Nginx: configuring an HTTPS site with a certificate

    Prerequisites:

        1. openssl must already be installed on the host.

        2. When nginx is compiled and installed, the --with-http_ssl_module option (the SSL module) must be included.

    Now the configuration itself. (When I set this up, the host already had openssl installed but nginx had been built without the http_ssl_module, so an error comes up later; that is explained in detail below.)

    1. Generate a self-signed certificate

    [root@localhost /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
    Generating a 2048 bit RSA private key
    .............................+++
    .......................................................................................................................+++
    writing new private key to '/root/ca.key'
    Enter PEM pass phrase:           # enter a passphrase to protect the key
    Verifying - Enter PEM pass phrase:       # confirm the passphrase
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:xian
    Locality Name (eg, city) [Default City]:xian
    Organization Name (eg, company) [Default Company Ltd]:learn
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:learner
    Email Address []:ying@126.com

    Press Enter to finish.

    2. Edit the configuration file openssl.cnf (note: back it up before editing)

    [root@localhost /]# vi /etc/pki/tls/openssl.cnf

    ####################################################################
    [ ca ]
    default_ca      = CA_default            # The default ca section

    ####################################################################
    [ CA_default ]

    dir             = /etc/pki/CA           # Where everything is kept  # root directory for certificates; remember this path
    certs           = $dir/certs            # Where the issued certs are kept
    crl_dir         = $dir/crl              # Where the issued crl are kept
    database        = $dir/index.txt        # database index file.
    #unique_subject = no                    # Set to 'no' to allow creation of
                                            # several ctificates with same subject.
    new_certs_dir   = $dir/newcerts         # default place for new certs.

    certificate     = $dir/ca.crt           # The CA certificate  # change this: the certificate used when signing
    serial          = $dir/serial           # The current serial number
    crlnumber       = $dir/crlnumber        # the current crl number
                                            # must be commented out to leave a V1 CRL
    crl             = $dir/crl.pem          # The current CRL
    private_key     = $dir/private/cakey.pem# The private key
    RANDFILE        = $dir/private/.rand    # private random number file

    3. Copy the certificate into the CA root directory /etc/pki/CA, create the empty files index.txt and serial there, and write "01" into serial

    [root@localhost ~]# cd /etc/pki/CA/
    [root@localhost CA]# cp /root/ca.crt .
    [root@localhost CA]# ls
    ca.crt  certs  crl  newcerts  private
    [root@localhost CA]# touch index.txt
    [root@localhost CA]# touch serial
    [root@localhost CA]# echo "01" >serial

    4. Generate the server RSA private key /root/server.key

    [root@localhost ~]# openssl genrsa -des3 -out /root/server.key 1024
    Generating RSA private key, 1024 bit long modulus
    .............++++++
    .++++++
    e is 65537 (0x10001)
    Enter pass phrase for /root/server.key: # set a passphrase to protect this key
    Verifying - Enter pass phrase for /root/server.key: # confirm the passphrase

    5. Remove the passphrase from the private key (the output file is still the private key, just stored unencrypted)

    [root@localhost ~]# openssl rsa -in /root/server.key -out /root/server_nopwd.key
    Enter pass phrase for /root/server.key: # enter the passphrase of the key generated in step 4
    writing RSA key

    6. Generate the certificate signing request /root/server.csr

    [root@localhost ~]# openssl req -new -key /root/server.key -out /root/server.csr
    Enter pass phrase for /root/server.key:  # enter the passphrase of the key generated in step 4
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    --------The fields below should match what was entered when the private CA certificate was created--------
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:xian
    Locality Name (eg, city) [Default City]:xian
    Organization Name (eg, company) [Default Company Ltd]:learn
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:learner
    Email Address []:ying@126.com
    ----------------------------------------------------------------
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:111111
    An optional company name []:learn

    7. Sign the certificate request /root/server.csr with the private CA certificate

    [root@localhost ~]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
    Using configuration from /etc/pki/tls/openssl.cnf
    Enter pass phrase for /root/ca.key: # enter the passphrase of the key generated in step 1
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Nov 17 07:47:05 2016 GMT
                Not After : Nov 17 07:47:05 2017 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = xian
                organizationName          = learn
                organizationalUnitName    = it
                commonName                = learner
                emailAddress              = ying@126.com
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    8A:70:77:B0:32:42:49:AF:85:AD:79:C3:36:1F:43:A5:C5:01:15:E2
                X509v3 Authority Key Identifier:
                    keyid:83:10:7A:45:18:47:D2:27:F8:A0:81:C8:FE:A8:53:9A:1E:BC:D3:77

    Certificate is to be certified until Nov 17 07:47:05 2017 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
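    Steps 1 to 7 above, run without prompts, as an added example that is not part of the original post. It writes its own minimal openssl.cnf into a temporary directory (so nothing under /etc/pki is touched), uses -subj, -passout/-passin and -batch in place of the interactive answers, and generates a 2048-bit AES-256-encrypted server key instead of the 1024-bit des3 key shown above. The passphrases, file names, the CA_DIR and SERVER_NAME environment variables, the function names and the DNS:learner subjectAltName are assumptions of this script. It ends with the two checks worth running before pointing nginx at the files: the issued certificate verifies against ca.crt, and its public key matches server_nopwd.key.

```shell
#!/bin/sh
# Added example: steps 1-7 of the post without prompts. Paths, passphrases
# and the CA_DIR / SERVER_NAME variables are assumptions of this script.
set -eu

SUBJ="/C=CN/ST=xian/L=xian/O=learn/OU=it/CN=learner/emailAddress=ying@126.com"
CA_PASS="ca-pass-change-me"    # constructed sample passphrase for ca.key
KEY_PASS="key-pass-change-me"  # constructed sample passphrase for server.key

# Minimal openssl.cnf covering what `openssl req` and `openssl ca` read.
# Quoted heredoc: $dir and $ENV:: are expanded by openssl, not by the shell.
write_config() {
    cat > "$1" <<'EOF'
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $ENV::CA_DIR
database        = $dir/index.txt       # empty on the first run
new_certs_dir   = $dir/newcerts
serial          = $dir/serial          # "01" on the first run
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = usr_cert
# "match" fields must equal the CA subject: that is why the CSR has to
# repeat the values entered when the CA certificate was created.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ usr_cert ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid
keyUsage                = digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth
subjectAltName          = DNS:$ENV::SERVER_NAME   # browsers check SAN, not CN
[ req ]
distinguished_name      = req_dn
x509_extensions         = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints        = critical, CA:TRUE
subjectKeyIdentifier    = hash
keyUsage                = critical, keyCertSign, cRLSign
EOF
}

# build_pki DIR: creates ca.key/ca.crt, server.key, server_nopwd.key,
# server.csr and server.crt under DIR, with the CA database in DIR/ca.
build_pki() {
    d=$1; cnf="$d/openssl.cnf"
    export CA_DIR="$d/ca" SERVER_NAME="learner"
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    write_config "$cnf"
    # step 1: self-signed CA certificate, key encrypted with CA_PASS
    openssl req -new -x509 -newkey rsa:2048 -sha256 -days 3650 -config "$cnf" \
        -subj "$SUBJ" -passout "pass:$CA_PASS" -keyout "$d/ca.key" -out "$d/ca.crt"
    # step 4: server key (2048-bit, AES-256 instead of 1024-bit des3)
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$d/server.key" 2048
    # step 5: passphrase-free copy for nginx; it is still the private key
    openssl rsa -in "$d/server.key" -passin "pass:$KEY_PASS" -out "$d/server_nopwd.key"
    chmod 600 "$d/ca.key" "$d/server.key" "$d/server_nopwd.key"
    # step 6: CSR with the same DN as the CA, so policy_match passes
    openssl req -new -config "$cnf" -key "$d/server.key" -passin "pass:$KEY_PASS" \
        -subj "$SUBJ" -out "$d/server.csr"
    # step 7: sign; -batch answers the "Sign the certificate?" / "commit?" prompts
    openssl ca -batch -config "$cnf" -cert "$d/ca.crt" -keyfile "$d/ca.key" \
        -passin "pass:$CA_PASS" -in "$d/server.csr" -out "$d/server.crt" >/dev/null
}

# verify_pki DIR NAME: chain check, key/cert match, SAN present. Returns 0 if all hold.
verify_pki() {
    d=$1; name=$2
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" >/dev/null || return 1
    [ "$(openssl x509 -noout -modulus -in "$d/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$d/server_nopwd.key")" ] || return 1
    openssl x509 -noout -text -in "$d/server.crt" | grep -q "DNS:$name"
}

WORK=$(mktemp -d)
build_pki "$WORK"
verify_pki "$WORK" learner
echo "OK: $WORK/server.crt chains to ca.crt and matches server_nopwd.key"
```

    After a run, $WORK/ca/index.txt holds the one issued entry and $WORK/ca/serial has advanced to 02, exactly as the "Data Base Updated" step above does under /etc/pki/CA. The unencrypted server_nopwd.key is what nginx loads, so it is chmod 600 here; the encrypted server.key and ca.key are kept for re-issuing.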

    8. Edit the nginx configuration file /usr/local/nginx/conf/nginx.conf

    server {
             listen       8001 ssl;           # the "ssl" parameter on listen enables TLS on this port
             server_name  x.x.x.x:8001;       # the port is taken from listen; server_name only needs the host or IP

             ssl    on;                       # redundant with "listen ... ssl"; deprecated since nginx 1.15.0
             ssl_certificate /root/server.crt;
             ssl_certificate_key /root/server_nopwd.key;   # unencrypted private key: keep it readable by root only

             location / {
                 root   /var/www/html;
                 index  index.html index.htm;
             }
        }

    9. Restart the service

    [root@localhost sbin]# ./nginx -s reload

    Done. Entering https://x.x.x.x:8001/ on a client now reaches the site.

    Because nginx had been installed without the http_ssl_module compiled in, the nginx restart failed with the message: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/ng.........

    So nginx has to be recompiled to add the required module.

    Recompiling Nginx to add a module

    1. Find the root directory of the nginx source used for the installation (i.e. where the package was unpacked); if it is no longer there, download the source again and unpack it

    [root@localhost /]# cd software
    [root@localhost software]# ls
    nginx-1.10.2  nginx-1.10.2.tar.gz

    2. Check the nginx version and its configure arguments

    /usr/local/nginx/sbin/nginx -V

    3. Enter the nginx source directory

    [root@localhost software]# cd nginx-1.10.2

    4. Re-run configure with the required options and modules

    [root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

    5. Run make (note: do NOT run make install, or it will overwrite the existing installation). When make finishes, a new nginx binary appears in /software/nginx-1.10.2/objs; this is the newly built program

    6. Back up the old nginx binary

    [root@localhost ~]# cd /usr/local/nginx/sbin/
    [root@localhost sbin]# ls
    nginx
    [root@localhost sbin]# cp nginx nginx_back_by_zhang20161117
    [root@localhost sbin]# ls
    nginx  nginx_back_by_zhang20161117

    7. Delete the old nginx binary and copy the new one into /usr/local/nginx/sbin/

    [root@localhost sbin]# rm nginx
    rm:是否删除普通文件 "nginx"?y
    [root@localhost sbin]# cp /software/nginx-1.10.2/objs/nginx /usr/local/nginx/sbin/

    8. Test that the new nginx binary works

    [root@localhost sbin]# /usr/local/nginx/sbin/nginx -t
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

    9. Reload the service gracefully (optional)

    [root@localhost sbin]# /usr/local/nginx/sbin/nginx -s reload

    10. Check that the module is now built in (optional)

    [root@localhost sbin]# /usr/local/nginx/sbin/nginx -V
    nginx version: nginx/1.10.2
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
    built with OpenSSL 1.0.1e-fips 11 Feb 2013
    TLS SNI support enabled
    configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

    11. Restart

    [root@localhost sbin]# ./nginx -s quit
    [root@localhost sbin]# ./nginx

    nginx has been rebuilt with the new module!
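    Added example, not from the original post: a small POSIX-shell helper for steps 2 and 4 of the rebuild. It takes the report that nginx -V prints and builds the configure line with --with-http_ssl_module added to the arguments the installed binary was built with, so a rebuild does not silently drop modules the running server already relies on. The two reports it runs on are constructed here (the first is the output shown in step 10; the second is an invented build with --with-http_stub_status_module and no SSL), and the function names are assumptions. In real use pass "$(/usr/local/nginx/sbin/nginx -V 2>&1)", since nginx writes that report to stderr.

```shell
#!/bin/sh
# Added example (not the post's own commands): derive the ./configure line
# for a rebuild from the `nginx -V` report of the installed binary.
set -eu

# Print the "configure arguments:" line of an `nginx -V` report, appending
# --with-http_ssl_module unless it is already present.
nginx_ssl_configure_args() {
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p')
    case " $args " in
        *" --with-http_ssl_module "*) ;;                    # already built in
        *) args="${args:+$args }--with-http_ssl_module" ;;  # append, keep the rest
    esac
    printf '%s\n' "$args"
}

# Return 0 if the report shows SSL support compiled in, 1 otherwise.
nginx_has_ssl() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Constructed sample 1: the report shown in step 10, after the rebuild.
REPORT_WITH_SSL='nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module'

# Constructed sample 2: a build with stub_status but no SSL. Re-running
# configure with only --prefix and --with-http_ssl_module (step 4 as written)
# would produce a binary without stub_status.
REPORT_NO_SSL='nginx version: nginx/1.10.2
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module'

for report in "$REPORT_WITH_SSL" "$REPORT_NO_SSL"; do
    if nginx_has_ssl "$report"; then
        echo "SSL already compiled in; no rebuild needed"
    else
        echo "./configure $(nginx_ssl_configure_args "$report") && make   # then copy objs/nginx, not make install"
    fi
done
```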

    For configuring HTTPS on Apache, see: http://ask.apelearn.com/question/1029

    Original article: https://www.cnblogs.com/eaglezb/p/6074811.html