SSL certificate doesn't work for localhost on Ubuntu 16.04
Question
I'm trying to add a certificate for my vps on localhost, so I can access my node server running on port 1337 from my vps using https://localhost:1337.
Currently it gives me a "Your connection is not secure" when accessed by Firefox on my vps. However, accessing https://my-website.example:1337 works fine.
Steps I did so far:
cd /usr/local/share/ca-certificates
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
- Country Name: empty
- State or Province name: empty
- Locality name: empty
- Organization name: empty
- Organizational unit name: empty
- Common Name: localhost
- Email address: empty
Answer
The certificate must also be added to the browser's trusted store; the step you made is just for tools like CURL, WGET, etc.
In my docker containers for local development I use a set of bash scripts to set up a Root Certificate Authority that I then use to issue all domain certificates I need for development.
The browser only needs to know about the Root Certificate Authority, and your server will need to know about all domain certificates you issue.
Please try the below set of scripts in this order:
./setup-root-certificate.sh "root-ca.key" "root-ca.pem" "RootCertificateAuthority" && \
./create-domain-certificate.sh "localhost" "root-ca.key" "root-ca.pem" && \
./add-certificate-to-browser.sh "root-ca.pem" "RootCertificateAuthority"
Now just add the Domain certificate into your Apache, Nginx or any other server you are using and restart your browser and server.
This solution cannot
ALERT: These scripts have been used inside Docker containers and I have not tested them on the host machine directly, but they should work in the same way.
To set up the root certificate: ./setup-root-certificate.sh
#!/bin/bash
set -eu
###
# inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
###
ROOT_CA_KEY="${1?Missing Name for root certificate KEY file}"
ROOT_CA_PEM="${2?Missing Name for root certificate PEM file}"
ROOT_CA_NAME="${3?Missing Certificate Name}"
CONFIG_FILE="${4:-openssl.cnf}"
# only generate the root CA once; the test must use the variable, not the literal name
if [ ! -f "${ROOT_CA_PEM}" ]
then
    printf "\n>>> CREATING A ROOT CERTIFICATE <<<\n"
    # self-signed CA certificate (v3_ca extensions come from the config file), valid 10 years
    openssl req \
        -new \
        -newkey rsa:4096 \
        -days 3650 \
        -nodes \
        -x509 \
        -extensions v3_ca \
        -subj "/C=US/ST=CA/L=SF/O=${ROOT_CA_NAME}/CN=${ROOT_CA_NAME}" \
        -keyout "${ROOT_CA_KEY}" \
        -out "${ROOT_CA_PEM}" \
        -config "${CONFIG_FILE}"
    printf "\n>>> ADDING ROOT CERTIFICATE TO THE TRUSTED STORE <<<\n"
    # add certificate to the system trust store (used by curl, wget, etc., not by browsers)
    cp "${ROOT_CA_PEM}" /usr/local/share/ca-certificates/self-signed-root-ca.crt
    update-ca-certificates
    # dump the certificate in readable form for inspection
    openssl x509 -in "${ROOT_CA_PEM}" -text -noout > "${ROOT_CA_NAME}.txt"
    printf "\n >>> ROOT CERTIFICATE CREATED SUCCESSFULLY <<<\n"
else
    printf "\n >>> ROOT CERTIFICATE ALREADY EXISTS <<<\n"
fi
To create a domain certificate: ./create-domain-certificate.sh
#!/bin/bash
set -eu
###
# inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
###
DOMAIN="${1:-example.com}"
ROOT_CA_KEY="${2?Missing Name for root certificate KEY file}"
ROOT_CA_PEM="${3?Missing Name for root certificate PEM file}"
DOMAIN_CA_KEY="${DOMAIN}.key"
DOMAIN_CA_CSR="${DOMAIN}.csr"
DOMAIN_CA_CRT="${DOMAIN}.crt"
# domain-specific extension snippet that is appended to openssl.cnf (assumed to carry the
# [v3_req] entries for this domain, e.g. its subjectAltName); it must exist before running
DOMAIN_CA_TXT="${DOMAIN}.txt"
CONFIG_FILE="${DOMAIN}.cnf"
printf "\n>>> MERGING CONFIGURATION FROM ${DOMAIN_CA_TXT} INTO ${CONFIG_FILE} <<<\n"
cat openssl.cnf "${DOMAIN_CA_TXT}" > "${CONFIG_FILE}"
printf "\n>>> GENERATING KEY FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_KEY} <<<\n"
# generate the private/public RSA key pair for the domain
openssl genrsa -out "${DOMAIN_CA_KEY}" 4096
printf "\n>>> GENERATING CSR FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CSR} <<<\n"
# create the server certificate signing request:
openssl req \
    -subj "/CN=${DOMAIN}" \
    -extensions v3_req \
    -sha256 \
    -new \
    -key "${DOMAIN_CA_KEY}" \
    -out "${DOMAIN_CA_CSR}"
printf "\n>>> GENERATING CRT FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CRT} <<<\n"
# generate the server certificate using the: server signing request, the CA signing key, and CA cert.
openssl x509 \
    -req \
    -extensions v3_req \
    -days 3650 \
    -sha256 \
    -in "${DOMAIN_CA_CSR}" \
    -CA "${ROOT_CA_PEM}" \
    -CAkey "${ROOT_CA_KEY}" \
    -CAcreateserial \
    -out "${DOMAIN_CA_CRT}" \
    -extfile "${CONFIG_FILE}"
# dump the certificate in readable form for inspection; written to a separate file so it does
# not overwrite the ${DOMAIN}.txt configuration snippet merged above
openssl x509 -in "${DOMAIN_CA_CRT}" -text -noout > "${DOMAIN_CA_CRT}.txt"
printf "\n >>> CERTIFICATE CREATED FOR DOMAIN: ${DOMAIN} <<<\n"
To add the root certificate to the browser trusted store: ./add-certificate-to-browser.sh
#!/bin/bash
###
# https://thomas-leister.de/en/how-to-import-ca-root-certificate/
###
### Script installs root.cert.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9
###
### Requirement: apt install libnss3-tools
###
###
### CA file to install (CUSTOMIZE!)
###
CA_PEM="${1?Missing file name for the PEM certificate}"
CA_NAME="${2?Missing Certificate Name}"
BROWSER_CONFIG_DIR="${3:-/home}"
###
### For cert8 (legacy - DBM)
###
# -A adds the certificate under the nickname CA_NAME; "TCu,Cu,Tu" marks it trusted for SSL, email and code signing
for certDB in $(find "${BROWSER_CONFIG_DIR}" -name "cert8.db")
do
    certdir=$(dirname "${certDB}")
    certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i "${CA_PEM}" -d dbm:"${certdir}"
done
###
### For cert9 (SQL)
###
for certDB in $(find "${BROWSER_CONFIG_DIR}" -name "cert9.db")
do
    certdir=$(dirname "${certDB}")
    # same nickname variable as above (the original referenced an undefined ${certname} here)
    certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i "${CA_PEM}" -d sql:"${certdir}"
done
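As an added example (not the answer's scripts or the question's commands), the same root-CA-plus-leaf flow condensed into one POSIX shell script that also performs the check worth running before touching the browser: that the leaf chains to the root and carries a subjectAltName for localhost, which current Firefox and Chrome require on top of trusting the issuer. The file names (root-ca.*, localhost.*) and the DEV_PKI_DIR variable are assumptions of this example; it only needs the openssl binary, and it writes its own minimal config files so it does not depend on the system openssl.cnf.

```shell
#!/bin/sh
# Added example: build a local dev CA and a localhost leaf, then verify them.
set -eu

# Creates root-ca.{key,pem} and localhost.{key,csr,crt} inside $1 (assumed names).
make_dev_ca() {
  dir="$1"
  mkdir -p "$dir"

  # Root CA: CA:TRUE and keyCertSign are what let browsers accept it as an
  # issuer once it is imported into their trust store.
  cat > "$dir/root-ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Local Dev Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -sha256 -nodes -newkey rsa:2048 -days 3650 \
    -config "$dir/root-ca.cnf" \
    -keyout "$dir/root-ca.key" -out "$dir/root-ca.pem" 2>/dev/null

  # Leaf request: CN alone is not enough for modern browsers, the hostname is
  # matched against the subjectAltName added at signing time below.
  cat > "$dir/localhost.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = localhost
EOF
  cat > "$dir/localhost.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
EOF
  openssl genrsa -out "$dir/localhost.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$dir/localhost.cnf" \
    -key "$dir/localhost.key" -out "$dir/localhost.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$dir/localhost.csr" \
    -CA "$dir/root-ca.pem" -CAkey "$dir/root-ca.key" -CAcreateserial \
    -extfile "$dir/localhost.ext" -out "$dir/localhost.crt" 2>/dev/null
}

# Returns 0 only when $2 chains to the CA in $1 AND names localhost in its
# SAN; a cert failing either check will be rejected by the browser even after
# the CA is imported, so run this before blaming the import step.
check_leaf() {
  ca="$1"; crt="$2"
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$crt" -noout -text | grep -q 'DNS:localhost' || return 1
  return 0
}

# SHA-256 fingerprint of the root, to compare with what the browser shows
# in its certificate manager after the import.
ca_fingerprint() {
  openssl x509 -in "$1/root-ca.pem" -noout -fingerprint -sha256
}

# Stand-alone usage (assumed variable): DEV_PKI_DIR=./dev-pki sh make-dev-ca.sh
if [ -n "${DEV_PKI_DIR:-}" ]; then
  make_dev_ca "$DEV_PKI_DIR"
  check_leaf "$DEV_PKI_DIR/root-ca.pem" "$DEV_PKI_DIR/localhost.crt" \
    && echo "localhost.crt chains to root-ca.pem and has DNS:localhost"
  ca_fingerprint "$DEV_PKI_DIR"
fi
```

After this, root-ca.pem is what goes into the browser's NSS store (the certutil step of the answer) and localhost.key/localhost.crt are what the Node server on port 1337 serves. Running check_leaf against the question's original self-signed localhost.crt shows the two independent reasons it is rejected: it chains to no trusted root, and it has no subjectAltName.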