Self signed certificate only works with localhost, not 127.0.0.1

Problem description

I'm trying to generate a self-signed certificate such that my local development environment uses HTTPS, but I'm having some trouble. The reason for this is that I want to test push notifications on my phone through my local network (through my local IP 192.168.1.155) and notifications only work via a secure context.

It only seems to work when I go to localhost:8080, and is still insecure when navigating to 127.0.0.1:8080. When I navigate to 127.0.0.1:8080 Chrome's Security Page says: This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).

Here's my setup I use to generate the certificate:

req.cnf:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = 127.0.0.1
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = 192.168.1.155

openssl req -newkey rsa:2048 -x509 -nodes -keyout key.pem -new -out cert.pem -config req.cnf -sha256 -days 3650

I'd imagine perhaps my CN or alt_names is incorrect, but I'm not sure what to change them to such that the site will always work securely (either via localhost, 127.0.0.1, or 192.168.1.155)

Recommended answer

In an unforeseen case of rubber duck debugging, I seem to have finally solved this issue momentarily after posting it. Here's what I did:

req.cnf:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = US
ST = VA
L = SomeCity
O = MyCompany
OU = MyDivision
CN = localhost
[v3_req]
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost,IP:192.168.1.155,IP:127.0.0.1

Command prompt:

openssl req -newkey rsa:2048 -x509 -nodes -keyout key.pem -new -out cert.pem -config req.cnf -sha256 -days 3650

Then navigate to the page in Chrome, save the certificate (as it will still be invalid) as a DER file and then using mmc.exe, import it into the Trusted Root Certification Authorities on your machine (this is assuming you're using Windows)
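
Why the second configuration works, as an added example that is not part of the original answer: a client compares an IP literal in the URL only against IP-type subjectAltName entries, never against DNS-type entries. The Python sketch below models that rule over the two subjectAltName settings from this page; the function names are hypothetical and wildcard matching is left out.

```python
import ipaddress

# SAN settings from the page, in OpenSSL's inline "TYPE:value" form.
# The question's [alt_names] section (DNS.1, DNS.2, DNS.3) is equivalent to:
QUESTION_SAN = "DNS:localhost,DNS:127.0.0.1,DNS:192.168.1.155"
ANSWER_SAN = "DNS:localhost,IP:192.168.1.155,IP:127.0.0.1"


def parse_san(value):
    """Split an OpenSSL subjectAltName string into (type, value) pairs."""
    entries = []
    for item in value.split(","):
        kind, _, name = item.strip().partition(":")
        entries.append((kind.strip().upper(), name.strip()))
    return entries


def as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def host_matches(host, san_value):
    """Model of the client-side check (hypothetical helper, no wildcards).

    An IP literal is compared only with IP entries; any other host is
    compared case-insensitively with DNS entries. The types never cross.
    """
    entries = parse_san(san_value)
    ip = as_ip(host)
    if ip is not None:
        return any(kind == "IP" and as_ip(name) == ip for kind, name in entries)
    return any(kind == "DNS" and name.lower() == host.lower()
               for kind, name in entries)


def coverage(san_value, hosts=("localhost", "127.0.0.1", "192.168.1.155")):
    """Report which of the page's three hosts a SAN setting covers."""
    return {host: host_matches(host, san_value) for host in hosts}


if __name__ == "__main__":
    for label, san in (("question", QUESTION_SAN), ("answer", ANSWER_SAN)):
        print(label, coverage(san))
```

With the question's setting only localhost is covered, because 127.0.0.1 and 192.168.1.155 were declared as DNS names; with the answer's setting all three hosts match.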
