I received a file (along with a matching password) from the client that is supposed to replace my letsencrypt setup. It looks like this:
[domain.pem]
subject=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla==
-----END CERTIFICATE-----
subject=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----
subject=CN=domain, SERIALNUMBER=11 111 111 111, OID.2.5.4.15=Private Organization, O=Corp, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=CITY, S=STATE, C=US
issuer=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: SOME-LETTERS
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END RSA PRIVATE KEY-----
My nginx configuration looks like this:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# [...]
ssl on;
ssl_certificate /etc/path/to/domain.pem; # assuming I need the same file here?
ssl_certificate_key /etc/path/to/domain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
# [...]
}
Now, when I try to run it in test mode, I get:
$ sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/path/to/domain.pem") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx: configuration file /etc/nginx/nginx.conf test failed
What I have tried so far
I tried to create a plain-text key from the file via:
openssl rsa -in domain.pem -out domain-plain.key
and include that instead, but the hashes no longer match:
$ openssl x509 -noout -modulus -in domain.pem | openssl md5
206508ae007125edb1b6a26db39213c2
$ openssl rsa -noout -modulus -in domain-plain.key | openssl md5
050b90ff7080b1b1b550ea401b15aaee
Questions
Is there perhaps a way to extract the key and the certificates separately?
Is there another way to use that file and the password file directly in my nginx configuration with ssl_password_file? I can't seem to figure out how.
Answer 1
I would put the private key in a separate file, and make sure its permissions are very strict.
Put the host certificate followed by all intermediate certificates in another file. You can give this file more relaxed permissions: you can grant read access to all users.
The certificate "subject=CN=Entrust Root Certification Authority" is not needed.
ssl_certificate will point to the certificate file. ssl_certificate_key should point to the key file.
The important parts are those that begin and end with dashes, including the dashes themselves. Any other text is just a comment. Make sure the comments match the ASCII-armoured certificates and keys: openssl x509 -noout -text -in file_with_only_one_cert.txt
Answer 2
Just to complete this question with an answer.
As @dave_thompson_085 pointed out, the order of the keys matters. The primary key must come before the CA keys. http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
Just reorder the keys:
subject=CN=domain, SERIALNUMBER=11 111 111 111, OID.2.5.4.15=Private Organization, O=Corp, OID.1.3.6.1.4.1.311.60.2.1.3=US, L=CITY, S=STATE, C=US
issuer=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----
subject=CN=Entrust Certification Authority - L1M, OU="(c) 2014 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END CERTIFICATE-----
subject=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
issuer=CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
-----BEGIN CERTIFICATE-----
bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: SOME-LETTERS
-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla-bla
-----END RSA PRIVATE KEY-----
Also note that, as @Mircea Vutcovici pointed out, OpenSSL ignores any other text that is not inside -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
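The two answers together describe one procedure: split the bundle into a key file (strict permissions) and a chain file ordered leaf first, intermediates next, self-signed root dropped. The script below is an added example that automates exactly that; it is not part of either answer or of any project. It assumes the bundle carries the subject=/issuer= comment lines shown in the question (it orders the chain from those instead of decoding the DER), and the sample bundle with placeholder bodies is constructed for the example.

```python
import re

# Constructed sample in the question's layout: root, intermediate, leaf, encrypted key.
def pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
BUNDLE = ("subject=CN=Root CA\nissuer=CN=Root CA\n" + pem("CERTIFICATE", "ROOT==")
          + "subject=CN=Intermediate CA\nissuer=CN=Root CA\n" + pem("CERTIFICATE", "INTER")
          + "subject=CN=domain\nissuer=CN=Intermediate CA\n" + pem("CERTIFICATE", "LEAF")
          + pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: SOME-LETTERS\nKEY"))

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n?", re.S)

def parse_bundle(text):
    """Split the armoured blocks out. Text between blocks is comment (OpenSSL ignores
    it); the subject=/issuer= lines just before each certificate are kept for ordering."""
    certs, keys, pos = [], [], 0
    for m in BLOCK_RE.finditer(text):
        fields = dict(re.findall(r"^(subject|issuer)=(.*)$", text[pos:m.start()], re.M))
        pos = m.end()
        if m.group(1) == "CERTIFICATE":
            certs.append({"subject": fields.get("subject"), "issuer": fields.get("issuer"), "pem": m.group(0)})
        elif m.group(1).endswith("PRIVATE KEY"):
            keys.append(m.group(0))
    return certs, keys

def order_chain(certs, drop_root=True):
    """Leaf first, then each issuer in turn (the order ssl_certificate expects). The leaf
    is the cert that issued nothing else; a self-signed root is dropped (clients trust it already)."""
    issuers = {c["issuer"] for c in certs if c["subject"] != c["issuer"]}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaves)}")
    by_subject = {c["subject"]: c for c in certs}
    chain, cur = [], leaves[0]
    while cur is not None and cur not in chain:
        if drop_root and cur["subject"] == cur["issuer"]:
            break
        chain.append(cur)
        cur = by_subject.get(cur["issuer"])
    return chain

def split_bundle(text):
    """Return (chain_pem, key_pem): the chain for ssl_certificate, the key for ssl_certificate_key.
    The key is returned unchanged (still encrypted), so nginx also needs ssl_password_file."""
    certs, keys = parse_bundle(text)
    if len(keys) != 1:
        raise ValueError(f"expected one private key, found {len(keys)}")
    return "".join(c["pem"] for c in order_chain(certs)), keys[0]
```

Write the two strings to separate files and chmod the key file to 600. Note that openssl x509 only reads the first certificate in a file, so in the original layout the modulus comparison in the question was run against the Entrust root, not the host certificate; run it against the reordered chain (leaf first) and it should match the key.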