誰說學美術將來只能賣畫了,我也有自己的夢想。
阿新 • • 發佈:2019-02-02
給官網配置HTTPS證書記錄,第一次
當然要記錄下來, 這是新出爐的官網themis官網
廢話不多說,開始正題
1) 彎路
查閱到配置nginx 根證書,和祕鑰就可以做到https正常訪問
├── CACertificate-INTERMEDIATE-1.cer
├── CACertificate-ROOT-2.cer
├── themis.key
└── ServerCertificate.cer這是老大給我的一竅不通的東西,老大提醒我,要建立證書鏈,還要注意移動裝置訪問證書會提示不安全的情況。
當時我還是很懵逼的。
查閱到如下配置
看看自己的防火牆 終端執行 iptables -L –line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination如上所示沒有任何攔截,主要注意443埠攔截
如下配置nginx
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/sslcer/CACertificate-ROOT-2.cer;
ssl_certificate_key /etc/nginx/sslcer/themis.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH: 終端執行 nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful然後發現移動裝置果然提示了 證書不受信任
終端執行 openssl s_client -connect www.themis.im:443
發現提示了
...
verify error:num=20:unable to get local issuer certificate
verify return:1
...
verify error:num=27:certificate not trusted
verify return:1
...
verify error:num=21:unable to verify the first certificate
verify return:1
...
Certificate chain
0 s:/businessCategory=Private.../CN=www.abc.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
…
最後的解決方案 生成證書鏈
終端執行 cat ServerCertificate.cer CACertificate-INTERMEDIATE-1.cer CACertificate-ROOT-2.cer > CACertificate-ROOT-1.pem
把 nginx 配置中的 CACertificate-ROOT-2.cer 替換為CACertificate-ROOT-1.pem
然後再次執行 openssl s_client -connect www.themis.im:443
Certificate chain
0 s:/CN=*.themis.im
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
......
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 512F18AE435BD0A126FE08BA6EC3A1D6343C4A2835B1C6F15B01C5E15B0BBFF0
Session-ID-ctx:
Master-Key: F86C0D5F7DF4DC436442CAE41CB6843769089AF5EC025525469ABD0461E612B63F530A55C35AA073EDE9C51BDF97A06D
Key-Arg : None
Start Time: 1522068649
Timeout : 300 (sec)
Verify return code: 0 (ok)over.