Prerequisites:
1. openssl must be installed on the host.
2. nginx must have been built with --with-http_ssl_module (the SSL module).
Now the configuration. (When I set this up, openssl was already installed, but nginx had been built without http_ssl_module, so a later step fails; that failure and the rebuild are covered in detail at the end.)
1. Generate a self-signed CA certificate
    [root@localhost /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
    Generating a 2048 bit RSA private key
    .............................+++
    .......................................................................................................................+++
    writing new private key to '/root/ca.key'
    Enter PEM pass phrase:                # enter a passphrase to protect the CA key
    Verifying - Enter PEM pass phrase:    # confirm the passphrase
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:xian
    Locality Name (eg, city) [Default City]:xian
    Organization Name (eg, company) [Default Company Ltd]:learn
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:learner
    Email Address []:ying@126.com
Press Enter to finish. This produces the CA's private key (/root/ca.key, encrypted with the passphrase you typed) and a self-signed CA certificate (/root/ca.crt). Without -days the certificate is valid for only 30 days; pass, for example, -days 3650 for a CA you intend to keep. Nothing vouches for this CA, so every client will have to import ca.crt as a trusted root.
2. Edit the configuration file openssl.cnf (back it up first)
    [root@localhost /]# vi /etc/pki/tls/openssl.cnf
    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section

    ####################################################################
    [ CA_default ]

    dir             = /etc/pki/CA           # Where everything is kept   # root directory of the CA; remember this path
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several certificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.

    certificate     = $dir/ca.crt           # The CA certificate   # changed: the certificate used when signing
    serial          = $dir/serial           # The current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem # The private key
    RANDFILE        = $dir/private/.rand    # private random number file
Note that step 7 passes -cert and -keyfile on the command line, and those override the certificate and private_key values set here. What the openssl ca command still takes from this file is dir, new_certs_dir, database and serial, which is why the directory layout in step 3 has to exist.
3. Copy the CA certificate into the CA root directory /etc/pki/CA, create the empty files index.txt and serial there, and write "01" into serial (the first serial number openssl ca will issue)
    [root@localhost ~]# cd /etc/pki/CA/
    [root@localhost CA]# cp /root/ca.crt .
    [root@localhost CA]# ls
    ca.crt  certs  crl  newcerts  private
    [root@localhost CA]# touch index.txt
    [root@localhost CA]# touch serial
    [root@localhost CA]# echo "01" >serial
4. Generate the server's RSA private key /root/server.key
    [root@localhost ~]# openssl genrsa -des3 -out /root/server.key 1024
    Generating RSA private key, 1024 bit long modulus
    .............++++++
    .++++++
    e is 65537 (0x10001)
    Enter pass phrase for /root/server.key:               # set a passphrase for this key
    Verifying - Enter pass phrase for /root/server.key:   # confirm the passphrase
A 1024-bit RSA key is too weak for current use; generate at least 2048 bits (replace 1024 with 2048 in the command above).
5. Strip the passphrase from the private key
    [root@localhost ~]# openssl rsa -in /root/server.key -out /root/server_nopwd.key
    Enter pass phrase for /root/server.key:   # the passphrase set in step 4
    writing RSA key
The result is still the private key, just stored unencrypted (it is not a public key). nginx needs it in this form so it can start without prompting, which means the file itself is the only protection: keep it owned by root with mode 600, since anyone who can read it can impersonate the server.
6. Generate the certificate signing request /root/server.csr
    [root@localhost ~]# openssl req -new -key /root/server.key -out /root/server.csr
    Enter pass phrase for /root/server.key:   # the passphrase set in step 4
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -------- the fields below should match those entered for the CA certificate --------
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:xian
    Locality Name (eg, city) [Default City]:xian
    Organization Name (eg, company) [Default Company Ltd]:learn
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:learner
    Email Address []:ying@126.com
    ----------------------------------------------------------------
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:learn
The fields have to match because the default openssl.cnf policy (policy_match) makes openssl ca refuse a request whose countryName, stateOrProvinceName or organizationName differ from the CA's. The Common Name, however, should be the hostname clients will connect to, not an arbitrary name like "learner"; otherwise browsers report a name mismatch even after the CA is trusted. Current browsers also ignore the CN and require a subjectAltName extension, which this openssl ca setup does not add. The challenge password is an optional CSR attribute that nginx never uses and can be left blank.
7. Sign the request /root/server.csr with the private CA
    [root@localhost ~]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /root/ca.key:   # the CA key passphrase set in step 1
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Nov 17 07:47:05 2016 GMT
                Not After : Nov 17 07:47:05 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = xian
                organizationName          = learn
                organizationalUnitName    = it
                commonName                = learner
                emailAddress              = ying@126.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    8A:70:77:B0:32:42:49:AF:85:AD:79:C3:36:1F:43:A5:C5:01:15:E2
                X509v3 Authority Key Identifier:
                    keyid:83:10:7A:45:18:47:D2:27:F8:A0:81:C8:FE:A8:53:9A:1E:BC:D3:77

    Certificate is to be certified until Nov 17 07:47:05 2017 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
The issued certificate is written to /root/server.crt, a copy goes to /etc/pki/CA/newcerts/01.pem, and index.txt and serial are updated.
8. Edit the nginx configuration file /usr/local/nginx/conf/nginx.conf
    server {
        listen 8001 ssl;
        server_name x.x.x.x;    # no port here; ideally the hostname that appears in the certificate

        ssl on;                 # redundant with "listen ... ssl" and deprecated since nginx 1.15.0
        ssl_certificate /root/server.crt;
        ssl_certificate_key /root/server_nopwd.key;   # the passphrase-less key from step 5

        location / {
            root /var/www/html;
            index index.html index.htm;
        }
    }
server_name takes names only (the port does not belong there); with a port in it the name never matches, and this block only works because it is the sole server on port 8001 and therefore the default. Reading the key from /root works because the nginx master process runs as root, but the key must stay unreadable to any other user.
9. Reload the service
    [root@localhost sbin]# ./nginx -s reload
Done. From a client, open https://x.x.x.x:8001/. The browser will warn about the certificate until ca.crt is imported into its trust store, and because the certificate's CN is "learner" rather than the address being visited and it carries no subjectAltName, a hostname-mismatch warning remains even then.
In my case nginx had been built without http_ssl_module, so the reload failed with: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/ng.........
So nginx had to be rebuilt to add the missing module.
Rebuilding nginx to add a module
1. Locate the source tree nginx was built from (the directory where the tarball was unpacked); if it is gone, download the source for the same version and unpack it
    [root@localhost /]# cd software
    [root@localhost software]# ls
    nginx-1.10.2  nginx-1.10.2.tar.gz
2. Check the nginx version and its configure arguments
    /usr/local/nginx/sbin/nginx -V
Every configure argument printed here must be repeated when reconfiguring; anything left out is silently dropped from the new binary.
3. Enter the nginx source directory
    [root@localhost software]# cd nginx-1.10.2
4. Re-run configure with the original arguments plus the new module
    [root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
5. Run make (do NOT run make install, which would overwrite the existing installation). When it finishes, the new binary is at /software/nginx-1.10.2/objs/nginx.
6. Back up the old nginx binary
    [root@localhost ~]# cd /usr/local/nginx/sbin/
    [root@localhost sbin]# ls
    nginx
    [root@localhost sbin]# cp nginx nginx_back_by_zhang20161117
    [root@localhost sbin]# ls
    nginx  nginx_back_by_zhang20161117
7. Remove the old binary and copy the new one into /usr/local/nginx/sbin/
    [root@localhost sbin]# rm nginx
    rm: remove regular file "nginx"? y
    [root@localhost sbin]# cp /software/nginx-1.10.2/objs/nginx /usr/local/nginx/sbin/
The rm is needed because copying over an executable that is currently running fails with "Text file busy". Renaming a copy into place (mv) achieves the same without a moment in which sbin/nginx does not exist.
8. Test the new binary against the existing configuration
    [root@localhost sbin]# /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
9. Reload the service (optional)
    [root@localhost sbin]# /usr/local/nginx/sbin/nginx -s reload
A reload only makes the running master process re-read the configuration and start fresh workers; the master itself is still the old executable, so the new module is not in use until step 11.
10. Confirm the module is built into the new binary (optional)
    [root@localhost sbin]# /usr/local/nginx/sbin/nginx -V
    nginx version: nginx/1.10.2
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
    built with OpenSSL 1.0.1e-fips 11 Feb 2013
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
11. Restart
    [root@localhost sbin]# ./nginx -s quit
    [root@localhost sbin]# ./nginx
-s quit shuts the old master down gracefully (workers finish their in-flight requests first); starting nginx again runs the new binary. nginx can also replace the executable without downtime by sending USR2 to the master process (described in the nginx documentation as upgrading the executable on the fly), which avoids the gap between quit and start.
nginx has been rebuilt with the new module.
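The rebuild procedure above (steps 1 to 11) as one script, written here as an added example rather than taken from the original post. Its main difference from the post is that it reads the configure arguments from nginx -V and appends --with-http_ssl_module to them, so modules already compiled into the running binary are not lost; it also tests the new binary against the live configuration before swapping it in and replaces the file by rename instead of rm plus cp. It assumes a source tree for the same version, gcc and make, an nginx installed under PREFIX (default /usr/local/nginx) and the default pid file at PREFIX/logs/nginx.pid; the nginx -V output in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild nginx with http_ssl_module while
# keeping every configure flag the installed binary already has.

# configure_args_with_ssl TEXT: TEXT is the output of "nginx -V 2>&1" (nginx -V prints
# to stderr). Prints the "configure arguments:" line with --with-http_ssl_module
# appended when it is not already present.
configure_args_with_ssl() {
  args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
  case " $args " in
    *" --with-http_ssl_module "*) printf '%s\n' "$args" ;;
    *) printf '%s\n' "${args:+$args }--with-http_ssl_module" ;;
  esac
}

# rebuild_nginx_with_ssl SRC [PREFIX]: configure + make (never make install), test the
# new binary against the live config, back up the old binary, swap by rename, restart.
rebuild_nginx_with_ssl() {
  src=$1; prefix=${2:-/usr/local/nginx}; nginx="$prefix/sbin/nginx"
  args=$(configure_args_with_ssl "$("$nginx" -V 2>&1)") || return 1
  # eval re-splits the argument string while keeping quoted values such as
  # --with-cc-opt='-O2 -g' intact.
  ( cd "$src" && eval "./configure $args" && make ) || return 1
  # -t with the new binary catches a configuration the new build cannot load
  # before it goes live.
  "$src/objs/nginx" -t -c "$prefix/conf/nginx.conf" || return 1
  cp -p "$nginx" "$nginx.bak.$(date +%Y%m%d%H%M%S)" || return 1
  # cp onto a running executable fails with "Text file busy"; copying beside it and
  # renaming replaces the file atomically with no moment where sbin/nginx is missing.
  cp "$src/objs/nginx" "$nginx.new" && mv -f "$nginx.new" "$nginx" || return 1
  # "-s reload" keeps the old master (old code) running, so quit and start again;
  # wait for the pid file to go away before starting, or the new master cannot bind.
  "$nginx" -s quit || return 1
  while [ -f "$prefix/logs/nginx.pid" ]; do sleep 1; done
  "$nginx"
}

# Usage:
#   rebuild_nginx_with_ssl /software/nginx-1.10.2 /usr/local/nginx
# For a binary built with only --prefix, configure_args_with_ssl turns
# "configure arguments: --prefix=/usr/local/nginx" into
# "--prefix=/usr/local/nginx --with-http_ssl_module".
```

The quit-then-start at the end still drops connections for a moment; for a zero-downtime swap, send USR2 to the old master after the rename so it launches the new binary beside itself, then WINCH and QUIT to retire the old one, as described in the nginx documentation.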
For configuring HTTPS on Apache, see: http://ask.apelearn.com/question/1029