使用 OpenSSL 创建自签名证书

乐优刘@07242024-09-03 10:47

mkdir -p /etc/nginx/conf.d/cert

#2、创建私钥

openssl genrsa -des3 -out https.key 1024

提示输入字符:

输入字符:rancher

root@ocean-app-1a-01 cert\]# openssl genrsa -des3 -out https.key 1024 Generating RSA private key, 1024 bit long modulus ...++++++ ...++++++ e is 65537 (0x10001) Enter pass phrase for https.key: 139880595519376:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters Enter pass phrase for https.key: Verifying - Enter pass phrase for https.key: #3、创建签名请求证书 openssl req -new -key https.key -out https.csr ### \[root@ocean-app-1a-01 cert\]# openssl req -new -key https.key -out https.csr Enter pass phrase for https.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) \[XX\]:rancher string is too long, it needs to be less than 2 bytes long Country Name (2 letter code) \[XX\]:CN State or Province Name (full name) \[\]:BJ Locality Name (eg, city) \[Default City\]:beijing Organization Name (eg, company) \[Default Company Ltd\]: Organizational Unit Name (eg, section) \[\]: Common Name (eg, your name or your server's hostname) \[\]: Email Address \[\]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password \[\]:rancher An optional company name \[\]: #4、在加载SSL支持的Nginx并使用上述私钥时除去必须的口令 $ cp https.key https.key.org $ openssl rsa -in https.key.org -out https.key ## 输入 rancher \[root@ocean-app-1a-01 cert\]# openssl rsa -in https.key.org -out https.key ## 输入 rancher Enter pass phrase for https.key.org: writing RSA key #5、最后标记证书使用上述私钥和CSR和有效期 openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt \[root@ocean-app-1a-01 cert\]# openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt Signature ok subject=/C=CN/ST=BJ/L=beijing/O=Default Company Ltd Getting Private key #6、nginx添加配置如下: #### 示例 server { listen 443 ssl; #监听443端口 server_name linking-rancher.di.bigdata; ssl_certificate /etc/nginx/conf.d/cert/https.crt; ssl_certificate_key /etc/nginx/conf.d/cert/https.key; ssl_session_timeout 5m; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Accept-Encoding 'gzip'; ##配置使wss协议生效 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; client_max_body_size 2G; proxy_pass https://rancher; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } #### 实际配置 server { listen 443 ssl; server_name linking-rancher.di.bigdata; ssl_certificate /etc/nginx/conf.d/cert/https.crt; ssl_certificate_key /etc/nginx/conf.d/cert/https.key; ssl_session_timeout 5m; location / { proxy_pass https://rancher; proxy_redirect off; ##配置使wss协议生效 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; #下面的参数取决环境需要 #后端的Web服务器可以通过X-Forwarded-For获取用户真实IP proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 2G; #允许客户端请求的最大单文件字节数 client_body_buffer_size 512k; #缓冲区代理缓冲用户端请求的最大字节数 proxy_connect_timeout 300; #nginx跟后端服务器连接超时时间(代理连接超时) proxy_send_timeout 300; #后端服务器数据回传时间(代理发送超时) proxy_read_timeout 300; #连接成功后,后端服务器响应时间(代理接收超时) proxy_buffer_size 4k; #设置代理服务器(nginx)保存用户头信息的缓冲区大小 proxy_buffers 4 32k; #proxy_buffers缓冲区,网页平均在32k以下的话,这样设置 proxy_busy_buffers_size 64k; #高负荷下缓冲大小(proxy_buffers*2) proxy_temp_file_write_size 64k; #设定缓存文件夹大小 fastcgi_buffer_size 128k; fastcgi_buffers 8 128k; fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; } location = /50x.html { root /usr/share/nginx/html; } } #### 8443 是自动部署rancher 暴露的端口 https协议 upstream rancher{ server 10.0.0.24:8443; server 10.0.0.24:8080; }

相关推荐
林克爱塞尔达7 分钟前
Linux入门(二)
linux·运维·chrome
Hello.Reader13 分钟前
Kafka 运维实战基本操作含命令与最佳实践
运维·kafka·linq
存储服务专家StorageExpert31 分钟前
手搓一个 DELL EMC Unity存储系统健康检查清单
linux·运维·服务器·存储维护·emc存储
SonOfWind03111 小时前
CentOS搭建本地源
linux·运维·centos
IT成长日记1 小时前
【Nginx开荒攻略】Nginx主配置文件结构与核心模块详解:从0到1掌握nginx.conf:
linux·运维·nginx·配置文件
代码的余温2 小时前
Web服务器VS应用服务器:核心差异解析
运维·服务器·前端
NiKo_W3 小时前
Linux 开发工具(1)
linux·运维·服务器
艾莉丝努力练剑3 小时前
【C++】类和对象(下):初始化列表、类型转换、Static、友元、内部类、匿名对象/有名对象、优化
linux·运维·c++·经验分享
-SGlow-4 小时前
Linux相关概念和易错知识点(45)(网络层、网段划分)
linux·运维·服务器·网络
潘潘潘潘潘潘潘潘潘潘潘潘4 小时前
【MySQL】从零开始学习MySQL:基础与安装指南
linux·运维·服务器·数据库·学习·mysql
热门推荐
01GitHub 镜像站点02KGG转MP3工具|非KGM文件|解密音频03A股预测还能更准?开源大模型Kronos带你跑通预测+回测全流程04UV安装并设置国内源0546个Nano-banana 精选提示词,持续更新中06UV 工具安装与国内镜像源配置指南07conda中设置镜像地址(附所有可换的地址)08智能库存管理的需求预测模型:从业务痛点到落地代码的完整实践09突破百度网盘的下载限速,两种方法教会你【超详细】10Spec-Kit 使用指南