版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/sinat_29843547/article/details/79704811
给官网配置HTTPS证书记录,第一次
当然要记录下来, 这是新出炉的官网themis官网
废话不多说,开始正题
1) 弯路
查阅到配置nginx 根证书,和秘钥就可以做到https正常访问
├── CACertificate-INTERMEDIATE-1.cer
├── CACertificate-ROOT-2.cer
├── themis.key
└── ServerCertificate.cer
这是老大给我的一窍不通的东西,老大提醒我,要建立证书链,还要注意移动设备访问证书会提示不安全的情况。
当时我还是很懵逼的。
查阅到如下配置
看看自己的防火墙 终端执行 iptables -L –line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
如上所示没有任何拦截,主要注意443端口拦截
如下配置nginx
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/nginx/sslcer/CACertificate-ROOT-2.cer;
ssl_certificate_key /etc/nginx/sslcer/themis.key;
ssl_session_timeout 5m;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
ssl_prefer_server_ciphers on;
location / {
root /data/www/themiswww;
index index.html index.htm;
}
}
终端执行 nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
这样是秘钥和服务器证书搭配正确
访问 https://themis.im https正常
然后发现移动设备果然提示了 证书不受信任
终端执行 openssl s_client -connect www.themis.im:443
发现提示了
...
verify error:num=20:unable to get local issuer certificate
verify return:1
...
verify error:num=27:certificate not trusted
verify return:1
...
verify error:num=21:unable to verify the first certificate
verify return:1
...
Certificate chain
0 s:/businessCategory=Private.../CN=www.abc.com
i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
…
最后的解决方案 生成证书链
终端执行 cat ServerCertificate.cer CACertificate-INTERMEDIATE-1.cer CACertificate-ROOT-2.cer > CACertificate-ROOT-1.pem
把 nginx 配置中的 CACertificate-ROOT-2.cer 替换为CACertificate-ROOT-1.pem
然后再次执行 openssl s_client -connect www.themis.im:443
Certificate chain
0 s:/CN=*.themis.im
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
......
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 512F18AE435BD0A126FE08BA6EC3A1D6343C4A2835B1C6F15B01C5E15B0BBFF0
Session-ID-ctx:
Master-Key: F86C0D5F7DF4DC436442CAE41CB6843769089AF5EC025525469ABD0461E612B63F530A55C35AA073EDE9C51BDF97A06D
Key-Arg : None
Start Time: 1522068649
Timeout : 300 (sec)
Verify return code: 0 (ok)
over.