使用 OpenSSL 创建自签名证书

乐优刘@07242024-09-03 10:47

mkdir -p /etc/nginx/conf.d/cert

#2、创建私钥

openssl genrsa -des3 -out https.key 1024

提示输入字符:

输入字符:rancher

root@ocean-app-1a-01 cert\]# openssl genrsa -des3 -out https.key 1024 Generating RSA private key, 1024 bit long modulus ...++++++ ...++++++ e is 65537 (0x10001) Enter pass phrase for https.key: 139880595519376:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters Enter pass phrase for https.key: Verifying - Enter pass phrase for https.key: #3、创建签名请求证书 openssl req -new -key https.key -out https.csr ### \[root@ocean-app-1a-01 cert\]# openssl req -new -key https.key -out https.csr Enter pass phrase for https.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) \[XX\]:rancher string is too long, it needs to be less than 2 bytes long Country Name (2 letter code) \[XX\]:CN State or Province Name (full name) \[\]:BJ Locality Name (eg, city) \[Default City\]:beijing Organization Name (eg, company) \[Default Company Ltd\]: Organizational Unit Name (eg, section) \[\]: Common Name (eg, your name or your server's hostname) \[\]: Email Address \[\]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password \[\]:rancher An optional company name \[\]: #4、在加载SSL支持的Nginx并使用上述私钥时除去必须的口令 $ cp https.key https.key.org $ openssl rsa -in https.key.org -out https.key ## 输入 rancher \[root@ocean-app-1a-01 cert\]# openssl rsa -in https.key.org -out https.key ## 输入 rancher Enter pass phrase for https.key.org: writing RSA key #5、最后标记证书使用上述私钥和CSR和有效期 openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt \[root@ocean-app-1a-01 cert\]# openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt Signature ok subject=/C=CN/ST=BJ/L=beijing/O=Default Company Ltd Getting Private key #6、nginx添加配置如下: #### 示例 server { listen 443 ssl; #监听443端口 server_name linking-rancher.di.bigdata; ssl_certificate /etc/nginx/conf.d/cert/https.crt; ssl_certificate_key /etc/nginx/conf.d/cert/https.key; ssl_session_timeout 5m; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Accept-Encoding 'gzip'; ##配置使wss协议生效 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; client_max_body_size 2G; proxy_pass https://rancher; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } #### 实际配置 server { listen 443 ssl; server_name linking-rancher.di.bigdata; ssl_certificate /etc/nginx/conf.d/cert/https.crt; ssl_certificate_key /etc/nginx/conf.d/cert/https.key; ssl_session_timeout 5m; location / { proxy_pass https://rancher; proxy_redirect off; ##配置使wss协议生效 proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; #下面的参数取决环境需要 #后端的Web服务器可以通过X-Forwarded-For获取用户真实IP proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 2G; #允许客户端请求的最大单文件字节数 client_body_buffer_size 512k; #缓冲区代理缓冲用户端请求的最大字节数 proxy_connect_timeout 300; #nginx跟后端服务器连接超时时间(代理连接超时) proxy_send_timeout 300; #后端服务器数据回传时间(代理发送超时) proxy_read_timeout 300; #连接成功后,后端服务器响应时间(代理接收超时) proxy_buffer_size 4k; #设置代理服务器(nginx)保存用户头信息的缓冲区大小 proxy_buffers 4 32k; #proxy_buffers缓冲区,网页平均在32k以下的话,这样设置 proxy_busy_buffers_size 64k; #高负荷下缓冲大小(proxy_buffers*2) proxy_temp_file_write_size 64k; #设定缓存文件夹大小 fastcgi_buffer_size 128k; fastcgi_buffers 8 128k; fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; } location = /50x.html { root /usr/share/nginx/html; } } #### 8443 是自动部署rancher 暴露的端口 https协议 upstream rancher{ server 10.0.0.24:8443; server 10.0.0.24:8080; }

相关推荐
Fcy64843 分钟前
Linux下 进程(一)(冯诺依曼体系、操作系统、进程基本概念与基本操作)
linux·运维·服务器·进程
袁袁袁袁满1 小时前
Linux怎么查看最新下载的文件
linux·运维·服务器
代码游侠1 小时前
学习笔记——设备树基础
linux·运维·开发语言·单片机·算法
Harvey9031 小时前
通过 Helm 部署 Nginx 应用的完整标准化步骤
linux·运维·nginx·k8s
珠海西格电力科技2 小时前
微电网能量平衡理论的实现条件在不同场景下有哪些差异?
运维·服务器·网络·人工智能·云计算·智慧城市
释怀不想释怀3 小时前
Linux环境变量
linux·运维·服务器
zzzsde3 小时前
【Linux】进程(4):进程优先级&&调度队列
linux·运维·服务器
聆风吟º4 小时前
CANN开源项目实战指南:使用oam-tools构建自动化故障诊断与运维可观测性体系
运维·开源·自动化·cann
NPE~4 小时前
自动化工具Drissonpage 保姆级教程(含xpath语法)
运维·后端·爬虫·自动化·网络爬虫·xpath·浏览器自动化
神梦流5 小时前
GE 引擎的内存优化终局:静态生命周期分析指导下的内存分配与复用策略
linux·运维·服务器
热门推荐
01GitHub 镜像站点02Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services03openclaw配置教程(linux+局域网ollama)04OpenClaw Chrome扩展使用教程 - 浏览器中继控制05Linux下V2Ray安装配置指南06UV安装并设置国内源07Claude Code Skills 实用使用手册08一文了解国产算子编程语言 TileLang,TileLang 对国产开源生态的影响与启示09让 Trae IDE 智能体 “读懂”文档 Excel+PDF+DOCX :mcp-documents-reader 工具使用指南10Vue-skills的中文文档