Raspberry Pi/Debian: configuring Apache2 with a self-built CA to provide an HTTPS (SSL) service


I. Introduction

The previous post, "樹莓派/Debian Apache2 實現 HTTPS(SSL) 服務" (Raspberry Pi/Debian Apache2: providing an HTTPS (SSL) service), described the two ways of providing an HTTPS (SSL) service with Apache2 and the difference between them. This post explains how to build your own CA with OpenSSL, use it to issue a CA-signed SSL certificate, and use that certificate to provide an HTTPS (SSL) service.

1. Install Apache2

sudo apt-get install apache2

2. Stop the Apache2 service

This step is mandatory.

  • Run the command as root:

    sudo /etc/init.d/apache2 stop
    
  • It should print:

    [ ok ] Stopping apache2 (via systemctl): apache2.service.
    
    

II. Building your own CA

1. Create the working directory

cd /etc/apache2/ && sudo mkdir -p ownSSL/CA && sudo mkdir ownSSL/Server && cd /etc/apache2/ownSSL/

  • The command finishes inside /etc/apache2/ownSSL/, because every openssl command below uses paths such as CA/... and Server/... relative to that directory. The subdirectories of this initial working environment and their contents are:

    /etc/apache2/ownSSL/CA : holds the CA private key, the CA certificate request and the CA root certificate
    
    /etc/apache2/ownSSL/Server : holds the server private key, the server certificate request and the server certificate
    
    

2. Generate the CA private key

sudo openssl genrsa -out CA/CA_private.key 2048

On success it prints:

Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...................................................+++++
e is 65537 (0x010001)

3. Generate the CA certificate request

sudo openssl req -new -key CA/CA_private.key -out CA/CA_request.csr

During this step you are prompted for the information to put in the root certificate; change it to suit yourself:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Yogile
Organizational Unit Name (eg, section) []:Yogile
Common Name (e.g. server FQDN or YOUR name) []:Yogile
Email Address []:example@mail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:opensslca
An optional company name []:Yogile

4. Generate the CA root certificate

sudo openssl x509 -req -days 3650 -in CA/CA_request.csr -extfile /etc/ssl/openssl.cnf -extensions v3_ca -signkey CA/CA_private.key -out CA/CA_root.crt

Two options here matter. openssl x509 only applies the section named by -extensions when it is read from the file given with -extfile, so without -extfile the v3_ca extensions (basicConstraints CA:TRUE) would silently be left out and clients may refuse to treat the result as a CA; Debian's /etc/ssl/openssl.cnf already defines a [ v3_ca ] section. And without -days the certificate would be valid for only 30 days.

On success it prints:

Signature ok
subject=C = CN, ST = BeiJing, L = BJ, O = Yogile, OU = Yogile, CN = Yogile, emailAddress = example@mail.com
Getting Private key

III. Building the server certificate

1. Generate the server private key

sudo openssl genrsa -out Server/Server_private.key 2048

On success it prints:

Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.......................+++++
e is 65537 (0x010001)

2. Generate the server certificate request

sudo openssl req -new -key Server/Server_private.key -out Server/Server_request.csr

During this step you are prompted for the information to put in the server certificate; change it to suit yourself:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BeiJing
Locality Name (eg, city) []:BJ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Yogile
Organizational Unit Name (eg, section) []:Yogile
Common Name (e.g. server FQDN or YOUR name) []:Yogile
Email Address []:example@mail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:example@mail.com
An optional company name []:Yogile

3. Generate the server certificate

  • Create the configuration file openssl.cnf

    sudo vim openssl.cnf
    
    
    Use the following as a reference:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    
    [req_distinguished_name]
    countryName = CN
    countryName_default = CN
    stateOrProvinceName = BJ
    stateOrProvinceName_default = BeiJing
    localityName = BJ
    localityName_default = BeiJing
    organizationalUnitName  = Yogile
    organizationalUnitName_default  = Domain Control Validated
    commonName = Internet Widgits Ltd
    commonName_max  = 64
    
    [ v3_req ]
    # Extensions to add to a certificate request
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    # Note the IP.1 setting: the IP address must be the address your server listens on; DNS.1 is the server's host name
    IP.1 = 192.168.0.129
    DNS.1 = www.example.com
    
    
    The address the server listens on must be written into the certificate; if the address used to reach the server differs from the address in the certificate, certificate validation fails. The openssl x509 command below reads only the [ v3_req ] and [alt_names] sections of this file (through -extfile); the [req] and [req_distinguished_name] sections are not used by it.

    • In my case I am using a virtual machine with no public IP and no DNS record, so I set both IP.1 and DNS.1 to the VM's IP address, which works.
  • Run the command to generate the server certificate

    sudo openssl x509 -days 365 -req -in Server/Server_request.csr -extensions v3_req -CAkey CA/CA_private.key -CA CA/CA_root.crt -CAcreateserial -out Server/Server_root.crt -extfile openssl.cnf
    
    
    On success it prints:

    Signature ok
    subject=C = CN, ST = BeiJing, L = BJ, O = Yogile, OU = Yogile, CN = Yogile, emailAddress = example@mail.com
    Getting CA Private Key
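Sections II and III run the openssl steps by hand, and it is easy to end up with a root that lacks the CA extension or a leaf whose SAN does not match the address clients use. The script below is an added example, not part of the original post: it performs the same CA and server-certificate steps non-interactively, with an extension file of its own (the section names v3_ca, v3_req and alt_names and the file names mirror the post; the keyUsage/extendedKeyUsage values, the 10-year CA lifetime and the function names are this example's choices), and then checks the result the way a client that has imported the root would, with openssl verify. The work directory is a parameter instead of /etc/apache2/ownSSL so it runs without root; it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the original post): build the CA and the server
# certificate from sections II and III non-interactively, then verify them.
# Assumes OpenSSL >= 1.1.1. The directory layout mirrors /etc/apache2/ownSSL,
# but the work directory is a parameter so this can run without root.
set -e

# write_extfile <workdir> <server-ip> <server-dns>
# Writes the extension file. Section names follow the post's openssl.cnf; the
# v3_ca section (absent from the post's file) is what marks the root as a CA.
# The [ req ] sections exist only so 'openssl req -subj' works without the
# system openssl.cnf.
write_extfile() {
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
IP.1 = $2
DNS.1 = $3
EOF
}

# build_pki <workdir> <server-ip> <server-dns>
# Produces CA/CA_private.key, CA/CA_root.crt, Server/Server_private.key and
# Server/Server_root.crt (the post's file names) under <workdir>.
build_pki() {
    work="$1"; ip="$2"; dns="$3"
    mkdir -p "$work/CA" "$work/Server"
    write_extfile "$work" "$ip" "$dns"

    # Root CA: the -extensions section is only applied when -extfile is given.
    openssl genrsa -out "$work/CA/CA_private.key" 2048 2>/dev/null
    openssl req -new -config "$work/openssl.cnf" -key "$work/CA/CA_private.key" \
        -subj "/C=CN/ST=BeiJing/L=BJ/O=Yogile/CN=Yogile Root CA" \
        -out "$work/CA/CA_request.csr"
    openssl x509 -req -days 3650 -in "$work/CA/CA_request.csr" \
        -signkey "$work/CA/CA_private.key" \
        -extfile "$work/openssl.cnf" -extensions v3_ca \
        -out "$work/CA/CA_root.crt" 2>/dev/null

    # Server certificate signed by the CA, carrying the SAN from [ alt_names ].
    openssl genrsa -out "$work/Server/Server_private.key" 2048 2>/dev/null
    openssl req -new -config "$work/openssl.cnf" -key "$work/Server/Server_private.key" \
        -subj "/C=CN/ST=BeiJing/L=BJ/O=Yogile/CN=$dns" \
        -out "$work/Server/Server_request.csr"
    openssl x509 -req -days 365 -in "$work/Server/Server_request.csr" \
        -CA "$work/CA/CA_root.crt" -CAkey "$work/CA/CA_private.key" -CAcreateserial \
        -extfile "$work/openssl.cnf" -extensions v3_req \
        -out "$work/Server/Server_root.crt" 2>/dev/null
}

# verify_pki <workdir>
# Succeeds only if the server certificate chains to CA_root.crt (the check a
# client that has imported the root performs) and the root carries CA:TRUE.
verify_pki() {
    work="$1"
    openssl verify -CAfile "$work/CA/CA_root.crt" "$work/Server/Server_root.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$work/CA/CA_root.crt" -noout -text | grep -q 'CA:TRUE'
}

# Stand-alone usage: ./mkpki.sh /tmp/ownSSL 192.168.0.129 www.example.com
if [ $# -eq 3 ]; then
    build_pki "$1" "$2" "$3"
    verify_pki "$1" && echo "Server_root.crt verifies against CA_root.crt"
fi
```

Running it with the post's address and host name yields the same CA/ and Server/ layout as the tree listing in section IV (including CA_root.srl from -CAcreateserial), and the final openssl verify is the check to repeat whenever either certificate is regenerated.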
    

IV. Check the directory layout

Use the tree command to confirm that the environment is in order and the configuration is correct:

yogile@debyogile:/etc/apache2/ownSSL$ tree
.
├── CA
│   ├── CA_private.key
│   ├── CA_request.csr
│   ├── CA_root.crt
│   └── CA_root.srl
├── openssl.cnf
└── Server
    ├── Server_private.key
    ├── Server_request.csr
    └── Server_root.crt

2 directories, 8 files

V. Loading the SSL certificate in Apache2

  • Note: you must follow the steps below one by one, otherwise it is very easy to make mistakes!

1. Stop the Apache2 service

This step is mandatory.

  • Run the command as root:

    sudo /etc/init.d/apache2 stop
    
    
  • It should print:

    [ ok ] Stopping apache2 (via systemctl): apache2.service.
    
    

2. Enable the SSL module

  • Enable the SSL module as root:

    sudo a2enmod ssl
    
    

    If it succeeds it prints:

    Considering dependency setenvif for ssl:
    Module setenvif already enabled
    Considering dependency mime for ssl:
    Module mime already enabled
    Considering dependency socache_shmcb for ssl:
    Enabling module socache_shmcb.
    Enabling module ssl.
    See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    
    
  • At the end it reminds you to run a restart command:

    sudo /etc/init.d/apache2 restart
    
    

    Run this command as root, otherwise it fails with an error.

    Note: this restarts Apache2.

3. Stop the Apache2 service

This step is mandatory; it has the same effect as the two previous "Stop the Apache2 service" steps.

  • Run the command as root:

    sudo /etc/init.d/apache2 stop
    
    
  • It should print:

    [ ok ] Stopping apache2 (via systemctl): apache2.service.
    
    

4. Load the SSL configuration file default-ssl.conf

  • Run the command as root:

    sudo a2ensite default-ssl
    
    

    Expected output:

    yogile@debyogile:/etc/apache2# sudo a2ensite default-ssl
    Enabling site default-ssl.
    To activate the new configuration, you need to run:
      systemctl reload apache2
    
    

    It tells you to run systemctl reload apache2; ignore that for now and go on to the next step, starting the Apache2 service.

  • Now start the Apache2 service

    sudo /etc/init.d/apache2 start
    
    

    On a successful start it prints:

    [ ok ] Starting apache2 (via systemctl): apache2.service.
    
    
  • Once the Apache2 service has started, load the SSL configuration file default-ssl.conf

    sudo systemctl reload apache2
    
    

    On success there is no output.

VI. Apache2 SSL certificate configuration

Loading is done; now modify its configuration.

1. Add the listening port

  • Edit the listening-port configuration file

    sudo vim /etc/apache2/ports.conf
    
    

    It normally shows:

    # If you just change the port or add more ports here, you will likely also
    # have to change the VirtualHost statement in
    # /etc/apache2/sites-enabled/000-default.conf
    
    Listen 80
    
    <IfModule ssl_module>
            Listen 443
    </IfModule>
    
    <IfModule mod_gnutls.c>
            Listen 443
    </IfModule>
    
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    
    
  • Listening port 443

    Port 443 is opened by the Listen 443 inside <IfModule ssl_module> (line 8 of the example), which takes effect as soon as mod_ssl is enabled (step 2 of the previous section), so the file needs no change as long as that block is present. Changing line 5 to "Listen 80 443" does not add a port: in Apache's Listen syntax the optional second argument is a protocol name, not a second port, so that line still opens only port 80. Adding a second bare Listen 443 outside the <IfModule> block is not an option either, because two Listen directives for the same address and port fail with an "Address already in use" error.

  • :wq to save and quit

2. Edit the SSL configuration file default-ssl.conf

  • Edit the SSL configuration file default-ssl.conf

    sudo vim /etc/apache2/sites-enabled/default-ssl.conf
    
    

    With the comments left out it shows:

    <IfModule mod_ssl.c>
            <VirtualHost _default_:443>
                    ServerAdmin webmaster@localhost
    
                    DocumentRoot /var/www/html
                    
                    SSLEngine on
                    
                    SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
                    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
                    
                    <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                    SSLOptions +StdEnvVars
                    </FilesMatch>
                    <Directory /usr/lib/cgi-bin>
                                    SSLOptions +StdEnvVars
                    </Directory>
            </VirtualHost>
    </IfModule>
    
    
  • Add ServerName <host name>, for example:

    ServerAdmin webmaster@localhost
    ServerName yogile.icu
    DocumentRoot /var/www/html
    
    

    The host name entered here should be the name clients will use, i.e. one that appears in the certificate's subjectAltName (browsers check the host part of the URL against it). In this example it is DNS.0 from the file exampleserver.cnf used when following the OpenSSL documentation; with the openssl.cnf from section III it would be the DNS.1 entry (www.example.com).

    [ alt_names ]
    DNS.0                   = yogile.icu
    DNS.1                   = www.yogile.icu
    
    
  • Change the location of the SSL certificate being loaded, for example:

    SSLCertificateFile /etc/apache2/ownSSL/Server/Server_root.crt
    SSLCertificateKeyFile /etc/apache2/ownSSL/Server/Server_private.key
    
    
  • :wq to save and quit
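Before restarting Apache with the new SSLCertificateFile/SSLCertificateKeyFile pair, two mismatches are worth catching: a key file that does not belong to the certificate (Apache refuses to start) and a ServerName or URL host that the certificate's subjectAltName does not cover (browsers reject it even after the CA is trusted). The functions below are an added example, not from the original post; they use only openssl and take the certificate and key paths as arguments. The function names are this example's own; the /etc/apache2/ownSSL/Server paths in the usage comments are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): pre-restart checks for the
# certificate/key pair configured in default-ssl.conf. Needs only openssl.

# cert_key_match <cert.pem> <key.pem>
# True if the certificate's public key equals the public key derived from the
# private key (otherwise Apache fails to start with a "key values mismatch").
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) &&
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) &&
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_covers_name <cert.pem> <hostname>
# True if <hostname> matches the certificate's subjectAltName DNS entries,
# the same check a browser performs on the host part of the URL.
cert_covers_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# cert_covers_ip <cert.pem> <ip>
# Same check for an IP address in the URL (needs an IP.n entry in alt_names).
cert_covers_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null | grep -q 'does match'
}

# show_served_cert <host> <port> <servername>
# After the restart: print subject, issuer and SAN of the certificate Apache
# actually serves, so a stale SSLCertificateFile is spotted without a browser.
show_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -ext subjectAltName
}

# Stand-alone usage with the post's paths (reading the key needs root):
#   cert_key_match /etc/apache2/ownSSL/Server/Server_root.crt /etc/apache2/ownSSL/Server/Server_private.key && echo "key matches"
#   cert_covers_name /etc/apache2/ownSSL/Server/Server_root.crt www.example.com && echo "name covered"
#   cert_covers_ip /etc/apache2/ownSSL/Server/Server_root.crt 192.168.0.129 && echo "ip covered"
#   show_served_cert 192.168.0.129 443 www.example.com
```

The public-key comparison is stricter than comparing RSA moduli and works for any key type; the -checkhost/-checkip checks apply the same matching rules browsers use, so a name that passes here will not trigger a host-mismatch error once CA_root.crt is trusted.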

3. Restart the Apache2 service

  • Enter the command to restart the Apache2 service

    sudo /etc/init.d/apache2 restart
    
    

    On success it prints:

    [ ok ] Restarting apache2 (via systemctl): apache2.service.
    
    
  • Configuration complete.

VII. Testing in a browser

1. In the browser, enter https:// followed by the domain name, public IP or private IP

2. Click "Advanced" -> "Proceed to ... (unsafe)". The warning appears because the browser does not trust the self-built CA; importing CA/CA_root.crt into the browser's or system's trust store makes the site load without it.

3. The HTTPS (SSL) configuration is working

VIII. Port redirection

HTTPS is now served, but the HTTP service on port 80 is still reachable.
See the next post, "樹莓派/Debian HTTP 到 HTTPS 端口重定向" (Raspberry Pi/Debian: redirecting HTTP to HTTPS), for redirecting port 80 to port 443.

