前提:
1、主机需要先安装openssl
2、编译安装nginx时,要加上--with-http_ssl_module 这个ssl模块
现在开始配置:(我当时配置时,主机已安装了openssl,但编译时没有加载http_ssl_module模块,所以后面会报错,这里详解说明下)
1、生成自签字证书
[root@localhost /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
Generating a bit RSA private key
.............................+++
.......................................................................................................................+++
writing new private key to '/root/ca.key'
Enter PEM pass phrase: #输入密钥保护密码
Verifying - Enter PEM pass phrase: #确认密钥保护密码
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:xian
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:learn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:learner
Email Address []:ying@126.com
回车结束
2、修改配置文件openssl.cnf (注意:修改前,先备份下)
[root@localhost /]# vi /etc/pki/tls/openssl.cnf ####################################################################
[ ca ]
default_ca = CA_default # The default ca section ####################################################################
[ CA_default ] dir = /etc/pki/CA # Where everything is kept #证书的根目录,要记住这个目录
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/ca.crt # The CA certificate # 修改这里,表示签名时使用的证书
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
3、复制证书到证书根目录/etc/pki/CA下,并在该目录下创建空文件index.txt和serial,并向serial输入”01“
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# cp /root/ca.crt .
[root@localhost CA]# ls
ca.crt certs crl newcerts private
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo "" >serial
4、生成服务器RSA私钥/root/server.key
[root@localhost ~]# openssl genrsa -des3 -out /root/server.key 1024
Generating RSA private key, bit long modulus
.............++++++
.++++++
e is (0x10001)
Enter pass phrase for /root/server.key: #设置此密钥的保护密码
Verifying - Enter pass phrase for /root/server.key: #确认设置此密钥的保护密码
5、为私钥去除口令---公钥
[root@localhost ~]# openssl rsa -in /root/server.key -out /root/server_nopwd.key
Enter pass phrase for /root/server.key: #输入第4步生成的密钥的保护密码
writing RSA key
6、生成证书请求文件/root/server.csr
[root@localhost ~]# openssl req -new -key /root/server.key -out /root/server.csr
Enter pass phrase for /root/server.key: #输入第4步生成的密钥的保护密码
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--------下面这部分应该和创建私有证书时填的一样------------------------
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:xian
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:learn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:learner
Email Address []:ying@.com
----------------------------------------------------------------
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:learn
7、用私有证书给证书请求文件/root/server.csr签名
[root@localhost ~]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /root/ca.key: #输入第1步生成的密钥的保护密码
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x1)
Validity
Not Before: Nov :: GMT
Not After : Nov :: GMT
Subject:
countryName = CN
stateOrProvinceName = xian
organizationName = learn
organizationalUnitName = it
commonName = learner
emailAddress = ying@.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8A:::B0::::AF::AD::C3::1F::A5:C5:::E2
X509v3 Authority Key Identifier:
keyid:::7A::::D2::F8:A0::C8:FE:A8::9A:1E:BC:D3: Certificate is to be certified until Nov :: GMT ( days)
Sign the certificate? [y/n]:y out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated
8、编辑nginx配置文件/usr/local/nginx/conf/nginx.conf
server {
listen ssl;
server_name x.x.x.x:;
ssl on;
ssl_certificate /root/server.crt;
ssl_certificate_key /root/server_nopwd.key;
location / {
root /var/www/html;
index index.html index.htm;
}
}
9. 重启服务
[root@localhost sbin]# ./nginx -s reload
~~~~完成,在客户端上输入https://x.x.x.x:8001/即可访问成功。
当时由于安装nginx时,未编译http_ssl_module模块,导致nginx重启失败------提示:nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/ng.........
所以需要重新编译nginx来添加需要的模块。
Nginx重新编译添加模块
1. 找到安装nginx的源码根目录(即安装包存放目录),如果没有的话下载新的源码并解压
[root@localhost /]# cd software
[root@localhost software]# ls
nginx-1.10. nginx-1.10..tar.gz
2. 查看nginx版本极其编译参数
/usr/local/nginx/sbin/nginx -V
3. 进入nginx源码目录
[root@localhost software]# cd nginx-1.10.
4.重新编译的代码和模块
[root@localhost nginx-1.10.]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
5. make下 (注意:千万别make install,否则就覆盖安装了),make完之后在/software/nginx-1.10.2/objs目录下就多了个nginx,这个就是新版本的程序了
6. 备份旧的nginx程序
[root@localhost ~]# cd /usr/local/nginx/sbin/
[root@localhost sbin]# ls
nginx
[root@localhost sbin]# cp nginx nginx_back_by_zhang20161117
[root@localhost sbin]# ls
nginx nginx_back_by_zhang20161117
7. 删除旧的nginx程序,并把新的nginx程序复制到/usr/local/nginx/sbin/下
[root@localhost sbin]# rm nginx
rm:是否删除普通文件 "nginx"?y
3 [root@localhost sbin]# cp /software/nginx-1.10./objs/nginx /usr/local/nginx/sbin/
8. 测试新的nginx程序是否正确
[root@localhost sbin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
9. 平滑启动服务 (非必须)
[root@localhost sbin]# /usr/local/nginx/sbin/nginx -s reload
10. 查看模块是否已安装 (非必须)
[root@localhost sbin]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.
built by gcc 4.8. (Red Hat 4.8.-) (GCC)
built with OpenSSL 1.0.1e-fips Feb
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
11. 重启
[root@localhost sbin]# ./nginx -s quit
[root@localhost sbin]# ./nginx
nginx重新加载模块完成!
apache配置https 参考: http://ask.apelearn.com/question/1029