我正在设置一个内部测试网络,并希望 FireFox 接受我的自签名证书。具体来说,我正在尝试为 nginx 配置证书,以便我可以使用MyTestNetwork.dev 和 *.MyTestNetwork.dev。
以下是我生成证书的方法:
rm rootCA.* MyTestNetwork.dev.*
# Generate rootCA
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -subj="/C=US/ST=CA/O=MyTestNetwork/CN=MyTestNetwork.dev" -addext 'subjectAltName=DNS:MyTestNetwork.dev,DNS:*.MyTestNetwork.dev' -nodes -key rootCA.key -sha256 -days 365 -out rootCA.crt
# Generate Server Certificates
openssl genrsa -out MyTestNetwork.dev.key 2048
openssl req -new -sha256 -key MyTestNetwork.dev.key -subj="/C=US/ST=CA/O=MyTestNetwork/CN=*.MyTestNetwork.dev" -addext 'subjectAltName=DNS:MyTestNetwork.dev,DNS:*.MyTestNetwork.dev' -out MyTestNetwork.dev.csr
openssl x509 -req -in MyTestNetwork.dev.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out MyTestNetwork.dev.crt -days 365 -sha256
以下是 nginx 中的 SSL 设置:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/certs/MyTestNetwork.dev.crt;
ssl_certificate_key /etc/ssl/certs/MyTestNetwork.dev.key;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/ssl/certs/dhparam;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
# add_header Strict-Transport-Security "max-age=63072000" always;
add_header Strict-Transport-Security "max-age=0;";
# replace with the IP address of your resolver
resolver 127.0.0.1;
location / {
proxy_pass http://$host$request_uri;
}
}
我面临两个具体问题:
- 即使
rootCA.crt通过中的“导入证书”设置将其导入 FireFoxabout:preferences#privacy,我仍然收到错误:
网站通过证书证明其身份。Firefox 不信任此网站,因为它使用的证书对 dns.MyTestNetwork.dev 无效。
错误代码:SSL_ERROR_BAD_CERT_DOMAIN
即使我有该服务器的正确 DNS 记录(该域托管我正在使用的 DNS 服务器的仪表板)。
- 我无法 curl
MyTestNetwork.dev,因为出现此错误:
curl:(60)SSL:证书主题名称“*.MyTestNetwork.dev”与目标主机名“MyTestNetwork.dev”不匹配更多详细信息:https://curl.se/docs/sslcerts.html
curl 无法验证服务器的合法性,因此无法与其建立安全连接。要了解有关此情况的更多信息以及如何修复它,请访问上面提到的网页。
即使我使用多个 SAN 创建了证书。
任何帮助都将不胜感激!
答案1
问题在于,正如 @jabbson 指出的那样,subjectAltName由于我的语法,我的代码无法从 CSR 传播到证书。正确的语法是:
# Generate rootCA
openssl genrsa -out config/CA/rootCA.key 4096
openssl req -new -x509 -days 365 -key config/CA/rootCA.key -subj="/C=RH/ST=RT/O=MyTestNetwork/CN=MyTestNetwork CA" -out config/CA/rootCA.crt
# Generate server certificate
openssl req -newkey rsa:2048 -nodes -keyout config/CA/${DOMAIN}.key -subj="/C=RH/ST=RT/O=MyTestNetwork/CN=*.mytestnetwork.dev" -out config/CA/${DOMAIN}.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:mytestnetwork.dev,DNS:*.mytestnetwork.dev") -days 365 -in config/CA/${DOMAIN}.csr -CA config/CA/rootCA.crt -CAkey config/CA/rootCA.key -CAcreateserial -out config/CA/${DOMAIN}.crt