现在的世界满是https,若想和外部相处,我们也常常需要使用到https的页面.安全越来越被人重视,而成本并不是很高,配置一个SSL自然是理所应当的.

这次使用的是从 namecheap 上购买的 comodo 提供的 positivessl wildcard产品,价格有点肉痛,实际上大概花了RMB600的样子.

有些细节和以前alphassl搞到的证书不太一样,所以稍稍记录下,以便以后查询.

掏钱后,在nemecheap账号下出现了一个inactive的证书,需要自己配置安装.

首先在自己的机器中生成一个key.过程如下:

openssl genrsa -rand /var/log/authd.log -out aminer.org.key 2048
openssl req -new -key aminer.org.key -sha256 -out aminer.org.csr
cp aminer.org.key aminer.org.key.origin
openssl x509 -req -days 365 -in aminer.org.csr -signkey aminer.org.key -out aminer.org.crt

它需要填写内容大致如下

11059 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
..+++
.......+++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN   #国家代码
State or Province Name (full name) [Some-State]:Beijing  #省
Locality Name (eg, city) []:Beijing  #市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Tsinghua University  #机构
Organizational Unit Name (eg, section) []:KEG  #更细的单位
Common Name (e.g. server FQDN or YOUR name) []: *.aminer.org   #此处必须是带通配符的域名.比如本例中,是所有aminer的子域名和aminer.org本身
Email Address []:foo@bar.xyz #收邮件用

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # 可以不填
An optional company name []: # 可以不写
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Tsinghua University/OU=KEG/CN=*.aminer.org/emailAddress=foo@bar.xyz
Getting Private key

最后生成个一组文件.其中.crt文件是要给comodo的,而.key文件要保存好.

.crt在active过程中提交,随后查收 admin@yourdomain.com 确认.然后在前面填写的 email address 中会收到一个确认信和附件. 附件内容大致如下:

STAR_youdomainname.crt
ComodoRSADomainValidationSecureServerCA.crt
COMODORSAAddTrustCA.crt
AddTrustExternalCARoot.crt

你需要把所有的证书合到一起

cat STAR_youdomainname.crt ComodoRSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalRoot.crt >> cert_chain.crt

然后nginx中配置如下:

server {
        listen 443 default_server ssl;
        server_name static.aminer.org;

        ssl on;
        ssl_certificate /path_of_cert_chain/cert_chain;
        ssl_certificate_key /path_of_key/aminer.org.key;
        ssl_dhparam /path_to_dhparam/dhparam.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:S256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_stapling on;
        ssl_stapling_verify on;

        add_header Strict-Transport-Security max-age=15768000;

        # SOMETHING ELSE
}

大致就是加上如上几行完事.

不知道你是否注意到,在listen 443后,ssl前,有个default_server字样.这是为了应付如下这个错误:

2015/05/25 21:52:16 [error] 29179#0: *9264 no "ssl_certificate" is defined in server listening on SSL port while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443

至少要有一个default_server才能除掉这个error.为啥?没明白.我的另一台服务器好像没这毛病...

另外,dhparam也是需要系统再生成个的,命令也很容易:

openssl dhparam -out dhparam.pem 4096

最后到ssllabs测一下就ok: https://www.ssllabs.com/ssltest/analyze.html

相关链接:

  • 1. 官方介绍: https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
  • 2. youran同学的相关提示: https://wordpress.youran.me/nginx-ssl/
Categories: Code

Yu

Ideals are like the stars: we never reach them, but like the mariners of the sea, we chart our course by them.

10 Comments

二学长 · June 12, 2015 at 13:52

Google Chrome 31.0.1650.63 Google Chrome 31.0.1650.63 GNU/Linux GNU/Linux

就是不知道能不能直接回邮件关联相关回复.

    yu · June 12, 2015 at 14:12

    Google Chrome 43.0.2357.81 Google Chrome 43.0.2357.81 Mac OS X  10.10.3 Mac OS X 10.10.3

    @二学长 目前做不到…因为邮件服务器和网站不在一块儿.

    另外,点击评论右上角Reply Me回复才行…

      二学长 · June 12, 2015 at 14:18

      Google Chrome 31.0.1650.63 Google Chrome 31.0.1650.63 GNU/Linux GNU/Linux

      @yu
      怪不得@不上

二学长 · June 12, 2015 at 13:51

Google Chrome 31.0.1650.63 Google Chrome 31.0.1650.63 GNU/Linux GNU/Linux

@yu 恩,这种回复看着不错啊,很清晰.

二学长 · June 12, 2015 at 11:06

Google Chrome 31.0.1650.63 Google Chrome 31.0.1650.63 GNU/Linux GNU/Linux

推荐一个跟本篇相关的博客文章:
https://s.how/nginx-ssl/

    yu · June 12, 2015 at 12:23

    Google Chrome 43.0.2357.81 Google Chrome 43.0.2357.81 Mac OS X  10.10.3 Mac OS X 10.10.3

    @二学长 看了下,好像和我说的没啥区别…

    yu · June 12, 2015 at 12:24

    Google Chrome 43.0.2357.81 Google Chrome 43.0.2357.81 Mac OS X  10.10.3 Mac OS X 10.10.3

    @二学长 另外,这种缩进以示回复感觉如何?

    yu · June 12, 2015 at 12:26

    Google Chrome 43.0.2357.81 Google Chrome 43.0.2357.81 Mac OS X  10.10.3 Mac OS X 10.10.3

    @二学长 不过,这货域名好牛逼,我见过另外的一个是del.icio.us

youran · May 29, 2015 at 16:16

Firefox 38.0 Firefox 38.0 Windows 7 Windows 7

我们当时申请的这个泛域名证书,是那个人违规签发的哈哈。后来那人就跑路了,据说有人从他那办的证书后来被globalsign revoke掉了。反正这个价格用到现在还没被revoke已经值了

    yu · May 29, 2015 at 19:59

    Google Chrome 43.0.2357.81 Google Chrome 43.0.2357.81 Mac OS X  10.10.3 Mac OS X 10.10.3

    @youran 的确,真是多谢你当时推荐.

    买个同样的正规的SSL要600每年,心都在滴血…幸好不是自己掏钱

Leave a Reply to 二学长 Cancel reply

Your email address will not be published. Required fields are marked *