nginx,ssl,证书和校验

1. 什么是 HTTPS#

要保证 Web 浏览器到服务器的安全连接,HTTPS 几乎是唯一选择。HTTPS 其实就是 HTTP over SSL,也就是让 HTTP 连接建立在 SSL 安全连接之上。SSL 使用证书来创建安全连接,有两种验证模式:

  • 仅客户端验证服务器的证书,客户端自己不提供证书;

  • 客户端和服务器都互相验证对方的证书。

普通的 Web 网站只采用第一种方式,第二种方式用于网上银行等安全性要求较高的网站。

在第二种方式中,客户端采用这种方式验证证书:服务器自己的证书必须经过某"权威"证书的签名,而这个"权威"证书又可能经过更权威的证书签名,这么一级一级追溯上去,最顶层那个最权威的证书就称为根证书。根证书直接内置在浏览器中,这样,浏览器就可以利用自己自带的根证书去验证某个服务器的证书是否有效。如果要提供一个有效的证书,服务器的证书必须从VeriSign这样的证书颁发机构签名。这样,浏览器就可以验证通过,否则,浏览器给出一个证书无效的警告。一般安全要求较高的内网环境,可以通过创建自签名 SSL 证书来加密通信。

2. 什么是数字证书#

在 HTTPS 的传输过程中,有一个非常关键的角色--数字证书,那什么是数字证书?它有什么作用呢?

所谓数字证书,是一种用于电脑的身份识别机制。由数字证书颁发机构(CA)对使用私钥创建的签名请求文件做的签名(盖章),表示 CA 结构对证书持有者的认可。

2.1. 优点#

数字证书拥有以下几个优点:

  • 使用数字证书能够提高用户的可信度;
  • 数字证书中的公钥,能够与服务端的私钥配对使用,实现数据传输过程中的加密和解密;
  • 在证认使用者身份期间,使用者的敏感个人数据并不会被传输至证书持有者的网络系统上。

2.2. 数字证书类型#

x509 的证书编码格式有两种:

  • PEM(Privacy-enhanced Electronic Mail)是明文格式的,以 -----BEGIN CERTIFICATE-----开头,以-----END CERTIFICATE-----结尾。中间是经过 base64 编码的内容,apache 需要的证书就是这类编码的证书.查看这类证书的信息的命令为:openssl x509 -noout -text -in server.pem

  • DER 是二进制格式的证书,查看这类证书的信息的命令为: openssl x509 -noout -text -inform der -in server.der

2.3. 扩展名#

  • .crt 证书文件,可以是 DER(二进制)编码的,也可以是 PEM(ASCII (Base64))编码的),在类 unix 系统中比较常见;
  • .cer 也是证书,常见于 Windows 系统。编码类型同样可以是 DER 或者 PEM 的,windows 下有工具可以转换 crt 到 cer;
  • .csr 证书签名请求文件,一般是生成请求以后发送给 CA,然后 CA 会给您签名并发回证书;
  • .key 一般公钥或者密钥都会用这种扩展名,可以是 DER 编码的或者是 PEM 编码的。查看 DER 编码的(公钥或者密钥)的文件的命令为: openssl rsa -inform DER -noout -text -in xxx.key。查看 PEM 编码的(公钥或者密钥)的文件的命令为: openssl rsa -inform PEM -noout -text -in xxx.key
  • .p12 证书文件,包含一个 X509 证书和一个被密码保护的私钥

3. 什么是自签名证书#

当由于某种原因(如:不想通过 CA 购买证书,或者仅是用于测试等情况),无法正常获取 CA 签发的证书。这时可以生成一个自签名证书。使用这个自签名证书的时候,会在客户端浏览器报一个错误,签名证书授权未知或不可信(signing certificate authority is unknown and not trusted)。

自签名证书有两种类型:

  • 自签名证书

  • 私有 CA 签名证书

    自签名证书的IssuerSubject是相同的。

它们的区别有以下三点:

  • 自签名的证书无法被吊销,私有 CA 签名的证书可以被吊销。

  • 如果您的规划需要创建多个证书,那么使用私有 CA 签名的方法比较合适,因为只要给所有的客户端都安装相同的 CA 证书,那么以该 CA 证书签名过的证书,客户端都是信任的,也就只需要安装一次就够了。

  • 如果您使用用自签名证书,您需要给所有的客户端安装该证书才会被信任。如果您需要第二个证书,则需要给所有客户端安装第二个 CA 证书才会被信任。

4. 如何生成自签名证书#

4.1. 一键生成 ssl 自签名证书脚本

[root@nginx ok]# cat create_self-signed-cert.sh 

#!/bin/bash -e
 
help ()
{
    echo  ' ================================================================ '
    echo  ' --ssl-domain: 生成ssl证书需要的主域名,如不指定则默认为localhost,如果是ip访问服务,则可忽略;'
    echo  ' --ssl-trusted-ip: 一般ssl证书只信任域名的访问请求,有时候需要使用ip去访问server,那么需要给ssl证书添加扩展IP,多个IP用逗号隔开;'
    echo  ' --ssl-trusted-domain: 如果想多个域名访问,则添加扩展域名(SSL_TRUSTED_DOMAIN),多个扩展域名用逗号隔开;'
    echo  ' --ssl-size: ssl加密位数,默认2048;'
    echo  ' --ssl-date: ssl有效期,默认10年;'
    echo  ' --ca-date: ca有效期,默认10年;'
    echo  ' --ssl-cn: 国家代码(2个字母的代号),默认CN;'
    echo  ' 使用示例:'
    echo  ' ./create_self-signed-cert.sh --ssl-domain=www.test.com --ssl-trusted-domain=www.test2.com \ '
    echo  ' --ssl-trusted-ip=1.1.1.1,2.2.2.2,3.3.3.3 --ssl-size=2048 --ssl-date=3650'
    echo  ' ================================================================'
}
 
case "$1" in
    -h|--help) help; exit;;
esac
 
if [[ $1 == '' ]];then
    help;
    exit;
fi
 
CMDOPTS="$*"
for OPTS in $CMDOPTS;
do
    key=$(echo ${OPTS} | awk -F"=" '{print $1}' )
    value=$(echo ${OPTS} | awk -F"=" '{print $2}' )
    case "$key" in
        --ssl-domain) SSL_DOMAIN=$value ;;
        --ssl-trusted-ip) SSL_TRUSTED_IP=$value ;;
        --ssl-trusted-domain) SSL_TRUSTED_DOMAIN=$value ;;
        --ssl-size) SSL_SIZE=$value ;;
        --ssl-date) SSL_DATE=$value ;;
        --ca-date) CA_DATE=$value ;;
        --ssl-cn) CN=$value ;;
    esac
done
 
# CA相关配置
CA_DATE=${CA_DATE:-3650}
CA_KEY=${CA_KEY:-cakey.pem}
CA_CERT=${CA_CERT:-cacerts.pem}
CA_DOMAIN=localhost
 
# ssl相关配置
SSL_CONFIG=${SSL_CONFIG:-$PWD/openssl.cnf}
SSL_DOMAIN=${SSL_DOMAIN:-localhost}
SSL_DATE=${SSL_DATE:-3650}
SSL_SIZE=${SSL_SIZE:-2048}
 
## 国家代码(2个字母的代号),默认CN;
CN=${CN:-CN}
 
SSL_KEY=$SSL_DOMAIN.key
SSL_CSR=$SSL_DOMAIN.csr
SSL_CERT=$SSL_DOMAIN.crt
 
echo -e "\033[32m ---------------------------- \033[0m"
echo -e "\033[32m       | 生成 SSL Cert |       \033[0m"
echo -e "\033[32m ---------------------------- \033[0m"
 
if [[ -e ./${CA_KEY} ]]; then
    echo -e "\033[32m ====> 1. 发现已存在CA私钥,备份"${CA_KEY}"为"${CA_KEY}"-bak,然后重新创建 \033[0m"
    mv ${CA_KEY} "${CA_KEY}"-bak
    openssl genrsa -out ${CA_KEY} ${SSL_SIZE}
else
    echo -e "\033[32m ====> 1. 生成新的CA私钥 ${CA_KEY} \033[0m"
    openssl genrsa -out ${CA_KEY} ${SSL_SIZE}
fi
 
if [[ -e ./${CA_CERT} ]]; then
    echo -e "\033[32m ====> 2. 发现已存在CA证书,先备份"${CA_CERT}"为"${CA_CERT}"-bak,然后重新创建 \033[0m"
    mv ${CA_CERT} "${CA_CERT}"-bak
    openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}"
else
    echo -e "\033[32m ====> 2. 生成新的CA证书 ${CA_CERT} \033[0m"
    openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}"
fi
 
echo -e "\033[32m ====> 3. 生成Openssl配置文件 ${SSL_CONFIG} \033[0m"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM
 
if [[ -n ${SSL_TRUSTED_IP} || -n ${SSL_TRUSTED_DOMAIN} ]]; then
    cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
    IFS=","
    dns=(${SSL_TRUSTED_DOMAIN})
    dns+=(${SSL_DOMAIN})
    for i in "${!dns[@]}"; do
      echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
    done
 
    if [[ -n ${SSL_TRUSTED_IP} ]]; then
        ip=(${SSL_TRUSTED_IP})
        for i in "${!ip[@]}"; do
          echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
        done
    fi
fi
 
echo -e "\033[32m ====> 4. 生成服务SSL KEY ${SSL_KEY} \033[0m"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE}
 
echo -e "\033[32m ====> 5. 生成服务SSL CSR ${SSL_CSR} \033[0m"
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/C=${CN}/CN=${SSL_DOMAIN}" -config ${SSL_CONFIG}
 
echo -e "\033[32m ====> 6. 生成服务SSL CERT ${SSL_CERT} \033[0m"
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} \
    -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
    -days ${SSL_DATE} -extensions v3_req \
    -extfile ${SSL_CONFIG}
 
echo -e "\033[32m ====> 7. 证书制作完成 \033[0m"
echo
echo -e "\033[32m ====> 8. 以YAML格式输出结果 \033[0m"
echo "----------------------------------------------------------"
echo "ca_key: |"
cat $CA_KEY | sed 's/^/  /'
echo
echo "ca_cert: |"
cat $CA_CERT | sed 's/^/  /'
echo
echo "ssl_key: |"
cat $SSL_KEY | sed 's/^/  /'
echo
echo "ssl_csr: |"
cat $SSL_CSR | sed 's/^/  /'
echo
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/  /'
echo
 
echo -e "\033[32m ====> 9. 附加CA证书到Cert文件 \033[0m"
cat ${CA_CERT} >> ${SSL_CERT}
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/  /'
echo
 
echo -e "\033[32m ====> 10. 重命名服务证书 \033[0m"
echo "cp ${SSL_DOMAIN}.key tls.key"
cp ${SSL_DOMAIN}.key tls.key
echo "cp ${SSL_DOMAIN}.crt tls.crt"
cp ${SSL_DOMAIN}.crt tls.crt

4.2. 脚本说明#

  • 复制以上代码另存为create_self-signed-cert.sh或者其他您喜欢的文件名。
  • 脚本参数

--ssl-domain: 生成ssl证书需要的主域名,如不指定则默认为www.rancher.local,如果是ip访问服务,则可忽略;

--ssl-trusted-ip: 一般ssl证书只信任域名的访问请求,有时候需要使用ip去访问server,那么需要给ssl证书添加扩展IP,多个IP用逗号隔开;

--ssl-trusted-domain: 如果想多个域名访问,则添加扩展域名(TRUSTED_DOMAIN),多个TRUSTED_DOMAIN用逗号隔开;

--ssl-size: ssl加密位数,默认2048;

--ssl-cn: 国家代码(2个字母的代号),默认CN;

使用案列:

[root@nginx ok]# ./create_self-signed-cert.sh --ssl-domain=jetto.jettech.com --ssl-trusted-domain=jetto.jettech.com --ssl-trusted-ip=172.16.10.21,192.168.1.65,172.16.10.59,172.16.10.33 --ssl-size=2048  --ssl-date=3650

5. 验证证书#

注意: 因为使用的是自签名证书,浏览器会提示证书的颁发机构是未知的。

把生成的 ca 证书和去除密码的私钥文件部署到 web 服务器后,执行以下命令验证:

  • 通过 openssl 本地校验,应该返回状态为 ok

    [root@nginx ok]# ls
    cacerts.pem cakey.pem jetto.jettech.com.crt jetto.jettech.com.key tls.crt
    cacerts.srl create_self-signed-cert.sh jetto.jettech.com.csr openssl.cnf tls.key
    [root@nginx ok]# openssl verify -CAfile cacerts.pem tls.crt
    tls.crt: OK

openssl x509 -in tls.crt -noout -text执行后查看对应的域名和扩展 iP 是否正确

[root@nginx ok]# openssl x509 -in tls.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            92:75:63:e3:78:e8:61:81
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, CN=localhost
        Validity
            Not Before: Jan  2 02:57:29 2024 GMT
            Not After : Dec 30 02:57:29 2033 GMT
        Subject: C=CN, CN=jetto.jettech.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d7:8d:dc:3e:e7:f6:aa:cb:76:86:03:92:9c:a1:
                    30:f8:4e:94:81:da:3a:3a:86:9d:8e:94:50:df:05:
                    31:3c:92:a0:86:01:ad:52:54:ff:d8:b0:3e:64:4b:
                    5c:da:23:e4:1d:d8:86:da:54:3c:d8:3d:78:2c:9b:
                    09:bf:47:1d:f2:76:4f:7b:c7:3f:55:23:d9:6a:ca:
                    34:be:81:6e:ae:a2:8f:fd:56:90:fb:45:31:22:1a:
                    0c:f8:cf:bb:91:9d:d9:dd:d8:ae:6f:e2:49:e6:9f:
                    04:71:9b:ea:64:94:13:46:a2:aa:05:45:17:48:a6:
                    ac:9e:db:d0:10:af:17:f1:cd:8e:b8:ce:ec:24:1b:
                    cd:1f:59:fa:04:a9:81:ce:88:be:9a:53:37:b2:bb:
                    51:ee:ea:81:76:70:62:f2:5a:0d:8a:d2:40:ce:95:
                    e0:cb:0c:09:08:a2:7c:50:c1:5b:b1:0d:0a:6d:e5:
                    46:e2:5f:df:30:c8:94:bc:eb:ed:2e:59:24:3b:04:
                    35:b7:69:7e:34:53:0d:d2:b1:cd:84:46:38:ae:af:
                    3f:96:3a:b8:df:7a:cb:ec:06:55:86:20:ad:42:4b:
                    c5:96:73:2c:bf:31:c8:81:1d:7f:af:49:05:27:8e:
                    6b:99:a4:86:3e:26:e6:01:4e:21:e3:ef:3d:d6:0f:
                    7b:bb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Subject Alternative Name: 
                DNS:jetto.jettech.com, DNS:jetto.jettech.com, IP Address:172.16.10.21, IP Address:192.168.1.65, IP Address:172.16.10.59, IP Address:172.16.10.33
    Signature Algorithm: sha256WithRSAEncryption
         11:72:53:fe:34:c5:9c:e9:85:79:df:68:b2:1f:e0:a9:db:cd:
         d6:72:ca:ed:07:bd:10:b6:11:9c:f5:ce:81:e2:54:ed:6e:5b:
         77:a1:9f:d5:8c:40:80:73:21:54:31:a1:f0:b2:e2:37:dd:e5:
         14:3d:f1:87:ee:fa:69:ac:8a:05:f4:32:ab:04:fb:0d:d5:b9:
         7b:d3:cc:84:47:89:b6:27:45:d5:e0:89:b9:a9:c5:14:36:ed:
         d2:5b:f0:20:96:7e:8c:8e:87:fe:e9:71:08:18:d1:f9:6f:30:
         91:d9:ba:eb:7f:f7:32:f1:94:dd:5b:bf:02:bd:cb:51:99:b2:
         43:51:d0:ae:69:d7:1f:f5:ec:a3:e6:98:1d:2d:8c:07:78:3e:
         23:0b:73:fb:25:41:61:fb:88:bf:a1:f2:92:ed:50:48:47:f2:
         37:a8:67:c6:0b:db:05:24:1d:38:4e:97:d7:51:06:1e:5f:09:
         d9:04:77:20:79:63:43:45:a6:b9:c2:f6:92:ae:fd:26:e7:0f:
         15:27:91:ee:96:e1:90:0f:3b:00:62:d5:6d:29:17:cd:95:45:
         06:af:92:a8:9f:ed:8e:c1:7b:67:1b:de:4b:45:eb:94:a3:4f:
         8e:f1:bc:2a:3c:dd:aa:93:13:33:15:03:fe:95:30:54:7b:45:
         7a:2b:a0:cd

次错误是由于服务没有启动,启动nginx服务且配置ssl

[root@nginx nginx]# cat nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    upstream rancher_servers_http {
        least_conn;
        server 192.168.99.189:80 max_fails=3 fail_timeout=5s;
    }
    server {
        listen       80;
        listen       [::]:80;
        server_name  jetto.jettech.com;
        location / {
		proxy_pass http://rancher_servers_http;
	}
    }
    server {
        listen       443 ssl http2;
        listen       [::]:443 ssl http2;
        server_name  jetto.jettech.com;
        ssl_certificate "/home/wubo/rancher/cert/ok/tls.crt";
        ssl_certificate_key "/home/wubo/rancher/cert/ok/tls.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
		proxy_pass http://rancher_servers_http;
	}
    }
}

再次执行:

[root@nginx ok]# openssl s_client -connect jetto.jettech.com:443 -servername jetto.jettech.com
CONNECTED(00000003)
depth=1 C = CN, CN = localhost
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/C=CN/CN=jetto.jettech.com
   i:/C=CN/CN=localhost
 1 s:/C=CN/CN=localhost
   i:/C=CN/CN=localhost
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDUTCCAjmgAwIBAgIJAJJ1Y+N46GGBMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
BAYTAkNOMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjQwMTAyMDI1NzI5WhcNMzMx
MjMwMDI1NzI5WjApMQswCQYDVQQGEwJDTjEaMBgGA1UEAwwRamV0dG8uamV0dGVj
aC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXjdw+5/aqy3aG
A5KcoTD4TpSB2jo6hp2OlFDfBTE8kqCGAa1SVP/YsD5kS1zaI+Qd2IbaVDzYPXgs
mwm/Rx3ydk97xz9VI9lqyjS+gW6uoo/9VpD7RTEiGgz4z7uRndnd2K5v4knmnwRx
m+pklBNGoqoFRRdIpqye29AQrxfxzY64zuwkG80fWfoEqYHOiL6aUzeyu1Hu6oF2
cGLyWg2K0kDOleDLDAkIonxQwVuxDQpt5UbiX98wyJS86+0uWSQ7BDW3aX40Uw3S
sc2ERjiurz+WOrjfesvsBlWGIK1CS8WWcyy/MciBHX+vSQUnjmuZpIY+JuYBTiHj
7z3WD3u7AgMBAAGjgYMwgYAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0l
BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEcGA1UdEQRAMD6CEWpldHRvLmpldHRl
Y2guY29tghFqZXR0by5qZXR0ZWNoLmNvbYcErBAKFYcEwKgBQYcErBAKO4cErBAK
ITANBgkqhkiG9w0BAQsFAAOCAQEAEXJT/jTFnOmFed9osh/gqdvN1nLK7Qe9ELYR
nPXOgeJU7W5bd6Gf1YxAgHMhVDGh8LLiN93lFD3xh+76aayKBfQyqwT7DdW5e9PM
hEeJtidF1eCJuanFFDbt0lvwIJZ+jI6H/ulxCBjR+W8wkdm663/3MvGU3Vu/Ar3L
UZmyQ1HQrmnXH/Xso+aYHS2MB3g+Iwtz+yVBYfuIv6Hyku1QSEfyN6hnxgvbBSQd
OE6X11EGHl8J2QR3IHljQ0WmucL2kq79JucPFSeR7pbhkA87AGLVbSkXzZVFBq+S
qJ/tjsF7ZxveS0XrlKNPjvG8KjzdqpMTMxUD/pUwVHtFeiugzQ==
-----END CERTIFICATE-----
subject=/C=CN/CN=jetto.jettech.com
issuer=/C=CN/CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2339 bytes and written 441 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 60F07007FE335A3F64723F91A7C7141BED0A9877306264554FAD006C598C4B93
    Session-ID-ctx: 
    Master-Key: FA55E587A368FC67E6330CCA9BF43EE463A7D721D3ED6195BE40D2FEB310E3261C095B1AFF910CFD21198DF9200D9D1B
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 600 (seconds)
    TLS session ticket:
    0000 - 84 8b eb 52 3d 31 df 8c-d3 f8 03 72 88 cb 5f d6   ...R=1.....r.._.
    0010 - 44 3f 3a 2a 3c e4 b7 ad-53 8b 05 92 de 44 b6 51   D?:*<...S....D.Q
    0020 - 48 60 79 f4 7a 42 a2 8f-92 94 08 27 78 14 8e 1c   H`y.zB.....'x...
    0030 - a8 2b e7 6f 04 46 26 cb-cd b4 b0 90 7b a8 70 44   .+.o.F&.....{.pD
    0040 - d2 5a 60 67 56 0b 05 b4-53 26 b7 32 42 ae 8f 87   .Z`gV...S&.2B...
    0050 - 24 65 99 85 02 4c 30 0a-a3 cb f6 2d f3 e8 84 3a   $e...L0....-...:
    0060 - fe 5f e7 13 9c 4d 2c 53-fc 7d 24 26 73 65 51 88   ._...M,S.}$&seQ.
    0070 - 80 43 3e d3 71 f3 95 6f-ea 47 4c e7 a8 67 a8 33   .C>.q..o.GL..g.3
    0080 - 0f 81 30 cb f2 33 cb 89-1f 5f c7 5d d1 d4 65 05   ..0..3..._.]..e.
    0090 - 16 1d c4 de cc 49 cc 55-dd 27 58 62 34 0f 6a 05   .....I.U.'Xb4.j.
    00a0 - 22 51 bf 17 b0 73 7f 19-64 04 80 2e f8 cd fc 7b   "Q...s..d......{
    00b0 - 0b be bc 74 7c e9 e5 a0-bc 82 d5 c8 8f 1d 1e 79   ...t|..........y

    Start Time: 1704175421
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

有错误:depth=1 C = CN, CN = localhost

verify error:num=19:self signed certificate in certificate chain

  • 添加 CA 证书验证:

    [root@nginx ok]# openssl s_client -connect jetto.jettech.com:443 -servername jetto.jettech.com -CAfile cacerts.pem 
    CONNECTED(00000003)
    depth=1 C = CN, CN = localhost
    verify return:1
    depth=0 C = CN, CN = jetto.jettech.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=CN/CN=jetto.jettech.com
       i:/C=CN/CN=localhost
     1 s:/C=CN/CN=localhost
       i:/C=CN/CN=localhost
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIDUTCCAjmgAwIBAgIJAJJ1Y+N46GGBMA0GCSqGSIb3DQEBCwUAMCExCzAJBgNV
    BAYTAkNOMRIwEAYDVQQDDAlsb2NhbGhvc3QwHhcNMjQwMTAyMDI1NzI5WhcNMzMx
    MjMwMDI1NzI5WjApMQswCQYDVQQGEwJDTjEaMBgGA1UEAwwRamV0dG8uamV0dGVj
    aC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXjdw+5/aqy3aG
    A5KcoTD4TpSB2jo6hp2OlFDfBTE8kqCGAa1SVP/YsD5kS1zaI+Qd2IbaVDzYPXgs
    mwm/Rx3ydk97xz9VI9lqyjS+gW6uoo/9VpD7RTEiGgz4z7uRndnd2K5v4knmnwRx
    m+pklBNGoqoFRRdIpqye29AQrxfxzY64zuwkG80fWfoEqYHOiL6aUzeyu1Hu6oF2
    cGLyWg2K0kDOleDLDAkIonxQwVuxDQpt5UbiX98wyJS86+0uWSQ7BDW3aX40Uw3S
    sc2ERjiurz+WOrjfesvsBlWGIK1CS8WWcyy/MciBHX+vSQUnjmuZpIY+JuYBTiHj
    7z3WD3u7AgMBAAGjgYMwgYAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwHQYDVR0l
    BBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMEcGA1UdEQRAMD6CEWpldHRvLmpldHRl
    Y2guY29tghFqZXR0by5qZXR0ZWNoLmNvbYcErBAKFYcEwKgBQYcErBAKO4cErBAK
    ITANBgkqhkiG9w0BAQsFAAOCAQEAEXJT/jTFnOmFed9osh/gqdvN1nLK7Qe9ELYR
    nPXOgeJU7W5bd6Gf1YxAgHMhVDGh8LLiN93lFD3xh+76aayKBfQyqwT7DdW5e9PM
    hEeJtidF1eCJuanFFDbt0lvwIJZ+jI6H/ulxCBjR+W8wkdm663/3MvGU3Vu/Ar3L
    UZmyQ1HQrmnXH/Xso+aYHS2MB3g+Iwtz+yVBYfuIv6Hyku1QSEfyN6hnxgvbBSQd
    OE6X11EGHl8J2QR3IHljQ0WmucL2kq79JucPFSeR7pbhkA87AGLVbSkXzZVFBq+S
    qJ/tjsF7ZxveS0XrlKNPjvG8KjzdqpMTMxUD/pUwVHtFeiugzQ==
    -----END CERTIFICATE-----
    subject=/C=CN/CN=jetto.jettech.com
    issuer=/C=CN/CN=localhost
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 2339 bytes and written 441 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 95FE938078066FABC655FB417B9BA69E250EAACF2F7778AC8764044D5006AE5A
        Session-ID-ctx: 
        Master-Key: 741A656493A66E006BB21504DE4E6C32E5B4D8A251149438B1ACCDE235FC1C3069B15F4BF28A190381B15EF2C9F690BA
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 600 (seconds)
        TLS session ticket:
        0000 - 84 8b eb 52 3d 31 df 8c-d3 f8 03 72 88 cb 5f d6   ...R=1.....r.._.
        0010 - 31 09 68 8f 35 10 82 f9-c2 b4 61 91 dd 95 36 11   1.h.5.....a...6.
        0020 - 2d 8e 2d 5f 85 8a c4 cb-64 f6 a1 ac 1d 8e e9 4f   -.-_....d......O
        0030 - 26 79 03 c0 fa f1 58 44-28 52 00 d5 1e e5 f5 27   &y....XD(R.....'
        0040 - 1f e6 d7 fe e2 38 7d 0d-fa 0a f2 5d 38 c5 36 75   .....8}....]8.6u
        0050 - 94 a5 77 08 79 95 37 45-b7 e7 ba 38 79 00 42 db   ..w.y.7E...8y.B.
        0060 - 3b 54 aa db e9 9c 07 b2-80 74 dc 21 b7 41 31 c3   ;T.......t.!.A1.
        0070 - cd a3 46 68 3f 84 0f 91-1f ae 74 35 d6 8d 88 06   ..Fh?.....t5....
        0080 - 42 07 2a 14 67 52 f4 bd-db 0a 13 08 49 b3 d9 bd   B.*.gR......I...
        0090 - 7c f9 1d b0 45 5d d3 85-c9 82 c6 5a dc 35 f4 5a   |...E].....Z.5.Z
        00a0 - 8e ec f0 cc 78 da 3e 90-7d 7f 96 66 1d dd 5d 03   ....x.>.}..f..].
        00b0 - 0b 51 f6 ff f9 77 a5 5d-75 e5 73 0c 30 e7 ae 11   .Q...w.]u.s.0...
    
        Start Time: 1704175560
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    
相关推荐
lwprain23 分钟前
安装支持ssl的harbor 2.1.4 docker 19.03.8 docker-compose 1.24.0
网络协议·ssl·harbor
软件技术员24 分钟前
Let‘s Encrypt SSL证书:acmessl.cn申请免费3个月证书
服务器·网络协议·ssl
耗同学一米八37 分钟前
2024 年河北省职业院校技能大赛网络建设与运维赛项样题四
运维·网络
_半夏曲1 小时前
node.js、nginx、iis、tomcat针对部署方面的简述
nginx·node.js·tomcat
东华果汁哥1 小时前
【linux 免密登录】快速设置kafka01、kafka02、kafka03 三台机器免密登录
linux·运维·服务器
肖永威2 小时前
CentOS环境上离线安装python3及相关包
linux·运维·机器学习·centos
布鲁格若门2 小时前
CentOS 7 桌面版安装 cuda 12.4
linux·运维·centos·cuda
Eternal-Student2 小时前
【docker 保存】将Docker镜像保存为一个离线的tar归档文件
运维·docker·容器
dessler2 小时前
云计算&虚拟化-kvm-扩缩容cpu
linux·运维·云计算
DC_BLOG2 小时前
Linux-Apache静态资源
linux·运维·apache