本地主机或 127.0.0.1 的第三方签名 SSL 证书? [英] Third-Party Signed SSL Certificate for localhost or 127.0.0.1?

问题描述

在不透露太多信息的情况下，我需要设置一个网络服务器系统，供互联网上的最终用户使用.

Without divulging TOO much information, I need to setup a web server system that is intended to be used by end users all over the internet.

用例是这样的:

• 在连接到系统时，最终用户(通常)在本地防火墙后面的家中.
• 系统由我们托管的远程服务器组成，严格通过 https(使用 SSL)
• 授权机制要求在远程服务器上自行创建用户帐户，在成功创建帐户后，需要将一个软件下载并安装到最终用户的计算机上.该软件除其他外还包含一个本地网络服务器.
• 这个本地"网络服务器还必须只允许 https 连接到用户的浏览器.

由于分布式软件将成为每个用户计算机上唯一的 Web 服务器，因此我不确定如何或是否有可能获得第三方签名的 SSL 证书，该证书在用户使用时不会导致可信度错误通过网络浏览器连接到它.当然，它可以使用自签名 SSL 证书，但其想法是避免浏览器警告，以便最终用户隐式地信任"来自通过 SSL 运行其网络服务器的应用程序的数据.

Since the distributed software will be a unique web server on every individual users' machine, I'm unsure how or even if it is possible, to get a THIRD PARTY SIGNED SSL certificate that won't cause trustworthiness errors when the user connects to it via the web browser. Of course it can use self-signed SSL certs but the idea is to avoid the browser warnings so that the end users will implicitly "trust" data coming from their own application running its webserver over SSL.

这可能吗?

推荐答案

localhost

您永远不会获得本地主机的正确 https 证书.这是严格禁止.因为原因.

简而言之:

• 错误配置的设备实际上存在，在野外等待查找，然后从 /etc/hosts
解析本地主机
• 如果路由器定义了localhost.foo.local，它可能会导致localhost 解析错误(您之前可能已经见过此类错误)

• Misconfigured devices actually exist, in the wild, that wait for lookups before resolving localhost from /etc/hosts
• If a router defines localhost.foo.local it may cause localhost to resolve incorrectly (you've probably seen this class of error before)

您可以创建一个根证书，然后然后创建一个所谓的自签名"证书，由您创建的根 ca 签名.你仍然会看到丑陋的警告屏幕，但它会起作用.

You can create a root certificate and then create a so-called "self-signed" certificate, signed by the root ca you created. You'll still get the ugly warning screen, but it'll work.

• 参见 https://coolaj86.com/articles/how-to-create-a-csr-for-https-tls-ssl-rsa-pems/

代替实际的 localhost 证书，我按照 Eugene 的建议去做 - 在公共域上创建 127.0.0.1 记录.

In lieu of actual localhost certs, I do what Eugene suggests - create a 127.0.0.1 record on a public domain.

您可以通过 Let's Encrypt 通过 https://获得 localhost.YOURSITE.com 的免费 HTTPS 证书greenlock.domains.只需选择 DNS 选项而不是 HTTP 文件上传选项

You can get free HTTPS certificates for localhost.YOURSITE.com via Let's Encrypt via https://greenlock.domains. Just choose the DNS option instead of the HTTP File Upload option

• 购买一个 *.localhost.example.com 证书并为每个安装颁发一个秘密的 xyz.localhost.example.com(并将其包含在公共后缀列表中防止对 example.com 的攻击)
• 使用启用 greenlock 的应用即时生成此类证书(通过https://letsencrypt.org)直接在客户端(或将它们传递给客户端)

• Purchase a *.localhost.example.com cert and issue each installation a secret xyz.localhost.example.com (and include it in the public suffix list to prevent attacks on example.com)
• Use a greenlock-enabled app to generate such certificates on the fly (through https://letsencrypt.org) directly on the client (or pass them to the client)

如果您未包含在 PSL 中，请注意:

If you do not get included in the PSL note that:

• 会话、localstorage、indexeddb 等由域共享
• 更改端口不会改变它们的共享性

更新:像greenlock使用 ACME/Let's Encrypt 的，这不再特别相关.

Update: with things like greenlock that use ACME / Let's Encrypt, this is no longer particularly relevant.

这可能是一个非常糟糕的主意，因为我们不希望用户习惯于安装根 CA(而且我们知道 原来适用于联想)，但对于企业/克隆机器来说，这可能是一个合理的低预算选择.

This is probably a really bad idea because we don't want users becoming accustomed to installing Root CAs willy nilly (and we know how that turned out for Lenovo), but for corporate / cloned machines it may be a reasonable low-budget option.

这篇关于本地主机或 127.0.0.1 的第三方签名 SSL 证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！