How to get https certificate working on local Laravel Homestead site


Problem description

I'm getting this problem:

The error that I'm seeing in Windows 10 Chrome Version 65.0.3325.181 (Official Build) (64-bit) is:

Your connection is not private

Attackers might be trying to steal your information from ((mysite)) (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

This page is not secure (broken HTTPS).

Certificate - missing

This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

Firefox Quantum 59.0.2 (64-bit) says:

Your connection is not secure

The owner of ((mysite)) has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Connection is Not Secure

Could not verify this certificate because the issuer is unknown.

I have already tried: https://stackoverflow.com/a/47755133/470749

vboxmanage --version
5.2.6r120293

vagrant -v
Vagrant 2.0.2

git branch
* (HEAD detached at v7.3.0)

vagrant box list
laravel/homestead (virtualbox, 5.2.0)

vagrant box update
==> vboxHomestead: Checking for updates to 'laravel/homestead'
    vboxHomestead: Latest installed version: 5.2.0
    vboxHomestead: Version constraints: >= 5.2.0
    vboxHomestead: Provider: virtualbox
==> vboxHomestead: Box 'laravel/homestead' (v5.2.0) is running the latest version.

I wonder if this means that I'm not yet using release 7.1.0 (which has in its changelog "sign SSL certificates with a custom root certificate"), and I wonder if that's why I have this SSL HTTPS problem.

What are the next steps I should try now to get the certificate working?

Solution

Unfortunately, I don't have an easy way of checking it on Windows, so I'm going to use VirtualBox running on Linux here. Install vagrant, then:

$ vagrant box add laravel/homestead
$ git clone https://github.com/laravel/homestead.git
$ cd homestead
$ git checkout v7.3.0
$ bash init.sh

I've simplified Homestead.yaml a bit (you might prefer to stick with the defaults):

---
ip: "192.168.10.10"
provider: virtualbox
folders:
    - map: /home/yuri/_/la1
      to: /home/vagrant/code
sites:
    - map: homestead.test
      to: /home/vagrant/code/public

Then:

$ mkdir -p ~/_/la1/public
$ echo '<?php echo "it works";' > ~/_/la1/public/index.php

$ vagrant up

$ vagrant ssh -c 'ls /etc/nginx/sites-enabled'
homestead.test

$ vagrant ssh -c 'cat /etc/nginx/sites-enabled/homestead.test'
server {
    listen 80;
    listen 443 ssl http2;
    server_name .homestead.test;
    root "/home/vagrant/code/public";
    ...
    ssl_certificate     /etc/nginx/ssl/homestead.test.crt;
    ssl_certificate_key /etc/nginx/ssl/homestead.test.key;
}

As we can see it has the certificates in /etc/nginx/ssl:

$ vagrant ssh -c 'ls -1 /etc/nginx/ssl'
ca.homestead.homestead.cnf
ca.homestead.homestead.crt
ca.homestead.homestead.key
ca.srl
homestead.test.cnf
homestead.test.crt
homestead.test.csr
homestead.test.key

I tried to trust the server certificate systemwide, but it didn't work out. It appeared on the Servers tab in Firefox's Certificate Manager, but that didn't make Firefox trust it. I could probably have added an exception, but trusting the CA certificate looks like a better option. Trusting a CA certificate makes the browser trust any certificate it issues (new sites running under Homestead). So we're going to go with the CA certificate here:

$ vagrant ssh -c 'cat /etc/nginx/ssl/ca.homestead.homestead.crt' > ca.homestead.homestead.crt

$ sudo trust anchor ca.homestead.homestead.crt

$ trust list | head -n 5
pkcs11:id=%4c%f9%25%11%e5%8d%ad%5c%2a%f3%63%b6%9e%53%c4%70%fa%90%4d%77;type=cert
    type: certificate
    label: Homestead homestead Root CA
    trust: anchor
    category: authority

Then, I've added 192.168.10.10 homestead.test to /etc/hosts, restarted Chromium, and it worked.

P.S. I'm running Chromium 65.0.3325.162, and Firefox 59.0.

Windows

Apparently, Windows doesn't have a trust utility. Under Windows one has two stores: the Local Machine and Current User certificate stores. There's no point in using the Local Machine certificate store, since we're making it work just for our current user. Then, there are substores. Two of the predefined ones are of most interest: the Trusted Root Certification Authorities and Intermediate Certification Authorities stores. They are commonly referred to on the command line as root and CA.

You can access Chrome's Certificate Manager by following chrome://settings/?search=Manage%20certificates, then clicking Manage certificates. Of most interest are Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.

One way to manage certificates is via the command line:

>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root

>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA

>rem GUI version of -store command
>certutil.exe -viewstore -user CA

>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt

>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1

>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA

The results are as follows (for both Local Machine and Current User Certificate stores):

root
    homestead.test.crt
        error
    ca.homestead.homestead.crt
        appears in Trusted Root Certification Authorities tab
CA
    homestead.test.crt
        doesn't work, appears in Other People tab
    ca.homestead.homestead.crt
        doesn't work, appears in Intermediate Certification Authorities tab

Other options would be double-clicking on a certificate in Explorer, importing certificates from Chrome's Certificate Manager, using Certificates MMC Snap-in (run certmgr.msc), or using CertMgr.exe.

For those who have grep installed, here's how to quickly check where the certificate is:

>certutil.exe -store -user root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -user CA | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise CA | grep "homestead\|^root\|^CA"

So, installing the CA certificate into the Current User > Trusted Root Certification Authorities store seems like the best option. And make sure not to forget to restart your browser.

More in-depth explanation of how it works

In the Vagrantfile, it requires scripts/homestead.rb, then runs Homestead.configure. That's the method that configures Vagrant to make all the needed preparations.

There we can see:

if settings.include? 'sites'
    settings["sites"].each do |site|

        # Create SSL certificate
        config.vm.provision "shell" do |s|
            s.name = "Creating Certificate: " + site["map"]
            s.path = scriptDir + "/create-certificate.sh"
            s.args = [site["map"]]
        end

        ...

        config.vm.provision "shell" do |s|
            ...
            s.path = scriptDir + "/serve-#{type}.sh"
            ...
        end

        ...
    end
end

So, these two files create the certificate and the nginx config, respectively.

Further reading

How to make browser trust localhost SSL certificate?
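
The pattern in the answer's results (the CA certificate works as a root, the site certificate does not) can also be observed with OpenSSL's verifier on a constructed chain. This is an added example, not part of the original answer and not Homestead's create-certificate.sh; the keys, the CA name, the helper names (make_ca, issue_site, chains_to, verdict, fingerprint), the openssl options and the second site another.test are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway keys, not Homestead's own script.
set -eu

# Create a self-signed root CA (ca.key, ca.crt) in directory $1.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Issue a certificate for host $2, signed by the CA in directory $1.
issue_site() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# Exit status 0 only if certificate $2 validates with $1 as the trust anchor.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print "trusted" or "rejected" for anchor $1 and certificate $2.
verdict() {
    if chains_to "$1" "$2"; then echo trusted; else echo rejected; fi
}

# SHA-256 fingerprint, to compare before importing a CA into a trust store.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    issue_site "$d" homestead.test
    issue_site "$d" another.test   # hypothetical second site
    echo "CA anchor, homestead.test: $(verdict "$d/ca.crt" "$d/homestead.test.crt")"
    echo "CA anchor, another.test:   $(verdict "$d/ca.crt" "$d/another.test.crt")"
    echo "site cert as anchor:       $(verdict "$d/homestead.test.crt" "$d/homestead.test.crt")"
    fingerprint "$d/ca.crt"
    rm -rf "$d"
}
demo
```

Because every certificate signed by the trusted CA validates, the CA private key (ca.homestead.homestead.key in the listing above) is what the trust decision rests on; the -delstore command shown earlier removes the CA from the store when it is no longer needed.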
