我已经从 sslforfree.com 为我的网站创建了 SSL 证书
我尝试在我的 NGINX 服务器上启用 SSL,如下所示,不幸的是,我收到了一条错误消息,如您在底部看到的:
/etc/nginx/sites-available/default
server {
listen 80;
server_name myserver.com;
listen 443;
ssl on;
ssl_certificate /home/tolga/SSLcerts/ca_bundle.crt;
ssl_certificate_key /home/tolga/SSLcerts/private.key;
错误信息:
tail -f /var/log/nginx/error.log
2017/10/06 11:29:55 [emerg] 13813#13813: SSL_CTX_use_PrivateKey_file("/home/tolga/SSLcerts/private.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
可能存在什么问题?
答案1
您的配置中的错误在于您只有一个服务器段落。服务器会告诉您单个连接需要知道的所有信息。当您需要 SSL 时,您需要将其放在单独的服务器段落中。如果我错了,请纠正我,但据我所知(并且使用 NginX 已有 3 年了),单个服务器段落无法监听两个不同的端口。
因此,如果您还希望将所有 HTTP 重定向到 HTTPS,您的正确配置应如下所示:
server {
listen 80;
server_name myserver.com;
return 301 https://myserver.com$request_uri;
}
server {
listen 443 ssl;
server_name myserver.com.hu;
ssl_certificate /home/tolga/SSLcerts/ca_bundle.crt;
ssl_certificate_key /home/tolga/SSLcerts/private.key;
root /var/www/html/com.myserver/public;
error_log /var/log/nginx/com.myserver/error.log;
access_log /var/log/nginx/com.myserver/access.log;
index index.php;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
gzip_disable "MSIE [1-6]\.";
location..............
location..............
location..............
location..............
}
还有一些对未来的建议:
将您的 crt 和密钥文件放入
/etc/nginx/ssl/com.myserver.crt
并/etc/nginx/ssl/com.myserver.key
(因为这样组织起来更好)在 ssl_ccertificate 之后和根之前使用以下代码增强您的安全性:
ssl_协议 TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers开启;
ssl_ciphers“EECDH + AESGCM:EDH + AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256 +EECDH:DHE-RSA-AES128-GCM-SHA256:AES256 + EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE- RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES25 6-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256- GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!预锁相环:!RC4";
add_header 严格传输安全“max-age=63072000; includeSubdomains; 预加载”;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
使用以下命令创建 dhparam.pem 文件:
openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 4096
答案2
我从 sslforfree.com 下载了 2 个 CRT 文件
在 nginx 配置中,当我将证书从 ca_bundle.crt 更改为 certificate.crt 时,问题就解决了。