Https证书系列(一):腾讯云申请免费的SSL证书的流程步骤(即https安全连接使用的证书)