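# 1. Create the directory nginx reads the certificate and key from
#    (the ssl_certificate / ssl_certificate_key paths in the config below point here).
mkdir -p /etc/nginx/conf.d/cert
# All later steps write https.key / https.csr / https.crt into the current
# directory (the transcript prompts show them run from "cert"), so change into
# it first; otherwise the files land wherever the shell happens to be and the
# nginx paths below will not find them.
cd /etc/nginx/conf.d/cert || exit 1
# Files created from here on are owner-readable only: the private key must
# never be world-readable.
umask 077
# 2. Create the private key (DES3-encrypted with a passphrase; step 4 strips it
#    again).  2048 bits rather than 1024: 1024-bit RSA is below the current
#    2048-bit minimum (OpenSSL security level 2, CA/Browser Forum baseline) and
#    is rejected by clients built with it.
openssl genrsa -des3 -out https.key 2048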
提示输入口令（pass phrase）:
输入字符:rancher
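# Transcript of step 2 (openssl genrsa above), kept for reference.  The first
# passphrase attempt was rejected: OpenSSL requires 4 to 1023 characters.
#   root@ocean-app-1a-01 cert]# openssl genrsa -des3 -out https.key 1024
#   Generating RSA private key, 1024 bit long modulus
#   ...++++++
#   ...++++++
#   e is 65537 (0x10001)
#   Enter pass phrase for https.key:
#   139880595519376:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
#   Enter pass phrase for https.key:
#   Verifying - Enter pass phrase for https.key:

# 3. Create the certificate signing request (CSR) from the private key.
#    The prompts are interactive.  Give the hostname nginx will serve
#    (server_name linking-rancher.di.bigdata in the config below) as the
#    Common Name; in the transcript below it was left blank, so the resulting
#    certificate names no host at all.  The challenge password is not used by
#    the self-signing step.
openssl req -new -key https.key -out https.csr
#   [root@ocean-app-1a-01 cert]# openssl req -new -key https.key -out https.csr
#   Enter pass phrase for https.key:
#   You are about to be asked to enter information that will be incorporated
#   into your certificate request.
#   What you are about to enter is what is called a Distinguished Name or a DN.
#   There are quite a few fields but you can leave some blank
#   For some fields there will be a default value,
#   If you enter '.', the field will be left blank.
#   Country Name (2 letter code) [XX]:rancher
#   string is too long, it needs to be less than 2 bytes long
#   Country Name (2 letter code) [XX]:CN
#   State or Province Name (full name) []:BJ
#   Locality Name (eg, city) [Default City]:beijing
#   Organization Name (eg, company) [Default Company Ltd]:
#   Organizational Unit Name (eg, section) []:
#   Common Name (eg, your name or your server's hostname) []:
#   Email Address []:
#
#   Please enter the following 'extra' attributes
#   to be sent with your certificate request
#   A challenge password []:rancher
#   An optional company name []:

# 4. Strip the passphrase so nginx (built with SSL support) can load the key
#    without being prompted at startup.  The encrypted copy is kept as
#    https.key.org.  Both files must be readable by root only.
cp https.key https.key.org
openssl rsa -in https.key.org -out https.key    # enter: rancher
chmod 600 https.key https.key.org
#   [root@ocean-app-1a-01 cert]# openssl rsa -in https.key.org -out https.key   ## enter rancher
#   Enter pass phrase for https.key.org:
#   writing RSA key

# 5. Finally self-sign: issue the certificate from the CSR with the private key
#    above, valid for 365 days.  -extfile adds a subjectAltName for the nginx
#    server_name: current clients check the hostname against the SAN (Chrome
#    ignores the CN), so without it the certificate cannot pass hostname
#    verification even once it has been trusted.
openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt \
  -extfile <(printf 'subjectAltName=DNS:linking-rancher.di.bigdata\n')
#   [root@ocean-app-1a-01 cert]# openssl x509 -req -days 365 -in https.csr -signkey https.key -out https.crt
#   Signature ok
#   subject=/C=CN/ST=BJ/L=beijing/O=Default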
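# (tail of the "openssl x509" output from step 5 above:)
#   Company Ltd
#   Getting Private key

# 6. Add the following nginx configuration (a conf.d file, i.e. http context).

# Used by the Connection header in both server blocks below (the nginx
# documented WebSocket pattern): send "Connection: upgrade" only when the client
# asked for an upgrade, "close" otherwise, instead of forcing "upgrade" onto
# every proxied request.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

#### Example

server {
    listen 443 ssl;   # listen on port 443
    server_name linking-rancher.di.bigdata;

    # TLSv1.2 and up only.  nginx before 1.13.0 does not know the TLSv1.3
    # token; drop it there.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Certificate and key created in steps 2-5.
    ssl_certificate /etc/nginx/conf.d/cert/https.crt;
    # The key is unencrypted since step 4; it must be owner-readable only (0600).
    ssl_certificate_key /etc/nginx/conf.d/cert/https.key;
    ssl_session_timeout 5m;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding 'gzip';
        ## make the wss (WebSocket over TLS) protocol work
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        client_max_body_size 2G;
        # NOTE(review): proxy_ssl_verify is off by default, so nginx accepts any
        # certificate the upstream presents.  Once the Rancher CA is available,
        # add "proxy_ssl_verify on;" and "proxy_ssl_trusted_certificate <path-to-rancher-ca>;".
        proxy_pass https://rancher;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    # (active, as in the stock nginx.conf; without it the /50x.html location
    # below is never used)
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

#### Actual configuration

server {
    listen 443 ssl;
    server_name linking-rancher.di.bigdata;
    # TLSv1.2 and up only (see the note in the example above about TLSv1.3).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate /etc/nginx/conf.d/cert/https.crt;
    # Unencrypted key from step 4: keep it owner-readable only (0600).
    ssl_certificate_key /etc/nginx/conf.d/cert/https.key;
    ssl_session_timeout 5m;

    location / {
        # NOTE(review): upstream certificate is not verified by default
        # (proxy_ssl_verify off); see the example block above.
        proxy_pass https://rancher;
        proxy_redirect off;
        ## make the wss protocol work
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # The parameters below depend on the environment.
        # The backend web server can read the client's real IP from X-Forwarded-For.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 2G;           # maximum size of a single file a client may send
        client_body_buffer_size 512k;      # maximum client request body buffered by the proxy
        proxy_connect_timeout 300;         # timeout for establishing the connection to the backend
        proxy_send_timeout 300;            # timeout for sending the request to the backend
        proxy_read_timeout 300;            # timeout for reading the backend response once connected
        proxy_buffer_size 4k;              # buffer for the first part (headers) of the backend response
        proxy_buffers 4 32k;               # response buffers; suited to pages averaging under 32k
        proxy_busy_buffers_size 64k;       # buffer size under high load (proxy_buffers * 2)
        proxy_temp_file_write_size 64k;    # amount written to the temp file at a time
        # The fastcgi_* buffer directives that used to follow here were removed:
        # they apply only to fastcgi_pass and have no effect in a proxy_pass
        # location.
    }

    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

#### 8443 is the port exposed by the auto-deployed Rancher, https protocol.
# proxy_pass above speaks TLS to every member of this upstream and nginx
# round-robins requests across them.
upstream rancher {
    server 10.0.0.24:8443;
    # NOTE(review): only 8443 is marked https above.  If 8080 is Rancher's
    # plain-HTTP listener, the TLS handshake to it fails and the requests sent
    # there error until nginx marks the peer down; confirm what 8080 serves or
    # remove this line.
    server 10.0.0.24:8080;
}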