使用 OpenSSL 创建自签名证书

乐优刘@07242024-09-03 10:47

mkdir -p /etc/nginx/conf.d/cert

#2、创建私钥

openssl genrsa -des3 -out https.key 1024

提示输入字符:

输入字符:rancher

root@ocean-app-1a-01 cert# openssl genrsa -des3 -out https.key 1024

Generating RSA private key, 1024 bit long modulus

...++++++

...++++++

e is 65537 (0x10001)

Enter pass phrase for https.key:

139880595519376:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters

Enter pass phrase for https.key:

Verifying - Enter pass phrase for https.key:

#3、创建签名请求证书

openssl req -new -key https.key -out https.csr

root@ocean-app-1a-01 cert# openssl req -new -key https.key -out https.csr

Enter pass phrase for https.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) XX:rancher

string is too long, it needs to be less than 2 bytes long

Country Name (2 letter code) XX:CN

State or Province Name (full name) \[\]:BJ

Locality Name (eg, city) Default City:beijing

Organization Name (eg, company) Default Company Ltd:

Organizational Unit Name (eg, section) \[\]:

Common Name (eg, your name or your server's hostname) \[\]:

Email Address \[\]:

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password \[\]:rancher

An optional company name \[\]:

#4、在加载SSL支持的Nginx并使用上述私钥时除去必须的口令

$ cp https.key https.key.org

$ openssl rsa -in https.key.org -out https.key

输入 rancher

root@ocean-app-1a-01 cert# openssl rsa -in https.key.org -out https.key

输入 rancher

Enter pass phrase for https.key.org:

writing RSA key

#5、最后标记证书使用上述私钥和CSR和有效期

openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt

root@ocean-app-1a-01 cert# openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt

Signature ok

subject=/C=CN/ST=BJ/L=beijing/O=Default Company Ltd

Getting Private key

#6、nginx添加配置如下:

示例

server {

listen 443 ssl; #监听443端口

server_name linking-rancher.di.bigdata;

ssl_certificate /etc/nginx/conf.d/cert/https.crt;

ssl_certificate_key /etc/nginx/conf.d/cert/https.key;

ssl_session_timeout 5m;

#charset koi8-r;

#access_log /var/log/nginx/host.access.log main;

location / {

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Accept-Encoding 'gzip';

复制代码 
    ##配置使wss协议生效
    proxy_http_version 1.1;    
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    
    client_max_body_size 2G;
    proxy_pass https://rancher;
}
#error_page  404              /404.html;
# redirect server error pages to the static page /50x.html
#
error_page   500 502 503 504  /50x.html;
location = /50x.html {
    root   /usr/share/nginx/html;
}

}

实际配置

server {

listen 443 ssl;

server_name linking-rancher.di.bigdata;

ssl_certificate /etc/nginx/conf.d/cert/https.crt;

ssl_certificate_key /etc/nginx/conf.d/cert/https.key;

ssl_session_timeout 5m;

location / {

proxy_pass https://rancher;

proxy_redirect off;

##配置使wss协议生效

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

复制代码 
    #下面的参数取决环境需要
    #后端的Web服务器可以通过X-Forwarded-For获取用户真实IP
    proxy_set_header           Host $host;
    proxy_set_header           X-Real-IP $remote_addr;
    proxy_set_header           X-Forwarded-For $proxy_add_x_forwarded_for;
    client_max_body_size       2G; #允许客户端请求的最大单文件字节数
    client_body_buffer_size    512k; #缓冲区代理缓冲用户端请求的最大字节数
    proxy_connect_timeout      300; #nginx跟后端服务器连接超时时间(代理连接超时)
    proxy_send_timeout         300; #后端服务器数据回传时间(代理发送超时)
    proxy_read_timeout         300; #连接成功后,后端服务器响应时间(代理接收超时)
    proxy_buffer_size          4k; #设置代理服务器(nginx)保存用户头信息的缓冲区大小
    proxy_buffers              4 32k; #proxy_buffers缓冲区,网页平均在32k以下的话,这样设置
    proxy_busy_buffers_size    64k; #高负荷下缓冲大小(proxy_buffers*2)
    proxy_temp_file_write_size 64k; #设定缓存文件夹大小
    fastcgi_buffer_size 128k;
    fastcgi_buffers 8 128k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 128k;
}   
location = /50x.html {
    root   /usr/share/nginx/html;
}

}

8443 是自动部署rancher 暴露的端口 https协议

upstream rancher{

server 10.0.0.24:8443;

server 10.0.0.24:8080;

}

相关推荐
SkyWalking中文站3 小时前
认识 Horizon UI · 1/17:SkyWalking 新一代可观测性控制台
运维·前端·监控
雪梨酱QAQ6 小时前
Kubeneters HA Cluster部署
运维
江华森10 小时前
Spring Cloud 微服务全栈实战:从 Eureka 到 Docker Compose 一文贯通
运维
江华森10 小时前
Matplotlib 数据绘图基础入门
运维
江华森10 小时前
NumPy 数值计算基础入门
运维
乘云数字DATABUFF4 天前
5分钟部署开源APM Databuff:OpenTelemetry全链路追踪入门实战
运维·后端
荣--6 天前
一键部署不是为了省时间 —— 它是把"买来的 PaaS"变成"自己的平台"的拐点
运维·zabbix·工程化·一键部署·平台化·边界设计
江华森6 天前
动手实战学 Docker — 从零到集群编排完全指南
运维
Avan_菜菜7 天前
FRP 内网穿透完整实战:从 HTTP 映射到 HTTPS 自签代理
运维·nginx·https
SelectDB8 天前
Litefuse 开源并推出单进程轻量模式,25 秒就能跑起来的 Agent 可观测与评估平台
运维·后端·自动化运维
热门推荐
012026年6月AI大模型全景报告:GPT-5.6、Claude Opus 4.8、Gemini 3.5,中美AI三足鼎立谁主沉浮?022026年6月AI行业全景:从百模大战到Agent元年,这30天发生了什么?032026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf04Trae国际版与国内版深度测评:AI原生IDE的双生花05【AI】2026 年具身智能模型和世界模型总结06Claude Code、Codex、Cursor三分天下:2026年AI编程Agent生态全景剖析07飞书长连接_事件订阅(接收消息,审批任务状态变更)08GitHub 镜像站点092026 AI 编程工具终极实战指南:Cursor vs Claude Code vs Copilot,开发者该怎么选?102026年AI架构实战:彻底解决OpenAI接口超时与封号,Python调用GPT-5.2/Sora2企业级架构详解(附源码+压测报告)