在前面一节介绍了如何创建CA, 以及如何用CA对CSR 证书请求文件进行签名,从而生成签名的服务器端证书。生成签名证书不是我们的最终目的,利用生成的签名证书来加密通信才是我们要达到的目的;这里跟我一起来学习如何使用这个签名的证书来搭建最简单的https网站:
[root@localhost conf.d]# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 4761 root 6u IPv6 45014 0t0 TCP *:https (LISTEN)
httpd 4762 apache 6u IPv6 45014 0t0 TCP *:https (LISTEN)
httpd 4763 apache 6u IPv6 45014 0t0 TCP *:https (LISTEN)
httpd 4764 apache 6u IPv6 45014 0t0 TCP *:https (LISTEN)
httpd 4765 apache 6u IPv6 45014 0t0 TCP *:https (LISTEN)
httpd 4766 apache 6u IPv6 45014 0t0 TCP *:https (LISTEN)
[root@localhost conf.d]# lsof -i:80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 4761 root 4u IPv6 45006 0t0 TCP *:http (LISTEN)
httpd 4762 apache 4u IPv6 45006 0t0 TCP *:http (LISTEN)
httpd 4763 apache 4u IPv6 45006 0t0 TCP *:http (LISTEN)
httpd 4764 apache 4u IPv6 45006 0t0 TCP *:http (LISTEN)
httpd 4765 apache 4u IPv6 45006 0t0 TCP *:http (LISTEN)
httpd 4766 apache 4u IPv6 45006 0t0 TCP *:http (LISTEN)
[root@localhost conf.d]# curl -I https://127.0.0.1/
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@localhost conf.d]# curl -I http://127.0.0.1/
HTTP/1.1 403 Forbidden
Date: Tue, 17 Sep 2019 10:58:14 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
[root@localhost conf.d]#
[root@localhost cert_test]# ls -l
total 24
-rw-------. 1 root root 1359 Aug 18 21:31 CA_Cert.pem #CA证书
-rw-------. 1 root root 1675 Aug 18 21:20 CA_Key.key #CA的私钥
-rw-r--r--. 1 root root 1021 Aug 18 17:23 my_cert.csr #服务端证书请求文件
-rw-------. 1 root root 4509 Aug 18 22:12 my.crt #由CA签名之后的服务端证书
-rw-r--r--. 1 root root 1679 Aug 18 17:18 myprivate.key #服务端证书的私钥
[root@localhost cert_test]#
[root@localhost conf.d]# grep SSLCertificate ssl.conf | grep -Evi ^#
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#修改上述参数的值,修改后如下:
[root@localhost conf.d]# grep SSLCertificate ssl.conf | grep -Evi ^#
SSLCertificateFile /etc/httpd/conf.d/my.crt
SSLCertificateKeyFile /etc/httpd/conf.d/myprivate.key
[root@localhost cert_test]# ls -l /etc/httpd/conf.d/myprivate.key /etc/httpd/conf.d/my.crt
-rw-r-----. 1 root root 4509 Aug 18 22:12 /etc/httpd/conf.d/my.crt
-rw-r-----. 1 root root 1679 Sep 17 21:50 /etc/httpd/conf.d/myprivate.key
[root@localhost cert_test]#
[root@localhost conf.d]# grep SSLCACe ssl.conf
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#修改上述参数的值,修改之后如下:
[root@localhost conf.d]# grep SSLCACe ssl.conf
SSLCACertificateFile /etc/httpd/conf.d/CA_Cert.pem
[root@localhost conf.d]# cp /root/cert_test/CA_Cert.pem /etc/httpd/conf.d/CA_Cert.pem
[root@localhost conf.d]# ls -l /etc/httpd/conf.d/CA_Cert.pem
-rw-r-----. 1 root root 1359 Sep 17 21:52 /etc/httpd/conf.d/CA_Cert.pem
[root@localhost conf.d]#
Sep 17 22:01:03 localhost.localdomain httpd[30975]: AH00526: Syntax error on line 100 of /etc/httpd/conf.d/ssl.conf:
Sep 17 22:01:03 localhost.localdomain httpd[30975]: SSLCertificateFile: file '/etc/httpd/conf.d/my.crt' does not exist or is empty
Sep 17 22:01:03 localhost.localdomain systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Sep 17 22:01:03 localhost.localdomain kill[30977]: kill: cannot find process ""
Sep 17 22:01:03 localhost.localdomain systemd[1]: httpd.service: control process exited, code=exited status=1
Sep 17 22:01:03 localhost.localdomain systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
经过检查,文件是存在的, 在centos中,默认情况下,selinux是打开的,所以关闭试试,果然重启成功:
[root@localhost cert_test]# setenforce 0
[root@localhost cert_test]# systemctl restart httpd.service
[root@localhost cert_test]#
[root@localhost cert_test]# curl -I https://127.0.0.1/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@localhost cert_test]#
#用-k参数跳过证书验证,可以看到curl的结果
[root@localhost cert_test]# curl -Ik https://127.0.0.1/
HTTP/1.1 403 Forbidden
Date: Tue, 17 Sep 2019 14:20:30 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
[root@localhost cert_test]# curl --cacert /etc/httpd/conf.d/CA_Cert.pem https://127.0.0.1/
curl: (51) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
[root@localhost cert_test]#
我们发现还是报错,这次的错误是 证书绑定的域名和当前请求域名不匹配;我们前面创建证书的时候使用的域名是:www . my.com, 所以查看下证书,确认下,重新测试:
[root@localhost cert_test]#openssl x509 -in ./my.crt -subject #结果中指名了适用于网站www . my.com
......
#因为没有对www . my.com注册DNS, 所以我们修改/etc/hosts, 把www . my.com 指向127.0.0.1, 再重新验证:
[root@localhost cert_test]# curl -I --cacert /etc/httpd/conf.d/CA_Cert.pem https://www.my.com/
HTTP/1.1 403 Forbidden
Date: Tue, 17 Sep 2019 11:36:36 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Last-Modified: Thu, 16 Oct 2014 13:20:58 GMT
ETag: "1321-5058a1e728280"
Accept-Ranges: bytes
Content-Length: 4897
Content-Type: text/html; charset=UTF-8
[root@localhost cert_test]#
至此,成功从创建证书到搭建自己的https网站完成了; 本文原创,转载请注明出处