CA 파일과 CA가 서명한 SSL을 생성하는 스크립트를 만들었습니다.
#/usr/bin/env bash
# Absolute path to this script, e.g. /home/user/bin/foo.sh
SCRIPT=$(readlink -f "${BASH_SOURCE}")
# Absolute path this script is in, thus /home/user/bin
BASEDIR=$(dirname ${SCRIPT})
FINAL_CERTPATH=${BASEDIR}
CA_CERT=${BASEDIR}/ca.cert
CA_KEY=${BASEDIR}/ca.key
if [[ ! -f ${CA_CERT} ]] || [[ ! -f ${CA_KEY} ]]; then
echo "GENERATING CA CERTIFICATE"
openssl genrsa -out ${CA_KEY} 2048
openssl req -x509 -new -nodes \
-key ${CA_KEY} -subj "/C=GR/L=ATTICA" \
-days 1825 -out ${CA_CERT}
echo "DONE"
ls -l
echo "#####################################################"
fi
CERT_BASENAME="www"
CERTIFICATE_PATH=${BASEDIR}/${CERT_BASENAME}.crt
KEY_PATH=${BASEDIR}/${CERT_BASENAME}.key
SIGNING_REQUEST=${BASEDIR}/${CERT_BASENAME}.csr
echo "CREATING CERTIFICATE"
openssl req -new -sha512 -keyout ${KEY_PATH} -nodes -out ${SIGNING_REQUEST} -config ${BASEDIR}/ssl_config
echo "SIGNING CERTIFICATE using CA"
ls -l ${SIGNING_REQUEST}
openssl x509 -req -days 9000 -startdate -sha512 -in ${SIGNING_REQUEST} -CAkey ${CA_KEY} -CA ${CA_CERT} -CAcreateserial -extfile ${BASEDIR}/v3.sign -out ${CERTIFICATE_PATH}
rm -rf ${SIGNING_REQUEST}
echo "#######################################"
echo "IMPORT these cert into your system as CA cert:"
echo ${CA_CERT}
서명된 구성은 다음과 같습니다.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1
# List your domain names here
DNS.4 = 172.21.0.6
DNS.5 = example.local
DNS.6 = example2.local
인증서의 경우:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt=no
[ req_distinguished_name ]
countryName = GR
stateOrProvinceName = Attica
localityName = Echarnes
organizationName = PC_MAGAS
commonName = example.local
CA를 Firefox로 가져왔습니다. 나는 2개의 nginx 가상 호스트를 준비했습니다.
events {
worker_connections 768;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
gzip on;
gzip_disable "msie6";
client_max_body_size 10000M;
server_tokens off;
error_log /dev/stdout debug;
#misc
server {
listen 80 default;
server_name _;
return 308 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/www.key;
server_name example.local;
root /usr/share/nginx/html/example.local;
index index.html;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/www.key;
server_name example2.local;
root /usr/share/nginx/html/example2.local;
index index.html;
}
}
/ets/hostsdocker nginx 정적 호스팅으로 수정했습니다 .
# TEST
172.21.0.6 example.local
172.21.0.6 example2.local
version: "3"
services:
nginx:
image: nginx
volumes:
- .:/usr/share/nginx/html
- "./nginx.conf:/etc/nginx/nginx.conf:ro"
- "./certs/www.crt:/etc/nginx/www.crt:ro"
- "./certs/www.key:/etc/nginx/www.key:ro"
networks:
frontend:
ipv4_address: 172.21.0.6
networks:
frontend:
ipam:
config:
- subnet: 172.21.0.0/24
그러나 Firefox는 다음과 같은 문제를 보여줍니다.
이유를 아시나요?
Brave 브라우저가 제대로 작동하는 것 같습니다.
편집 1
노래 구성을 다음과 같이 수정했습니다.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
DNS.3 = ::1
# List your domain names here
DNS.5 = example.local
DNS.6 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
문제가 계속 발생합니다
답변1
문제는 서명 구성에서 다음을 사용해야 한다는 것입니다.
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
# List your domain names here
DNS.2 = example.local
DNS.3 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
IP.3 = ::1
::1또한 localhost 도메인의 경우 ipv6입니다. 또한 DNS 목록에도 그에 따라 번호가 지정되어야 합니다. 귀하의 DNS.5합계는 다음 과 DNS.6같아야 합니다 .DNS.2DNS.3