The world is full of HTTPS now, and anyone who deals with the outside world ends up needing HTTPS pages too. Security gets more attention every year, the cost is not high, so setting up SSL is simply the thing to do.
This time the product is Comodo's PositiveSSL Wildcard, bought through namecheap. The price stings a little: in practice it came to about RMB 600.
Some details differ from the AlphaSSL certificate I got before, so here is a short record for future reference.
After paying, an inactive certificate appears under the namecheap account; you have to configure and install it yourself.
First, generate a key on your own machine. The steps:
    openssl genrsa -rand /var/log/authd.log -out aminer.org.key 2048    # private key; -rand only feeds an extra file into the entropy pool
    openssl req -new -key aminer.org.key -sha256 -out aminer.org.csr    # certificate signing request: this is what the CA gets
    cp aminer.org.key aminer.org.key.origin                             # spare copy of the key
    openssl x509 -req -days 365 -in aminer.org.csr -signkey aminer.org.key -out aminer.org.crt   # self-signed placeholder, handy for testing nginx before the real cert arrives; not sent to the CA
The prompts, and what to fill in, look roughly like this:
    11059 semi-random bytes loaded
    Generating RSA private key, 2048 bit long modulus
    ..+++
    .......+++
    e is 65537 (0x10001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN                                        # country code
    State or Province Name (full name) [Some-State]:Beijing                     # province
    Locality Name (eg, city) []:Beijing                                         # city
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tsinghua University   # organization
    Organizational Unit Name (eg, section) []:KEG                               # smaller unit
    Common Name (e.g. server FQDN or YOUR name) []:*.aminer.org                 # must be the wildcard name, see below
    Email Address []:foo@bar.xyz                                                # contact mailbox
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:                                                    # can be left blank
    An optional company name []:                                                # can be left blank
    Signature ok
    subject=/C=CN/ST=Beijing/L=Beijing/O=Tsinghua University/OU=KEG/CN=*.aminer.org/emailAddress=foo@bar.xyz
    Getting Private key
The Common Name must be the wildcard form of the domain, here *.aminer.org. Note that a wildcard only matches one label (static.aminer.org, www.aminer.org), not the bare aminer.org; the apex is still covered in practice because Comodo adds it as a Subject Alternative Name on the issued wildcard certificate. The challenge password is a CSR attribute, not a passphrase on the key; leaving it blank is fine.
This leaves a set of files. What Namecheap's activation form wants is the CSR (aminer.org.csr): paste its PEM text in during activation. The .crt produced by the last command is only a self-signed placeholder and never goes to the CA. The .key file must be kept private (mode 0600, outside the web root, never committed anywhere).
After the CSR is submitted, domain-control validation mails admin@yourdomain.com (one of the approved addresses for the domain); confirm it there. The email address entered earlier then receives a confirmation mail with an attachment, roughly these files:
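The same key and CSR generated non-interactively, as an added example (not the post's own commands), with one thing the interactive run above cannot do: a subjectAltName listing both the wildcard and the apex, so the request carries exactly the names the issued certificate should. The domain example.org, the DN values, the working directory and the check functions are this example's assumptions; Namecheap's form only needs the PEM text of the resulting .csr.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a wildcard key + CSR
# without prompts and runs the checks worth doing before pasting the CSR into
# the CA's form. DOMAIN and all DN values are hypothetical stand-ins.
set -eu

DOMAIN="${DOMAIN:-example.org}"      # assumption: stand-in for the real domain
WORK="${WORK:-$(mktemp -d)}"         # scratch directory

# Private key, 2048-bit RSA as in the post. Never leaves this machine.
gen_key() {
    openssl genrsa -out "$WORK/$DOMAIN.key" 2048 2>/dev/null
    chmod 0600 "$WORK/$DOMAIN.key"
}

# Request config: same DN fields the interactive run asks for, plus a
# subjectAltName with the wildcard AND the apex (the CN alone covers only
# one label, so the apex has to be asked for explicitly).
write_req_conf() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C  = CN
ST = Beijing
L  = Beijing
O  = Example Org
OU = Ops
CN = *.$DOMAIN
[v3_req]
subjectAltName = DNS:*.$DOMAIN, DNS:$DOMAIN
EOF
}

gen_csr() {
    openssl req -new -sha256 -key "$WORK/$DOMAIN.key" \
        -config "$WORK/req.cnf" -out "$WORK/$DOMAIN.csr"
}

# Pre-submission checks.
csr_subject() { openssl req -noout -subject -in "$WORK/$DOMAIN.csr"; }
# Extract the SAN line from the decoded request, whitespace stripped.
csr_sans() {
    openssl req -noout -text -in "$WORK/$DOMAIN.csr" \
        | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}
# The CSR is self-signed with the key; a bad signature means a corrupt file.
csr_sig_ok() { openssl req -noout -verify -in "$WORK/$DOMAIN.csr" >/dev/null 2>&1; }
# Key and CSR must share a modulus, otherwise the wrong key file was used and
# the certificate the CA issues will be useless.
key_matches_csr() {
    [ "$(openssl rsa -noout -modulus -in "$WORK/$DOMAIN.key")" = \
      "$(openssl req -noout -modulus -in "$WORK/$DOMAIN.csr")" ]
}

gen_key
write_req_conf
gen_csr
echo "CSR written to $WORK/$DOMAIN.csr"
csr_subject
csr_sans
```

Running it prints the subject and the SAN list; `key_matches_csr` and `csr_sig_ok` return non-zero on a mismatch, so they can gate a deployment script.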
    STAR_youdomainname.crt
    ComodoRSADomainValidationSecureServerCA.crt
    COMODORSAAddTrustCA.crt
    AddTrustExternalCARoot.crt
You need to concatenate these into one file for nginx, and the order matters: your own certificate first, then the intermediates, each one the issuer of the one before it. The root (AddTrustExternalCARoot.crt) is optional, since clients have to trust it already, but including it does no harm. Check that every file ends with a newline before concatenating; otherwise an END CERTIFICATE line runs straight into the next BEGIN and nginx rejects the bundle. Use > rather than >>, so that re-running the command does not double the chain.
    cat STAR_youdomainname.crt ComodoRSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cert_chain.crt
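An added example (not the post's own commands) of building and checking the bundle before it goes near nginx. A throw-away local root and intermediate stand in for the Comodo chain, because the real intermediates are not on this page; example.org, the CA names and the scratch directory are assumptions. The point is the checks at the end: the first certificate in the file is the server's, the leaf verifies up to the root through the intermediate, and the private key matches the leaf.

```shell
#!/bin/sh
# Added example, not from the original post. A local two-level CA signs the
# wildcard CSR so the chain file can be assembled and verified offline; with
# the real Comodo files the make_ca/make_leaf steps are replaced by the mail
# attachment and only build_chain + the checks apply.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DOMAIN="example.org"                     # assumption: stand-in domain

# Minimal req config so `openssl req -subj` works even without a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/min.cnf"
req() { openssl req -new -config "$WORK/min.cnf" -newkey rsa:2048 -nodes -sha256 "$@" 2>/dev/null; }
ext() { printf '%s\n' "$@" > "$WORK/ext.cnf"; }   # write an x509 extension file

# Stand-in CA: self-signed root, intermediate signed by it (CA:TRUE, pathlen 0).
make_ca() {
    req -subj "/CN=Stand-in Root" -keyout "$WORK/root.key" -out "$WORK/root.csr"
    ext 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign'
    openssl x509 -req -sha256 -days 30 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/ext.cnf" -out "$WORK/root.crt" 2>/dev/null
    req -subj "/CN=Stand-in Intermediate" -keyout "$WORK/int.key" -out "$WORK/int.csr"
    ext 'basicConstraints=critical,CA:TRUE,pathlen:0' 'keyUsage=critical,keyCertSign,cRLSign'
    openssl x509 -req -sha256 -days 30 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ext.cnf" -out "$WORK/int.crt" 2>/dev/null
}

# Leaf: the wildcard key/CSR from the post, signed by the intermediate, with
# the apex added as a SAN the way the CA does it.
make_leaf() {
    req -subj "/CN=*.$DOMAIN" -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr"
    ext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" 'basicConstraints=CA:FALSE'
    openssl x509 -req -sha256 -days 30 -in "$WORK/$DOMAIN.csr" -CA "$WORK/int.crt" \
        -CAkey "$WORK/int.key" -CAcreateserial -extfile "$WORK/ext.cnf" \
        -out "$WORK/STAR_$DOMAIN.crt" 2>/dev/null
}

# Server certificate first, then the intermediate(s). nginx sends the file as
# is, so a wrong order means clients get the intermediate as "the" server cert.
# The root is left out: clients must already have it.
build_chain() {
    cat "$WORK/STAR_$DOMAIN.crt" "$WORK/int.crt" > "$WORK/cert_chain.crt"
}

# Checks a practitioner runs on the bundle.
chain_cert_count() { grep -c 'BEGIN CERTIFICATE' "$WORK/cert_chain.crt"; }
chain_first_cn()   { openssl x509 -noout -subject -in "$WORK/cert_chain.crt"; }   # x509 reads only the first PEM
chain_verifies() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" \
        "$WORK/STAR_$DOMAIN.crt" >/dev/null 2>&1
}
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$WORK/$DOMAIN.key")" = \
      "$(openssl x509 -noout -modulus -in "$WORK/cert_chain.crt")" ]
}
# What a misordered cat produces: the first cert is the intermediate.
wrong_order_first_cn() {
    cat "$WORK/int.crt" "$WORK/STAR_$DOMAIN.crt" | openssl x509 -noout -subject
}

make_ca; make_leaf; build_chain
chain_first_cn; chain_verifies && echo "chain verifies"; key_matches_cert && echo "key matches leaf"
```

With the real files, `chain_verifies` becomes `openssl verify -untrusted cert_chain.crt STAR_youdomainname.crt` against the system trust store; a "unable to get local issuer certificate" result there means an intermediate is missing or in the wrong place.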
Then the nginx configuration looks like this:
    server {
        listen 443 default_server ssl;
        server_name static.aminer.org;
        ssl on;
        ssl_certificate /path_of_cert_chain/cert_chain.crt;
        ssl_certificate_key /path_of_key/aminer.org.key;
        ssl_dhparam /path_to_dhparam/dhparam.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;
        add_header Strict-Transport-Security max-age=15768000;
        # SOMETHING ELSE
    }
Add those lines and you are essentially done. A few things worth knowing about them: ssl on; is redundant once listen carries the ssl parameter (later nginx versions deprecate it); ssl_stapling_verify on only does anything if nginx can reach the OCSP responder, which needs a resolver directive, and can verify the response against the issuer chain, which needs ssl_trusted_certificate pointing at the intermediates plus root, otherwise nginx logs a warning and serves no staple; the ssl_certificate path must match the bundle's real file name (cert_chain.crt above); and TLSv1 and TLSv1.1 are only there for old clients and can be dropped if you do not need them. The cipher string is the Mozilla "intermediate" list of the time; it must be a single unbroken line.
You may have noticed the word default_server after listen 443 and before ssl. It is there to deal with this error:
    2015/05/25 21:52:16 [error] 29179#0: *9264 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
At least one default_server is needed to get rid of the error. Why? I never worked that out. My other server doesn't seem to have this problem...
What nginx is actually doing: the TLS handshake happens before any Host header is seen, so for a connection whose SNI name matches no server_name (or that sends no SNI at all, as a curl to 127.0.0.1 does) nginx uses the default server for 0.0.0.0:443. That is the first server block listening on the port unless one is marked default_server. If that block has no ssl_certificate, the handshake fails with exactly this message. Marking a block that does have a certificate as default_server makes it the one that answers those connections, which is why the error disappears, and a host whose first 443 block already carries a certificate never sees it.
The dhparam file also has to be generated on the system; the command is easy:
    openssl dhparam -out dhparam.pem 4096
Expect 4096 bits to take a long time (many minutes, much longer on a small VPS); 2048 bits is the usual choice for the DHE suites in the cipher list above. Generate it once and keep it next to the key, outside the web root.
Finally, run a test on SSL Labs and you are done: https://www.ssllabs.com/ssltest/analyze.html
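A local check that covers the points the configuration above is meant to deliver, as an added example that is not part of the original post: it parses openssl s_client output for a complete chain, an OCSP staple and the HSTS header. The probe function talks to a live host (the name is an assumption); the parser is separate so it can be exercised on the constructed sample output embedded below.

```shell
#!/bin/sh
# Added example, not from the original post. Probe a TLS endpoint the way the
# nginx config above is meant to behave. HOST is hypothetical; SAMPLE_* are
# constructed fragments of s_client output used to exercise the parser offline.
set -eu

# One connection: -servername sends SNI so the right server block answers,
# -status requests an OCSP staple, -ign_eof keeps the session open until the
# server closes it so the HTTP/1.0 response (and its headers) arrives.
probe() {
    host="$1"
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$host" |
        openssl s_client -connect "$host:443" -servername "$host" -status -ign_eof 2>&1
}

# Reads s_client output on stdin, prints one line per finding, returns
# non-zero if any check fails.
check_handshake() {
    out="$(cat)"
    rc=0
    # Verify return code 0 means the client built a chain to a trusted root;
    # code 21 (unable to verify the first certificate) is the classic symptom
    # of a chain file that contains only the leaf.
    case "$out" in
        *"Verify return code: 0 (ok)"*) echo "chain: ok" ;;
        *) echo "chain: FAIL ($(printf '%s\n' "$out" | grep -m1 'Verify return code' || echo 'no verify line'))"; rc=1 ;;
    esac
    # Present only when ssl_stapling actually works (resolver + trusted chain).
    case "$out" in
        *"OCSP Response Status: successful"*) echo "ocsp stapling: ok" ;;
        *) echo "ocsp stapling: none (check resolver and ssl_trusted_certificate)"; rc=1 ;;
    esac
    # The add_header line in the server block.
    case "$out" in
        *"Strict-Transport-Security"*) echo "hsts: ok" ;;
        *) echo "hsts: missing"; rc=1 ;;
    esac
    proto="$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n1)"
    echo "protocol: ${proto:-unknown}"
    return $rc
}

# Constructed sample: what a correctly configured server produces (abridged).
SAMPLE_GOOD='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
---
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
'
# Constructed sample: leaf-only certificate file, no staple, no HSTS.
SAMPLE_LEAF_ONLY='CONNECTED(00000003)
OCSP response: no response sent
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 21 (unable to verify the first certificate)
---
HTTP/1.1 200 OK
'

# Usage against a real host: probe static.example.org | check_handshake
printf '%s' "$SAMPLE_GOOD" | check_handshake
```

Against a real host the three lines should all read "ok"; a "chain: FAIL" with code 21 points straight at the concatenation step, and a missing staple at the resolver / ssl_trusted_certificate directives rather than at the certificate itself.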
Related links:
- 1. Official guide: https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
- 2. youran's notes on the same topic: https://wordpress.youran.me/nginx-ssl/
10 Comments
二学长 · June 12, 2015 at 13:52
I just wonder whether one could reply directly by email and have it linked to the relevant comment.
yu · June 12, 2015 at 14:12
@二学长 Not at the moment... because the mail server and the site are not in the same place.
Also, you have to click "Reply Me" at the top right of a comment for the reply to work...
二学长 · June 12, 2015 at 14:18
@yu
No wonder the @ didn't work.
二学长 · June 12, 2015 at 13:51
@yu Yeah, this style of reply looks good, very clear.
二学长 · June 12, 2015 at 11:06
Recommending a blog post related to this one:
https://s.how/nginx-ssl/
yu · June 12, 2015 at 12:23
@二学长 Had a look; it seems no different from what I wrote...
yu · June 12, 2015 at 12:24
@二学长 Also, how does this indentation to mark replies feel?
yu · June 12, 2015 at 12:26
@二学长 That said, the domain that guy has is really something; the only other one like it I've seen is del.icio.us
youran · May 29, 2015 at 16:16
The wildcard certificate we applied for back then was issued improperly by that guy, haha. He later ran off; I heard that certificates some people got from him were later revoked by GlobalSign. Anyway, at that price, having used it this long without it being revoked was already worth it.
yu · May 29, 2015 at 19:59
@youran Indeed, thanks a lot for recommending it back then.
Buying the same certificate legitimately costs 600 a year; my heart bleeds... luckily it's not my own money.