如何在 nginx 中的同一个文件中使用包含密钥和证书的 PEM 密钥?

如何在 nginx 中的同一个文件中使用包含密钥和证书的 PEM 密钥?

我从客户端获取了一个文件(以及一个匹配的密码),该文件应该用来替换我的 letsencrypt 设置。它看起来像这样:

[domain.pem]

subject=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla==
-----END CERTIFICATE-----

subject=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

subject=CN=domain, SERIALNUMBER=11 111 111 111, OID.2.5.4.15=Private Organization, O=Corp, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=CITY, S=STATE, C=US
issuer=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: SOME-LETTERS

-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END RSA PRIVATE KEY-----

我的 nginx 配置如下:

server {
    listen       443 ssl http2;
    listen       [::]:443 ssl http2;
    # [...]

    ssl on;
    ssl_certificate      /etc/path/to/domain.pem; # assuming I need the same file here?
    ssl_certificate_key  /etc/path/to/domain.pem;

    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:50m;
    ssl_session_tickets  off;

    ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers  on;
    ssl_dhparam                /etc/nginx/ssl/dhparam.pem;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling         on;
    ssl_stapling_verify  on;

    # [...]
}

现在,当我尝试在测试模式下运行它时,我得到:

$ sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/path/to/domain.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed

我迄今为止尝试过

我尝试通过以下方式从文件创建一个纯文本密钥:

openssl rsa -in domain.pem -out domain-plain.key

并包括它,但是哈希现在不再匹配:

$ openssl x509 -noout -modulus -in domain.pem | openssl md5
206508ae007125edb1b6a26db39213c2

$ openssl rsa -noout -modulus -in domain-plain.key | openssl md5
050b90ff7080b1b1b550ea401b15aaee

问题

也许有办法可以分别提取密钥和证书?

有没有其他方法可以直接在我的 nginx 配置中使用该文件和密码文件ssl_password_file?我似乎不知道该怎么做。

答案1

我会将私钥放在单独的文件中。并确保权限非常严格。

主机证书后面跟着另一个文件中的所有中间证书。您可以为此文件授予更宽松的权限:您可以为所有用户授予读取权限。

不需要证书“subject=CN=Entrust Root Certification Authority”。

ssl_certificate将指向证书文件。ssl_certificate_key应该指向密钥文件。

重要的部分是那些以破折号开头和结尾的部分,包括那些破折号。任何其他文本都只是注释。确保注释与 ASCII 装甲证书和密钥匹配。openssl s_client -text -in file_with_only_one_cert.txt

答案2

只是为了用答案来完成这个问题

正如@dave_thompson_085 指出的那样,密钥的顺序很重要。主密钥必须先于 CA 密钥。 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

只需重新排列按键即可:

subject=CN=domain, SERIALNUMBER=11 111 111 111, OID.2.5.4.15=Private Organization, O=Corp, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=CITY, S=STATE, C=US
issuer=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

subject=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----

subject=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla==
-----END CERTIFICATE-----

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: SOME-LETTERS

-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END RSA PRIVATE KEY-----

还要注意的是,正如@Mircea Vutcovici 指出的那样,OpenSSL 会忽略不在-----BEGIN CERTIFICATE-----and内的所有其他文本。-----END CERTIFICATE-----

相关内容