The world is full of HTTPS now, and anything that talks to the outside usually needs HTTPS pages as well. Security is taken more and more seriously, and the cost is low, so setting up an SSL certificate is simply the natural thing to do.

This time I used the PositiveSSL Wildcard product issued by Comodo and bought on namecheap; the price stung a little, about RMB600 in the end.

Some details differ from the AlphaSSL certificate I got earlier, so I am writing them down briefly for later reference.

After paying, an inactive certificate appears under the namecheap account; configuring and installing it is up to you.

First generate a key on your own machine. The steps are:

openssl genrsa -rand /var/log/authd.log -out aminer.org.key 2048   # -rand only adds extra seed material; the OS RNG is used anyway
openssl req -new -key aminer.org.key -sha256 -out aminer.org.csr      # the CSR: this is what the CA gets
cp aminer.org.key aminer.org.key.origin                               # backup of the private key; keep it off any shared location
openssl x509 -req -days 365 -in aminer.org.csr -signkey aminer.org.key -out aminer.org.crt   # optional self-signed stand-in until the real certificate arrives; not sent to the CA

It prompts for roughly the following:

11059 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..+++
.......+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN   # country code
State or Province Name (full name) [Some-State]:Beijing  # province
Locality Name (eg, city) []:Beijing  # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tsinghua University  # organization
Organizational Unit Name (eg, section) []:KEG  # finer-grained unit
Common Name (e.g. server FQDN or YOUR name) []:*.aminer.org   # must be the wildcard name; it matches one label of subdomain (static.aminer.org); the bare aminer.org is covered because Comodo adds it as a Subject Alternative Name, not by the wildcard itself
Email Address []:admin@aminer.org # for receiving mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # can be left blank
An optional company name []: # can be left blank
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Tsinghua University/OU=KEG/CN=*.aminer.org/emailAddress=admin@aminer.org
Getting Private key

This leaves you with a set of files. The .csr is what you hand to Comodo (the self-signed .crt from the last command is only a placeholder for your own server and is never sent to the CA); the .key file must be kept safe and should never leave the server.

Submit the .csr during activation, then check admin@yourdomain.com for the domain-control validation mail and confirm it. After that, the email address entered earlier receives a confirmation message with an attachment. The attachment contains roughly:

STAR_yourdomainname.crt
ComodoRSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt

You need to concatenate all the certificates into a single bundle, in this order: your own certificate first, then the intermediates, then the root (the root is optional, since clients already trust it):

cat STAR_yourdomainname.crt ComodoRSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cert_chain.crt
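The key and CSR generation at the start and the bundle assembly just above are the two places where things go wrong in practice (a CSR without the bare domain, a bundle in the wrong order or with two PEM blocks glued onto one line, a key that does not belong to the certificate). The script below is an added example, not code from the original post: it generates the key and CSR non-interactively, builds the bundle safely, and checks order, validity and key match before anything is deployed. It requires the openssl command-line tool; the function names are this example's own, the file names follow the post, and the demo chain it builds is a constructed stand-in for the Comodo files.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the key and CSR
# non-interactively, build the cert_chain.crt bundle for nginx and check it
# before deploying. Needs the openssl command-line tool; function names
# are this example's own, file names follow the post.

# Key + CSR in one step. -subj replaces the interactive prompts, and the SAN
# extension lists both the wildcard and the bare domain, because "*.aminer.org"
# on its own matches exactly one label (static.aminer.org, not aminer.org).
gen_key_and_csr() {  # gen_key_and_csr <key-file> <csr-file> <domain>
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\nsubjectAltName = DNS:*.%s,DNS:%s\n' \
        "$3" "$3" > "$1.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout "$1" -out "$2" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Tsinghua University/OU=KEG/CN=*.$3" \
        -config "$1.cnf" -reqexts san 2>/dev/null
    rm -f "$1.cnf"; chmod 600 "$1"
}

# Concatenate PEM files leaf first, then intermediates, then (optionally) the
# root, inserting a newline wherever a file lacks a trailing one so that
# "-----END CERTIFICATE-----" never runs into the next "-----BEGIN".
build_chain() {  # build_chain <out-bundle> <leaf> <intermediate>... [root]
    out=$1; shift; : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
}

count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Write the i-th certificate of a bundle to <prefix>.i (1-based).
split_bundle() {  # split_bundle <bundle> <prefix>
    awk -v p="$2" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (p "." n)}' "$1"
}

# Each certificate must be issued by the one after it: the order nginx needs.
chain_in_order() {  # chain_in_order <bundle>
    d=$(mktemp -d); split_bundle "$1" "$d/c"; n=$(count_certs "$1"); rc=0; i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$d/c.$i" -noout -issuer)
        sub=$(openssl x509 -in "$d/c.$((i + 1))" -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$d"; return $rc
}

# Validate the leaf up to the trust anchor using only the bundle's own
# intermediates, i.e. what a browser does with what nginx serves.
verify_chain() {  # verify_chain <bundle> <root-ca-file>
    d=$(mktemp -d); split_bundle "$1" "$d/c"; n=$(count_certs "$1"); i=2
    : > "$d/inter"
    while [ "$i" -le "$n" ]; do cat "$d/c.$i" >> "$d/inter"; i=$((i + 1)); done
    if [ "$n" -gt 1 ]; then
        openssl verify -CAfile "$2" -untrusted "$d/inter" "$d/c.1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$d/c.1" >/dev/null 2>&1
    fi
    rc=$?; rm -rf "$d"; return $rc
}

# The private key must belong to the leaf: compare the public keys they carry.
key_matches_cert() {  # key_matches_cert <cert> <key>
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)" ]
}

# Constructed throwaway chain (root -> intermediate -> wildcard leaf) that
# stands in for the Comodo files so everything above can be run offline.
make_demo_chain() {  # make_demo_chain <dir>
    d=$1; cfg=$d/ca.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n[ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n[leaf]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:*.aminer.org,DNS:aminer.org\n' > "$cfg"
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=Demo Root" -days 2 -config "$cfg" -extensions ca 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Demo Intermediate" -config "$cfg" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/inter.crt" -days 2 -extfile "$cfg" -extensions ca 2>/dev/null
    gen_key_and_csr "$d/leaf.key" "$d/leaf.csr" aminer.org
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
        -out "$d/leaf.crt" -days 2 -extfile "$cfg" -extensions leaf 2>/dev/null
}

# "sh chain_check.sh demo" (hypothetical file name) runs the checks end to end.
if [ "${1-}" = "demo" ]; then
    w=$(mktemp -d); make_demo_chain "$w"
    build_chain "$w/cert_chain.crt" "$w/leaf.crt" "$w/inter.crt" "$w/root.crt"
    chain_in_order "$w/cert_chain.crt" && verify_chain "$w/cert_chain.crt" "$w/root.crt" \
        && key_matches_cert "$w/leaf.crt" "$w/leaf.key" && echo "chain OK: $w/cert_chain.crt"
fi
```

For the real certificate, call build_chain with STAR_yourdomainname.crt and the Comodo intermediates, then verify_chain against AddTrustExternalCARoot.crt and key_matches_cert against aminer.org.key; a non-zero exit from any of the three means the bundle should not go into nginx yet.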

Then configure nginx as follows:

server {
        listen 443 default_server ssl;
        server_name static.aminer.org;

        ssl on;                                                # redundant once "listen ... ssl" is used; newer nginx warns about it
        ssl_certificate /path_of_cert_chain/cert_chain.crt;    # the bundle built above, own certificate first
        ssl_certificate_key /path_of_key/aminer.org.key;       # readable by root only
        ssl_dhparam /path_to_dhparam/dhparam.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                   # TLSv1 and TLSv1.1 are deprecated now; keep only TLSv1.2 (and TLSv1.3 where supported) unless old clients require them
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;                                       # verified stapling also needs ssl_trusted_certificate and a resolver
        ssl_stapling_verify on;

        add_header Strict-Transport-Security max-age=15768000;

        # SOMETHING ELSE
}

Adding the lines above is roughly all there is to it. Three caveats on the snippet: "ssl on;" is redundant once the listen directive carries the ssl parameter, and recent nginx versions warn about it; TLSv1 and TLSv1.1 are deprecated today and should be dropped unless a known old client needs them; and "ssl_stapling_verify on" only takes effect if nginx also has ssl_trusted_certificate pointing at the intermediates plus root and a resolver with which to reach the OCSP responder, otherwise nginx logs a warning and serves no stapled response at all.

Did you notice the default_server after listen 443, before ssl? It is there to deal with this error:

2015/05/25 21:52:16 [error] 29179#0: *9264 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443

At least one default_server is needed to get rid of this error. Why? I didn't figure it out. My other server doesn't seem to have this problem... The reason is that nginx starts the TLS handshake in the default server for that listening socket, before any SNI name has been read (and for clients that send none at all), so the default server must carry an ssl_certificate; if some other server block on port 443 without one happens to be the implicit default (the first such block in the configuration), the handshake fails with exactly this message. Marking this block default_server fixes the selection, and a server whose port-443 blocks all carry certificates never hits it.

Also, the dhparam file has to be generated on the system; the command is simple (4096 bits can take a long while on a slow machine, and the parameters only affect the DHE-* suites, since ECDHE does not use them):

openssl dhparam -out dhparam.pem 4096
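As an added example that is not the post's own configuration, here is the same site with the pieces the snippet above leaves implicit: a plaintext redirect, TLSv1.2 and TLSv1.3 only, and the two directives without which verified stapling never works. It assumes the bundle, key and dhparam live under /etc/nginx/ssl (placeholder paths), that a second file ca_chain.crt holds only the Comodo intermediates plus root for stapling verification, and that public resolvers are acceptable for OCSP lookups; the TLSv1.3 line requires nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example, not the post's own config. Placeholder paths under /etc/nginx/ssl.
server {
    listen 80;
    server_name static.aminer.org;
    return 301 https://$host$request_uri;   # never serve the site in the clear
}

server {
    listen 443 ssl default_server;          # "ssl" on listen replaces the old "ssl on;"
    server_name static.aminer.org;

    ssl_certificate     /etc/nginx/ssl/cert_chain.crt;   # own certificate first, then intermediates
    ssl_certificate_key /etc/nginx/ssl/aminer.org.key;   # mode 0600, owned by root
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;      # used by the DHE-* suites only

    # TLSv1/TLSv1.1 dropped; TLSv1.3 needs nginx >= 1.13.0 with OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;                # ticket keys are not rotated automatically; avoid them unless you rotate

    # OCSP stapling: ssl_stapling_verify only works when nginx can build the
    # issuer chain itself (ssl_trusted_certificate) and resolve the responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/ca_chain.crt;   # intermediates + root, no leaf
    resolver 1.1.1.1 8.8.8.8 valid=300s;                   # placeholder resolvers
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=15768000" always;

    # SOMETHING ELSE
}
```

Run nginx -t after editing, then check that stapling is actually on with openssl s_client -connect static.aminer.org:443 -status; the response should contain an "OCSP Response Status: successful" block rather than "OCSP response: no response sent".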

Finally, run a test at SSL Labs and you are done: https://www.ssllabs.com/ssltest/analyze.html

Related links:

  • 1. 官方介绍: https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
  • 2. youran同学的相关提示: https://wordpress.youran.me/nginx-ssl/
Wherever you came from, I am glad you read this far. If this post was useful to you, or something in it falls short, please do not hesitate to leave a reply. Thanks!