【Question title】: SSL certificate doesn't work for localhost on Ubuntu 16.04
【Posted】: 2019-03-10 06:46:50
【Question】:

I am trying to add a certificate for localhost on my VPS so that, from the VPS itself, I can reach a Node server running on port 1337 via https://localhost:1337.

Currently, when Firefox on my VPS visits it, it gives me "Your connection is not secure". Visiting https://my-website.example:1337, however, works fine.

The steps I have taken so far:

  1. cd /usr/local/share/ca-certificates
  2. openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
    • Country Name: blank
    • State or Province Name: blank
    • Locality Name: blank
    • Organization Name: blank
    • Organizational Unit Name: blank
    • Common Name: localhost
    • Email Address: blank
  3. chmod 644 localhost.crt
  4. chmod 644 localhost.key
  5. sudo update-ca-certificates

【Question comments】:

    Tags: ubuntu ssl networking certificate


    【Answer 1】:

    The certificate must also be added to the browser's trust store; the steps you did only apply to tools such as curl, wget, etc.

    In the Docker container I use for local development, I use a set of bash scripts to set up a root certificate authority, which I then use to issue all the domain certificates needed for development.

    The browser only needs to know the root certificate authority; your server will need to know all the domain certificates you issue.

    Try the following set of scripts, in this order:

    ./setup-root-certificate.sh "root-ca.key" "root-ca.pem" "RootCertificateAuthority" && \
    ./create-domain-certificate.sh "localhost" "root-ca.key" "root-ca.pem" && \
    ./add-certificate-to-browser.sh "root-ca.pem" "RootCertificateAuthority"
    

    Now just add the domain certificate to Apache, Nginx or whatever server you are using, then restart your browser and your server.

    This solution does not require you to add an exception the first time you visit the localhost domain.

    Warning: these scripts have been used in Docker containers; I have not tested them directly on a host machine, but they should work the same way.

    Set up the root certificate: ./setup-root-certificate.sh

    #!/bin/bash
    
    set -eu
    
    ###
    # inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
    ###
    
    ROOT_CA_KEY="${1?Missing Name for root certificate KEY file}"
    ROOT_CA_PEM="${2?Missing Name for root certificate PEM file}"
    ROOT_CA_NAME="${3?Missing Certificate Name}"
    CONFIG_FILE="${4:-openssl.cnf}"
    
    # only create the root CA once: test the expanded file name, not the literal word ROOT_CA_PEM
    if [ ! -f "${ROOT_CA_PEM}" ]
        then
            printf "\n>>> CREATING A ROOT CERTIFICATE <<<\n"
    
            # self-signed root CA valid for 10 years; CA extensions come from the v3_ca section of the config
            openssl req \
                -new \
                -newkey rsa:4096 \
                -days 3650 \
                -nodes \
                -x509 \
                -extensions v3_ca \
                -subj "/C=US/ST=CA/L=SF/O=${ROOT_CA_NAME}/CN=${ROOT_CA_NAME}" \
                -keyout "${ROOT_CA_KEY}" \
                -out "${ROOT_CA_PEM}" \
                -config "${CONFIG_FILE}"
    
            printf "\n>>> ADDING ROOT CERTIFICATE TO THE TRUSTED STORE <<<\n"
    
            # add the certificate to the system trust store (used by curl, wget, etc.; NSS browsers have their own)
            cp "${ROOT_CA_PEM}" /usr/local/share/ca-certificates/self-signed-root-ca.crt
            update-ca-certificates
    
            # dump the certificate in readable form for inspection
            openssl x509 -in "${ROOT_CA_PEM}" -text -noout > "${ROOT_CA_NAME}.txt"
    
            printf "\n >>> ROOT CERTIFICATE CREATED SUCCESSFULLY <<<\n"
    
        else
            printf "\n >>> ROOT CERTIFICATE ALREADY EXISTS <<<\n"
    fi
    

    Create the domain certificate: ./create-domain-certificate.sh

    #!/bin/bash
    
    set -eu
    
    ###
    # inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
    ###
    
    DOMAIN="${1:-example.com}"
    ROOT_CA_KEY="${2?Missing Name for root certificate KEY file}"
    ROOT_CA_PEM="${3?Missing Name for root certificate PEM file}"
    
    DOMAIN_CA_KEY="${DOMAIN}.key"
    DOMAIN_CA_CSR="${DOMAIN}.csr"
    DOMAIN_CA_CRT="${DOMAIN}.crt"
    DOMAIN_CA_TXT="${DOMAIN}.txt"          # per-domain extension fragment (v3_req section: subjectAltName etc.)
    DOMAIN_CA_DUMP="${DOMAIN}.verify.txt"  # readable dump of the issued certificate
    CONFIG_FILE="${DOMAIN}.cnf"
    
    printf "\n>>> MERGING CONFIGURATION FROM ${DOMAIN_CA_TXT} INTO ${CONFIG_FILE} <<<\n"
    cat openssl.cnf "${DOMAIN_CA_TXT}" > "${CONFIG_FILE}"
    
    printf "\n>>> GENERATING KEY FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_KEY} <<<\n"
    
    # generate the private/public RSA key pair for the domain
    openssl genrsa -out "${DOMAIN_CA_KEY}" 4096
    
    printf "\n>>> GENERATING CSR FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CSR} <<<\n"
    
    # create the server certificate signing request
    openssl req \
        -subj "/CN=${DOMAIN}" \
        -extensions v3_req \
        -sha256 \
        -new \
        -key "${DOMAIN_CA_KEY}" \
        -out "${DOMAIN_CA_CSR}"
    
    printf "\n>>> GENERATING CRT FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CRT} <<<\n"
    
    # sign the server certificate with the CA key and CA cert, taking the v3_req
    # extensions (including the subjectAltName) from the merged config file
    openssl x509 \
        -req \
        -extensions v3_req \
        -days 3650 \
        -sha256 \
        -in "${DOMAIN_CA_CSR}" \
        -CA "${ROOT_CA_PEM}" \
        -CAkey "${ROOT_CA_KEY}" \
        -CAcreateserial \
        -out "${DOMAIN_CA_CRT}" \
        -extfile "${CONFIG_FILE}"
    
    # dump the certificate for inspection; written to a separate file so the
    # ${DOMAIN}.txt fragment read above is not overwritten on the next run
    openssl x509 -in "${DOMAIN_CA_CRT}" -text -noout > "${DOMAIN_CA_DUMP}"
    
    printf "\n >>> CERTIFICATE CREATED FOR DOMAIN: ${DOMAIN} <<<\n"
    

    To add the root certificate to the browser's trusted certificate store: ./add-certificate-to-browser.sh

    #!/bin/bash
    
    set -u
    
    ###
    # https://thomas-leister.de/en/how-to-import-ca-root-certificate/
    ###
    
    ### Script installs a root CA certificate into the trust store of applications using NSS
    ### (e.g. Firefox, Thunderbird, Chromium)
    ### Older Mozilla profiles use cert8.db (DBM); Chromium, Chrome and Firefox 58+ use cert9.db (SQL)
    
    ###
    ### Requirement: apt install libnss3-tools
    ###
    
    ###
    ### CA file to install (CUSTOMIZE!)
    ###
    
    CA_PEM="${1?Missing file name for the PEM certificate}"
    CA_NAME="${2?Missing Certificate Name}"
    BROWSER_CONFIG_DIR="${3:-/home}"
    
    ###
    ### For cert8 (legacy - DBM)
    ###
    
    for certDB in $(find "${BROWSER_CONFIG_DIR}" -name "cert8.db")
    do
        certdir=$(dirname "${certDB}")
        # -A adds the cert; trust flags "TCu,Cu,Tu" mark it as a trusted CA for SSL, e-mail and object signing
        certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i "${CA_PEM}" -d "dbm:${certdir}"
    done
    
    ###
    ### For cert9 (SQL)
    ###
    
    for certDB in $(find "${BROWSER_CONFIG_DIR}" -name "cert9.db")
    do
        certdir=$(dirname "${certDB}")
        # same nickname (CA_NAME) as above; it is what the browser's certificate manager displays
        certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i "${CA_PEM}" -d "sql:${certdir}"
    done
    
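    An added example, not the answer's scripts: it writes the two input files those scripts assume but the post never shows (a minimal openssl.cnf and the per-domain localhost.txt fragment carrying the subjectAltName), issues localhost.crt the same way, and then checks that the result chains to root-ca.pem alone and names localhost. The scratch directory and subject names are constructed; the file names follow the answer.

```shell
#!/bin/bash
# Added example (not the answer's scripts): the openssl.cnf and localhost.txt
# files those scripts assume, with the subjectAltName browsers require, plus a
# check that the issued certificate chains to the root CA and names localhost.
# Scratch directory and subject names are constructed for this example.
set -eu
WORK="${TMPDIR:-/tmp}/local-ca-example"
mkdir -p "$WORK" && cd "$WORK"
make_local_ca() {
  # minimal openssl.cnf: a DN section (required by req) and the CA extensions
  cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # per-domain fragment create-domain-certificate.sh appends to openssl.cnf;
  # modern browsers match the host name against the SAN, not the CN
  cat > localhost.txt <<'EOF'
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 3650 \
    -config openssl.cnf -extensions v3_ca -subj "/CN=Dev Root CA" \
    -keyout root-ca.key -out root-ca.pem 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config openssl.cnf \
    -subj "/CN=localhost" -keyout localhost.key -out localhost.csr 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in localhost.csr -CA root-ca.pem \
    -CAkey root-ca.key -CAcreateserial -extfile localhost.txt \
    -extensions v3_req -out localhost.crt 2>/dev/null
}
# prints "ok" when the leaf verifies against root-ca.pem alone, matches the
# host name through its SAN and is not itself a CA; otherwise names the failure
check_localhost_cert() {
  openssl verify -CAfile root-ca.pem -verify_hostname localhost localhost.crt \
    >/dev/null 2>&1 || { echo "chain-or-hostname-fail"; return 1; }
  local text; text=$(openssl x509 -in localhost.crt -noout -text)
  printf '%s' "$text" | grep -q 'DNS:localhost' || { echo "san-missing"; return 1; }
  printf '%s' "$text" | grep -q 'CA:FALSE' || { echo "leaf-is-ca"; return 1; }
  echo ok
}
make_local_ca
check_localhost_cert
```

    The same two files work unchanged with the answer's `cat openssl.cnf localhost.txt > localhost.cnf` merge step, and the check is what to run before touching any browser trust store.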

    【Comments】:
