This blog is my work companion: whenever I run into a problem, I come here to look things up.
Category: System Operations
2017-03-13 20:53:29
1. Install OpenSSL
[root@c6 ~]# yum install -y openssl openssl-devel
___________________________________________________________ installing with yum
#download openssl
[root@Web_server src]# tar xf openssl-1.0.1s.tar.gz
[root@Web_server src]# cd openssl-1.0.1s
[root@Web_server openssl-1.0.1s]# ./config
[root@Web_server openssl-1.0.1s]# make && make install
------------------------------------ installing from source
Install Apache
[root@Web_server src]# wget
[root@Web_server src]# tar xvf httpd-2.2.31.tar.gz
[root@Web_server src]# cd httpd-2.2.31
[root@Web_server httpd-2.2.31]# ./configure --prefix=/usr/local/apache2 --with-included-apr --enable-so --enable-deflate=shared --enable-expires=shared --enable-rewrite=shared --with-pcre --enable-ssl=shared --with-ssl=/usr/local/ssl #the dynamic (shared) mod_ssl is chosen here; use --enable-ssl=static --with-ssl=/usr/local/ssl for a static build
------------------------------------ adding mod_ssl as an extension module instead
[root@Web_server openssl-1.0.1s]# cd /usr/local/src/httpd-2.2.31/modules/ssl #this must be run from inside the httpd source tree
[root@Web_server ssl]# /usr/local/apache2/bin/apxs -i -c -a -D HAVE_OPENSSL=1 -I /usr/lib/openssl/engines/lib -lcrypto -lssl -ldl *.c
Error 1: error "Unrecognized SSL Toolkit!", or "declaration for parameter 'XXXXXX' but no such parameter"
Fix: add -D HAVE_OPENSSL=1
Error 2: undefined symbol: ssl_cmd_SSLMutex
Fix: apxs compiled and added the module successfully, but Apache failed to start. After this error I changed the mod_ssl.c I had given to apxs to *.c. Unlike mod_deflate, the ssl module consists of several source files.
Error 3: undefined symbol: X509_INFO_free
Fix: caused by the OpenSSL libraries being linked statically (the default); the fix is to add the -lcrypto -lssl -ldl parameters.
2. Create the certificate
■ Create the private key
___________________________________________________________
[root@Web_server modules]# cd /usr/local/ssl/bin/
[root@Web_server bin]# openssl genrsa -out server.key 2048
[root@Web_server bin]# cp server.key /usr/local/apache2/conf/ssl.key
■ Generate the certificate signing request (CSR) file
___________________________________________________________
[root@Web_server bin]# openssl req -new -key server.key -out certreq.csr
Country Name (2 letter code) [XX]:cn #ISO code of the country; CN for China
State or Province Name (full name) []:zj #province/autonomous region/municipality of the organisation
Locality Name (eg, city) [Default City]:zs #city/county/district of the organisation
Organization Name (eg, company) [Default Company Ltd]:dx #legal name of the organisation/company
Organizational Unit Name (eg, section) []:zwy #department name
Common Name (eg, your name or your server's hostname) []:zwy #must exactly match the domain name clients use to reach the SSL server
Email Address []: #e-mail address; not required, press Enter to skip
"extra" attributes #the following are not required; press Enter until the command finishes
[root@c6 conf]# cp server.key server.key.ori
[root@c6 conf]# openssl rsa -in server.key.ori -out server.key
writing RSA key
[root@c6 conf]# openssl x509 -req -days 365 -in certreq.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=ZJ/L=ZS/O=DX/OU=ZWY/CN=ZWY/emailAddress=szk5043@foxmail.com
Getting Private key
3. Apache configuration
___________________________________________________________
[root@Web_server ~]# vim /usr/local/apache2/conf/httpd.conf
Include conf/extra/httpd-ssl.conf
#uncomment this line
[root@Web_server ~]# vim /usr/local/apache2/conf/extra/httpd-vhosts.conf
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/?(.*)$ https://%{SERVER_NAME}/$1 [L,R]
#add the automatic HTTP-to-HTTPS redirect to the configuration of each virtual host that needs it
[root@Web_server ~]# mv /usr/local/apache2/conf/extra/httpd-ssl.conf /usr/local/apache2/conf/extra/httpd-ssl.conf.bak #back up the default configuration file
[root@Web_server ~]# > /usr/local/apache2/conf/extra/httpd-ssl.conf
[root@c6 ~]# vim /usr/local/apache2/conf/extra/httpd-ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLCryptoDevice builtin
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4:
#the opening and closing VirtualHost tags below were lost from the page as extracted and have been restored
<VirtualHost *:443>
DocumentRoot "/data/www"
ServerName
ErrorLog "logs/dummy-host.example.com-error_log"
CustomLog "logs/dummy-host.example.com-access_log" common
SSLEngine on
SSLCertificateFile /usr/local/apache2/conf/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/server.key
#SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/intermediatebundle.crt
</VirtualHost>
Error: curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Fix: put the port 443 VirtualHost before the port 80 VirtualHost; use NameVirtualHost * for the port 80 section and NameVirtualHost *:443 for the port 443 section.
1. SSL module
HTTPS in nginx requires the ssl module, which is added by passing --with-http_ssl_module when compiling nginx. You also need a server private key and a server certificate; for a company's public-facing environment the certificate has to be bought from a third-party trusted CA, otherwise the user experience cannot be guaranteed.
2. Check whether the Nginx SSL module is installed
[root@c6 ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_stub_status_module
3. Prepare the private key and certificate
3.1 Create the server private key
[root@c6 ~]# cd /usr/local/nginx/conf/
[root@c6 conf]# mkdir key
[root@c6 conf]# cd key
[root@c6 key]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: #enter a passphrase
Verifying - Enter pass phrase for server.key: #enter it again
3.2 Create the certificate request (CSR)
[root@c6 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:YJS
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:Web
Email Address []:szk5043@foxmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root
An optional company name []:root
3.3 Remove the passphrase from the server private key
[root@c6 key]# cp server.key server.key.ori
[root@c6 key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key
3.4 Generate a self-signed certificate from the CSR and the private key
[root@c6 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=YJS/OU=SA/CN=Web/emailAddress=szk5043@foxmail.com
Getting Private key
3.5 Enable SSL in Nginx
[root@c6 ~]# vim /usr/local/nginx/conf/vhosts/szk.conf
server {
server_name
listen 80;
rewrite ^(.*) permanent;
}
server {
listen 443;
server_name
index index.html index.htm index.php;
root /data/www;
ssl on;
ssl_certificate key/server.crt;
ssl_certificate_key key/server.key;
location ~ \.php$ {
include fastcgi_params;
#fastcgi_pass unix:/tmp/php-fcgi.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
}
}
#redirect requests on port 80 to port 443 automatically
[root@c6 ~]# /etc/init.d/nginx restart
Stopping Nginx: [ OK ]
Starting Nginx: [ OK ]
[root@c6 ~]# netstat -tnlup | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1504/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1504/nginx
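As an added check that is not part of the original post: the Apache httpd-ssl.conf above pins the protocol but explicitly turns +LOW and +MEDIUM cipher groups on, and the nginx server block above sets neither ssl_protocols nor ssl_ciphers, so nginx 1.6.2 falls back to its compiled-in defaults (which still included SSLv3 before 1.9.1). The script below, written for this page, scans a config file for exactly these settings before it is deployed. The helper names, the sample config files it writes and their paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: a pre-deploy check that scans an
# Apache (mod_ssl) or nginx config file for weak TLS settings of the kind the
# post's own configs carry. Assumes one directive per line and '#' comments;
# the sample config files written by write_samples are constructed for the demo.

# helpers operating on $cfg (comment-stripped config text set by lint_tls_config)
has()       { printf '%s\n' "$cfg" | grep -qiE "$1"; }
last_line() { printf '%s\n' "$cfg" | grep -iE "$1" | tail -n 1; }

# lint_tls_config FILE: prints one finding per line, returns the number of findings
lint_tls_config() {
  cfg=$(sed 's/#.*//' "$1")   # drop comments so a commented-out directive does not count
  n=0

  # ---- Apache mod_ssl ----
  if has '^[[:space:]]*SSLEngine[[:space:]]+on'; then
    proto=$(last_line '^[[:space:]]*SSLProtocol[[:space:]]')
    if [ -z "$proto" ]; then
      echo "apache: no SSLProtocol directive, mod_ssl default applies"; n=$((n+1))
    elif printf '%s\n' "$proto" | grep -qiE '[[:space:]](all|\+?SSLv3)' \
         && ! printf '%s\n' "$proto" | grep -qi -- '-SSLv3'; then
      echo "apache: SSLv3 left enabled: $proto"; n=$((n+1))
    fi
    suite=$(last_line '^[[:space:]]*SSLCipherSuite[[:space:]]')
    # a cipher group counts as enabled when it appears without '!' and is never '!'-excluded
    for weak in LOW MEDIUM EXPORT ADH RC4 DES MD5; do
      if printf '%s\n' "$suite" | grep -qE "(^|[[:space:]:])\\+?$weak([^A-Za-z0-9_]|$)" \
         && ! printf '%s\n' "$suite" | grep -qE "!$weak([^A-Za-z0-9_]|$)"; then
        echo "apache: weak cipher group enabled: $weak"; n=$((n+1))
      fi
    done
    if printf '%s\n' "$suite" | grep -qE '(^|[[:space:]:])\+?ALL(:|$)' \
       && ! printf '%s\n' "$suite" | grep -q '!aNULL'; then
      echo "apache: ALL used without !aNULL, anonymous suites not explicitly excluded"; n=$((n+1))
    fi
    has '^[[:space:]]*SSLHonorCipherOrder[[:space:]]+on' \
      || { echo "apache: SSLHonorCipherOrder is not on"; n=$((n+1)); }
  fi

  # ---- nginx ----
  if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' \
     || has '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:]]|;)'; then
    proto=$(last_line '^[[:space:]]*ssl_protocols[[:space:]]')
    if [ -z "$proto" ]; then
      # nginx before 1.9.1 (the post runs 1.6.2) included SSLv3 in the default
      echo "nginx: no ssl_protocols directive, compiled-in default applies"; n=$((n+1))
    elif printf '%s\n' "$proto" | grep -q 'SSLv3'; then
      echo "nginx: SSLv3 enabled: $proto"; n=$((n+1))
    fi
    has '^[[:space:]]*ssl_ciphers[[:space:]]' \
      || { echo "nginx: no ssl_ciphers directive, compiled-in default applies"; n=$((n+1)); }
    has '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]+on' \
      || { echo "nginx: ssl_prefer_server_ciphers is not on"; n=$((n+1)); }
  fi
  return $n
}

# write_samples DIR: constructed sample configs; the "weak" ones mirror the post's settings
write_samples() {
  cat > "$1/apache-weak.conf" <<'EOF'
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW:!RC4:
EOF
  cat > "$1/apache-ok.conf" <<'EOF'
SSLEngine on
SSLProtocol -all +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES
EOF
  cat > "$1/nginx-weak.conf" <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_certificate key/server.crt;
    ssl_certificate_key key/server.key;
}
EOF
  cat > "$1/nginx-ok.conf" <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate key/server.crt;
    ssl_certificate_key key/server.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;
}
EOF
}

# stand-alone demo: lint the four constructed samples
demo=$(mktemp -d)
write_samples "$demo"
for f in "$demo"/*.conf; do
  echo "== $f"
  lint_tls_config "$f" || echo "-- $? finding(s)"
done
```

Run it against a real httpd-ssl.conf or nginx vhost file with lint_tls_config /path/to/file; a non-zero return value means at least one finding, which makes it easy to wire into a deployment script.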
4. Testing
By default the ssl module is not built in; to use it, pass --with-http_ssl_module at compile time. The module depends on the OpenSSL library and a few header files, which usually are not in the same package; that package is typically named something like libssl-dev.
A simple certificate can be generated with the following steps:
First, change into the directory where you want to create the certificate and private key, for example:
cd /usr/local/nginx/conf
Create the server private key; the command will ask you for a passphrase:
openssl genrsa -des3 -out server.key 1024
Create the certificate signing request (CSR):
openssl req -new -key server.key -out server.csr
Remove the passphrase that would otherwise be required when SSL-enabled Nginx loads this private key:
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
Configure nginx
Finally, sign the certificate using the private key and CSR above:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Modify the Nginx configuration file so that it includes the newly signed certificate and private key:
server {
server_name YOUR_DOMAINNAME_HERE;
listen 443;
ssl on;
ssl_certificate /usr/local/nginx/conf/server.crt;
ssl_certificate_key /usr/local/nginx/conf/server.key;
}
Restart nginx.
The site can then be accessed via:
You can also add the following to redirect port 80 to 443
server {
listen 80;
server_name ww.centos.bz;
rewrite ^(.*) permanent;
}
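The key, CSR and self-signed certificate steps appear three times on this page (the Apache section, nginx section 3 and the summary just above) and are always typed interactively. As an added example that is not from the original post, the script below does the same steps non-interactively with -subj, creates the key under umask 077 so the file is not world-readable, and then checks what the page never checks: that the certificate's public key really belongs to the key file, which CN ended up in the certificate, and the mode of the key file. openssl is assumed to be on PATH; the directory, hostname, subject values and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's key -> CSR -> self-signed
# certificate steps run non-interactively, plus the checks the post skips.
# Assumptions: openssl is on PATH; the directory, hostname and subject fields are
# constructed for this example.

# make_selfsigned DIR CN [DAYS]: writes DIR/server.key, DIR/server.csr, DIR/server.crt
make_selfsigned() {
  dir=$1; cn=$2; days=${3:-365}
  mkdir -p "$dir"
  # umask 077 in a subshell makes the key 0600; a plain 'genrsa' as in the post leaves it world-readable
  (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null) || return 1
  # -subj replaces the interactive prompts; CN must match the hostname clients connect to
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=CN/ST=ZJ/L=ZS/O=DX/OU=ZWY/CN=$cn" || return 1
  # self-sign the CSR with the same key, as the post does with 'openssl x509 -req -signkey'
  openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
    -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: 0 if the certificate carries the public key derived from KEY
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# cert_cn CRT: the CN of the certificate subject (handles both '/CN=' and 'CN = ' output styles)
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# key_mode FILE: octal permission bits (GNU stat first, BSD stat as fallback)
key_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# stand-alone demo in a temporary directory
demo=$(mktemp -d)
if make_selfsigned "$demo" www.example.com 365; then
  echo "CN:       $(cert_cn "$demo/server.crt")"
  echo "key mode: $(key_mode "$demo/server.key")"
  key_matches_cert "$demo/server.key" "$demo/server.crt" && echo "key/cert: match"
fi
```

The key/cert comparison is the one to keep in a deployment checklist: a web server started with a certificate and a key that do not belong together fails only at the first TLS handshake, and comparing the two public keys catches that before the restart.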
(1) Generate the private key;
# (umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
(2) Generate the self-signed certificate;
# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
-new: generate a new certificate signing request;
-x509: generate a self-signed certificate; used specifically when creating a private CA;
-out: path of the generated request file; for a self-signing operation the signed certificate is written directly;
-key: path of the private key file used to generate the request;
-days: validity period of the certificate, in days;
(3) Provide the directories and files the CA needs;
# mkdir -pv /etc/pki/CA/{certs,crl,newcerts}
# touch /etc/pki/CA/{serial,index.txt}
# echo 01 > /etc/pki/CA/serial
This host is now a CA.
(4) On the host that will use the certificate (the httpd host), generate a private key;
# mkdir /etc/httpd/ssl
# cd /etc/httpd/ssl
# (umask 077; openssl genrsa -out /etc/httpd/ssl/httpd.key 2048)
(5) Generate the certificate signing request
# openssl req -new -key /etc/httpd/ssl/httpd.key -out /etc/httpd/ssl/httpd.csr -days 365
(6) Sign the certificate on the CA host;
# openssl ca -in /etc/httpd/ssl/httpd.csr -out /etc/pki/CA/certs/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1(0x2)
Validity
Not Before: Apr 10 15:45:54 2016 GMT
Not After : Apr 10 15:45:54 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = ops
organizationalUnitName = ops
commonName = ops.com
emailAddress = admin@ops.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
08:A3:DD:98:D3:E0:42:58:5E:B7:24:43:6C:3D:B1:D8:02:34:16:46
X509v3 Authority Key Identifier:
keyid:75:63:44:2C:46:80:2F:84:CE:EF:C6:F1:F2:E7:75:2E:EF:17:37:C2
Certificate is to be certified until Apr 10 15:45:54 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(7) View the information in the certificate:
# openssl x509 -in /etc/pki/CA/certs/httpd.crt -noout -serial -subject
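As an added example that is not from the original post: steps (1) to (7) above run in a throw-away directory instead of /etc/pki/CA, with a minimal openssl.cnf written by the script so that openssl ca does not depend on /etc/pki/tls/openssl.cnf, and finishing with an openssl verify of the issued certificate against the CA certificate, which the post omits. The subject values, file names, the configuration and the function names are constructed for this example; openssl is assumed to be on PATH and the CA certificate itself is created with the system default openssl.cnf, as in step (2).

```shell
#!/bin/sh
# Added example, not part of the original post: the private-CA steps (1)-(7) done
# non-interactively in a throw-away directory, with a minimal openssl.cnf so that
# 'openssl ca' does not depend on /etc/pki/tls/openssl.cnf, plus a chain check the
# post omits. Assumptions: openssl on PATH; paths, subject values and the config
# below are constructed for this example.

# init_ca DIR: steps (1)-(3): CA key (0600), self-signed CA cert, directory layout, serial=01
init_ca() {
  ca=$1
  mkdir -p "$ca/private" "$ca/certs" "$ca/crl" "$ca/newcerts"
  touch "$ca/index.txt"
  echo 01 > "$ca/serial"
  (umask 077; openssl genrsa -out "$ca/private/cakey.pem" 4096 2>/dev/null) || return 1
  openssl req -new -x509 -sha256 -days 365 -key "$ca/private/cakey.pem" \
    -subj "/C=CN/ST=beijing/O=ops/CN=demo-private-ca" -out "$ca/cacert.pem" || return 1
  # minimal configuration for 'openssl ca'; "\$dir" stays literal so openssl expands it
  cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca      = demo_ca
[ demo_ca ]
dir             = $ca
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/cacert.pem
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 365
policy          = demo_policy
x509_extensions = server_ext
[ demo_policy ]
commonName              = supplied
countryName             = optional
stateOrProvinceName     = optional
organizationName        = optional
organizationalUnitName  = optional
emailAddress            = optional
[ server_ext ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# make_server_csr DIR CN: steps (4)-(5) on the host that needs the certificate
make_server_csr() {
  d=$1; cn=$2
  mkdir -p "$d"
  (umask 077; openssl genrsa -out "$d/httpd.key" 2048 2>/dev/null) || return 1
  openssl req -new -key "$d/httpd.key" -out "$d/httpd.csr" \
    -subj "/C=CN/ST=beijing/O=ops/OU=ops/CN=$cn"
}

# sign_csr CADIR CSR OUT: step (6) with the CA's own config instead of /etc/pki/tls/openssl.cnf
sign_csr() {
  openssl ca -batch -config "$1/openssl.cnf" -in "$2" -out "$3" -days 365 -notext 2>/dev/null
}

# verify_chain CADIR CRT: 0 if CRT chains to the CA (checks the printed ': OK', which every version emits)
verify_chain() {
  openssl verify -CAfile "$1/cacert.pem" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_serial CRT: the serial field of step (7); the first cert after 'echo 01 > serial' gets 01
cert_serial() {
  openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# is_ca_cert CRT: 0 if basicConstraints says CA:TRUE (a leaf issued by this CA says CA:FALSE)
is_ca_cert() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# stand-alone demo
work=$(mktemp -d)
if init_ca "$work/CA" && make_server_csr "$work/httpd" ops.com \
   && sign_csr "$work/CA" "$work/httpd/httpd.csr" "$work/CA/certs/httpd.crt"; then
  echo "serial: $(cert_serial "$work/CA/certs/httpd.crt")"
  verify_chain "$work/CA" "$work/CA/certs/httpd.crt" && echo "chain: OK"
  is_ca_cert "$work/CA/certs/httpd.crt" || echo "leaf: CA:FALSE as expected"
fi
```

After signing, the CA directory records what was issued: index.txt gains one line, newcerts/01.pem holds a copy of the certificate, and serial has moved on to 02, which is the bookkeeping that lets the same CA later revoke or re-issue without serial collisions.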