Since HTTPS sites have become mainstream, today I tested the use of a self-made SSL certificate in my LNMP environment. Because the CA and key were created by me, ordinary browsers will not consider the site secure; to have mainstream browsers treat it as secure, you still have to pay a certification authority for a certificate.
Below are my configuration steps and one problem I ran into.
Introduction to HTTPS
HTTPS is HTTP with SSL encryption and verification layered on top, which makes network transmission more secure.
1. LNMP environment
[root@lnmp sslkey]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.6.3
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/application/nginx1.6.3 --with-http_stub_status_module --with-http_ssl_module --with-http_realip_module
Note: because HTTPS needs to be configured, nginx must be compiled with the two parameters --with-http_stub_status_module and --with-http_ssl_module.
--with-http_stub_status_module: enables nginx's NginxStatus feature, used to monitor nginx's current state
--with-http_ssl_module: makes nginx support the SSL module
2. Install openssl
openssl is a tool that can create certificates and keys for us.
[root@lnmp ~]# yum install -y openssl openssl-devel
3. Generate the private key server.key
# Create a folder sslkey to hold the certificate and key
[root@lnmp ~]# mkdir /application/nginx/sslkey
[root@lnmp ~]# cd /application/nginx/sslkey/
# Generate a private key for the server to use
[root@lnmp nginx]# openssl genrsa -out server.key
Generating RSA private key, 1024 bit long modulus
.................................++++++
.........................++++++
e is 65537 (0x10001)
[root@lnmp sslkey]# ll server.key
-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key
4. Request a certificate server.crt
# Generate the certificate signing request file server.csr
[root@lnmp sslkey]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn #country
State or Province Name (full name) []:sh #province
Locality Name (eg, city) [Default City]:sh #city
Organization Name (eg, company) [Default Company Ltd]:sh #organization name
Organizational Unit Name (eg, section) []:sh #department name
Common Name (eg, your name or your server's hostname) []:ssl.etiantian.org #domain name
Email Address []:769358362@qq.com #e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111 #password
An optional company name []:111111 #optional
# Generate the certificate file server.crt
# Optional: write a copy of the key without a passphrase (not needed here, since genrsa above was run without -des3)
#[root@lnmp sslkey]# openssl rsa -in server.key -out server.nopass.key
#writing RSA key
[root@lnmp sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=sh/L=sh/O=sh/OU=sh/CN=ssl.etiantian.org/emailAddress=769358362@qq.com
Getting Private key
# View the certificate files
[root@lnmp sslkey]# ll
total 16
-rw-r--r--. 1 root root 912 Dec 17 11:38 server.crt #certificate
-rw-r--r--. 1 root root 745 Dec 17 11:13 server.csr
-rw-r--r--. 1 root root 887 Dec 17 11:07 server.key #private key
-rw-r--r--. 1 root root 887 Dec 17 11:35 server.nopass.key
5. Configure nginx's main configuration file nginx.conf
# Configure a virtual host that uses https
server {
    listen 443;
    server_name ssl.etiantian.org;
    ssl on;
    ssl_certificate /application/nginx1.6.3/sslkey/server.crt;
    ssl_certificate_key /application/nginx1.6.3/sslkey/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
    ssl_prefer_server_ciphers on;
    location / {
        root html/ssl;
        index index.html index.htm;
    }
}
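Two of the settings in the server block above, SSLv3 in ssl_protocols and RC4 in ssl_ciphers, are no longer considered safe. The shell script below is an added example, not part of the original post or of nginx: it writes the post's server block and a hardened variant to temporary files and runs a small line-based lint over both, so the weak settings and their replacements can be compared side by side. The hardened protocol list and cipher string are assumptions suited to an nginx 1.6.x built against OpenSSL 1.0.1 or later; the certificate paths and server_name are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for the TLS settings of an nginx
# server block, run over the post's step-5 block and over a hardened version of it. The
# hardened protocol list and cipher string are assumptions for an nginx 1.6.x built against
# OpenSSL 1.0.1 or later; the certificate paths and server_name are the post's.
set -eu

# Write the post's server block (weak settings kept as-is) to file $1.
write_weak_server() {
    cat > "$1" <<'EOF'
server {
    listen 443;
    server_name ssl.etiantian.org;
    ssl on;
    ssl_certificate /application/nginx1.6.3/sslkey/server.crt;
    ssl_certificate_key /application/nginx1.6.3/sslkey/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
    ssl_prefer_server_ciphers on;
    location / {
        root html/ssl;
        index index.html index.htm;
    }
}
EOF
}

# Write a hardened server block to file $1: TLS only, no RC4 or export-grade suites,
# and a shared session cache so TLS session resumption works across worker processes.
write_hardened_server() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name ssl.etiantian.org;
    ssl_certificate /application/nginx1.6.3/sslkey/server.crt;
    ssl_certificate_key /application/nginx1.6.3/sslkey/server.key;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT:!3DES;
    ssl_prefer_server_ciphers on;
    location / {
        root html/ssl;
        index index.html index.htm;
    }
}
EOF
}

# Print one line per weak setting in config file $1. Returns 0 when nothing was flagged,
# 1 otherwise. Matching is line-based, so a directive split across lines is not seen.
lint_tls_config() {
    findings=0
    if grep -Eq '^[[:space:]]*ssl_protocols[^;]*SSLv[23]' "$1"; then
        echo "ssl_protocols enables SSLv2/SSLv3; SSL 3.0 is broken by POODLE"
        findings=1
    fi
    if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*[: ]RC4' "$1"; then
        echo "ssl_ciphers offers RC4 suites (a leading '!' is what excludes them)"
        findings=1
    fi
    if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*[:+ ]MEDIUM' "$1"; then
        echo "ssl_ciphers adds the MEDIUM grade, which in OpenSSL 1.0.x includes 128-bit RC4"
        findings=1
    fi
    return $findings
}

# Usage: lint both versions side by side.
work=$(mktemp -d)
write_weak_server "$work/weak.conf"
write_hardened_server "$work/hardened.conf"
echo "== post's server block =="
lint_tls_config "$work/weak.conf" || true
echo "== hardened server block =="
lint_tls_config "$work/hardened.conf" && echo "no findings"
rm -rf "$work"
```

The lint is deliberately simple (three greps over the directives nginx actually reads), so it can be dropped into a deploy check; after swapping in the hardened block, `nginx -t` followed by a reload, exactly as in step 6, applies it.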
6. Restart nginx
[root@lnmp sslkey]# /application/nginx/sbin/nginx -t
nginx: the configuration file /application/nginx1.6.3/conf/nginx.conf syntax is ok
nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test is successful
[root@lnmp sslkey]# /application/nginx/sbin/nginx -s reload
7. Configure the hosts file
192.168.137.220 ssl.etiantian.org
8. Test
# Enter https://ssl.etiantian.org in the browser
9. Problem encountered
After the configuration was done, checking the nginx syntax reported an error.
[root@lnmp sslkey]# /application/nginx/sbin/nginx -t
nginx: [emerg] PEM_read_bio_X509_AUX("/application/nginx/sslkey/server.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /application/nginx1.6.3/conf/nginx.conf test failed
I searched online, but that did not solve my problem. Later I solved it by referring to a blog post.
Reference post: http://blog.sina.com.cn/s/blog_4f925fc30102eucg.html
Solution:
It was caused by a wrong step when the certificate was generated earlier:
[root@lnmp sslkey]# openssl req -new -key server.key -out server.crt
The correct steps are:
[root@lnmp sslkey]# openssl req -new -key server.key -out server.csr
[root@lnmp sslkey]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
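The key, CSR and certificate steps (steps 3 and 4) and the fix in section 9 are collected below into one shell script, as an added example that is not part of the original post. It runs the key/CSR/self-signed-certificate pipeline without interactive prompts, checks that the certificate really belongs to the key, and adds a check that reads the PEM header of the file nginx is given: "no start line ... Expecting: TRUSTED CERTIFICATE" means that file's first PEM block is not a CERTIFICATE, which is exactly what happens when `openssl req` writes its CSR straight to server.crt. The subject values, the 2048-bit key size, the temporary working directory and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the key -> CSR -> self-signed certificate
# pipeline from steps 3-4 and section 9, run without interactive prompts, plus a check
# that tells a certificate from a CSR by its PEM header. The subject values, the 2048-bit
# key size and the temporary working directory are assumptions.
set -eu

# Print the type named in the first "-----BEGIN ...-----" line of a PEM file
# (CERTIFICATE, CERTIFICATE REQUEST, RSA PRIVATE KEY, ...), or NONE if there is none.
pem_type() {
    awk '/^-----BEGIN .*-----$/ {
             sub(/^-----BEGIN /, ""); sub(/-----$/, ""); print; found = 1; exit
         }
         END { if (!found) print "NONE" }' "$1"
}

# nginx's ssl_certificate must point at a file whose first PEM block is a CERTIFICATE;
# "PEM_read_bio_X509_AUX ... no start line" is what you get otherwise. Returns 0 when
# the file is usable, 1 with a hint when it is not.
check_cert_file() {
    kind=$(pem_type "$1")
    case "$kind" in
        CERTIFICATE)
            echo "$1: OK, first PEM block is a CERTIFICATE"; return 0 ;;
        "CERTIFICATE REQUEST")
            echo "$1: this is a CSR, not a certificate; sign it with 'openssl x509 -req'"
            return 1 ;;
        NONE)
            echo "$1: no PEM header found (wrong file, or DER instead of PEM)"; return 1 ;;
        *)
            echo "$1: first PEM block is '$kind', expected CERTIFICATE"; return 1 ;;
    esac
}

# Generate server.key, server.csr and server.crt in directory $1 for common name $2.
# -subj replaces the interactive DN prompts; 2048 bits replaces the post's 1024-bit default.
make_selfsigned() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=cn/ST=sh/L=sh/O=sh/OU=sh/CN=$cn"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
    # The certificate must belong to the key: both must carry the same RSA modulus.
    crt_mod=$(openssl x509 -in "$dir/server.crt" -noout -modulus)
    key_mod=$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)
    [ -s "$dir/server.crt" ] && [ "$crt_mod" = "$key_mod" ]
}

# Usage: run the pipeline when openssl is available, then check the certificate and,
# for contrast, the CSR (which is what the post's wrong command had written as server.crt).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    if make_selfsigned "$work" ssl.etiantian.org; then
        check_cert_file "$work/server.crt"
        check_cert_file "$work/server.csr" || true
    fi
    rm -rf "$work"
fi
```

Run it with `sh script.sh`. `pem_type` and `check_cert_file` need only awk, so they work on a host without openssl and can be pointed at whatever path the `ssl_certificate` directive names before running `nginx -t`; the generation step is only attempted when openssl is found in PATH.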