我制作了一个生成 CA 文件和由 CA 签名的 SSL 的脚本:
#/usr/bin/env bash
# Absolute path to this script, e.g. /home/user/bin/foo.sh
SCRIPT=$(readlink -f "${BASH_SOURCE}")
# Absolute path this script is in, thus /home/user/bin
BASEDIR=$(dirname ${SCRIPT})
FINAL_CERTPATH=${BASEDIR}
CA_CERT=${BASEDIR}/ca.cert
CA_KEY=${BASEDIR}/ca.key
if [[ ! -f ${CA_CERT} ]] || [[ ! -f ${CA_KEY} ]]; then
echo "GENERATING CA CERTIFICATE"
openssl genrsa -out ${CA_KEY} 2048
openssl req -x509 -new -nodes \
-key ${CA_KEY} -subj "/C=GR/L=ATTICA" \
-days 1825 -out ${CA_CERT}
echo "DONE"
ls -l
echo "#####################################################"
fi
CERT_BASENAME="www"
CERTIFICATE_PATH=${BASEDIR}/${CERT_BASENAME}.crt
KEY_PATH=${BASEDIR}/${CERT_BASENAME}.key
SIGNING_REQUEST=${BASEDIR}/${CERT_BASENAME}.csr
echo "CREATING CERTIFICATE"
openssl req -new -sha512 -keyout ${KEY_PATH} -nodes -out ${SIGNING_REQUEST} -config ${BASEDIR}/ssl_config
echo "SIGNING CERTIFICATE using CA"
ls -l ${SIGNING_REQUEST}
openssl x509 -req -days 9000 -startdate -sha512 -in ${SIGNING_REQUEST} -CAkey ${CA_KEY} -CA ${CA_CERT} -CAcreateserial -extfile ${BASEDIR}/v3.sign -out ${CERTIFICATE_PATH}
rm -rf ${SIGNING_REQUEST}
echo "#######################################"
echo "IMPORT these cert into your system as CA cert:"
echo ${CA_CERT}
签名的配置是:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1
# List your domain names here
DNS.4 = 172.21.0.6
DNS.5 = example.local
DNS.6 = example2.local
对于证书:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt=no
[ req_distinguished_name ]
countryName = GR
stateOrProvinceName = Attica
localityName = Echarnes
organizationName = PC_MAGAS
commonName = example.local
我确实将CA导入到firefox中。我鞭打了 2 个 nginx 虚拟主机:
events {
worker_connections 768;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
gzip on;
gzip_disable "msie6";
client_max_body_size 10000M;
server_tokens off;
error_log /dev/stdout debug;
#misc
server {
listen 80 default;
server_name _;
return 308 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/www.key;
server_name example.local;
root /usr/share/nginx/html/example.local;
index index.html;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/www.key;
server_name example2.local;
root /usr/share/nginx/html/example2.local;
index index.html;
}
}
我将其修改/ets/hosts
为 docker nginx 静态托管:
# TEST
172.21.0.6 example.local
172.21.0.6 example2.local
version: "3"
services:
nginx:
image: nginx
volumes:
- .:/usr/share/nginx/html
- "./nginx.conf:/etc/nginx/nginx.conf:ro"
- "./certs/www.crt:/etc/nginx/www.crt:ro"
- "./certs/www.key:/etc/nginx/www.key:ro"
networks:
frontend:
ipv4_address: 172.21.0.6
networks:
frontend:
ipam:
config:
- subnet: 172.21.0.0/24
但是firefox显示这个问题:
知道为什么吗?
编辑1
我将歌唱配置修改为:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
DNS.3 = ::1
# List your domain names here
DNS.5 = example.local
DNS.6 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
问题仍然出现
答案1
问题是在签名配置中您应该使用:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
# List your domain names here
DNS.2 = example.local
DNS.3 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
IP.3 = ::1
::1
是 localhost 域的 ipv6 另外,DNS 列表也应相应编号。你的DNS.5
和DNS.6
应该是DNS.2
和DNS.3