当前位置: 首页 > 知识库问答 >
问题:

SSL证书对Ubuntu 16.04上的localhost无效

商兴朝
2023-03-14

到目前为止我所做的步骤:

  • CD/usr/local/share/CA-证书
  • OpenSSL请求-x509-sha256-nodes-newkey rsa:2048-days 365-keyout localhost.key-out localhost.crt
    • 国家/地区名称:空
    • 州或省名称:空
    • 地区名称:空
    • 组织名称:空
    • 组织单位名称:空
    • 通用名:localhost
    • 电子邮件地址:空

共有1个答案

齐昆
2023-03-14

证书还必须添加到浏览器信任存储中,您所做的步骤只是针对像CURL、WGET等工具。

在本地开发的docker容器中,我使用了一组bash脚本来设置根证书颁发机构,我将使用它来颁发开发所需的所有域证书。

浏览器只需要了解根证书颁发机构,而服务器则需要了解您颁发的所有域证书。

./setup-root-certificate.sh "root-ca.key" "root-ca.pem" "RootCertificateAuthority" && \
./create-domain-certificate.sh "localhost" "root-ca.key" "root-ca.pem" && \
./add-certificate-to-browser.sh "root-ca.pem" "RootCertificateAuthority"

警告:这些脚本已经在Docker容器中使用过,我还没有直接在主机中测试它们,但应该以同样的方式工作。

设置根证书:./setup-root-certificate.sh

#!/bin/bash

set -eu

###
# inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
###


ROOT_CA_KEY="${1?Missing Name for root certificate KEY file}"
ROOT_CA_PEM="${2?Missing Name for root certificate PEM file}"
ROOT_CA_NAME="${3?Missing Certificate Name}"
CONFIG_FILE="${4:-openssl.cnf}"

if [ ! -f ROOT_CA_PEM ]
    then
        printf "\n>>> CREATING A ROOT CERTIFICATE <<<\n"

        openssl req \
            -new \
            -newkey rsa:4096 \
            -days 3650 \
            -nodes \
            -x509 \
            -extensions v3_ca \
            -subj "/C=US/ST=CA/L=SF/O=${ROOT_CA_NAME}/CN=${ROOT_CA_NAME}" \
            -keyout ${ROOT_CA_KEY} \
            -out ${ROOT_CA_PEM} \
            -config ${CONFIG_FILE}

        printf "\n>>> ADDING ROOT CERTIFICATE TO THE TRUSTED STORE <<<\n"

        # add certificate to the trust store
        cp ${ROOT_CA_PEM} /usr/local/share/ca-certificates/self-signed-root-ca.crt
        update-ca-certificates

        # verifies the certificate
        openssl x509 -in ${ROOT_CA_PEM} -text -noout > "${ROOT_CA_NAME}.txt"

        printf "\n >>> ROOT CERTICATE CREATED SUCCESEFULY<<<\n"

    else
        printf "\n >>> ROOT CERTICATE ALREADY EXISTS <<<\n"
fi

创建域证书:./create-domain-certificate.sh

    #!/bin/bash

set -eu

###
# inspired https://fabianlee.org/2018/02/17/ubuntu-creating-a-trusted-ca-and-san-certificate-using-openssl-on-ubuntu/
###


DOMAIN="${1:-example.com}"
ROOT_CA_KEY="${2?Missing Name for root certificate KEY file}"
ROOT_CA_PEM="${3?Missing Name for root certificate PEM file}"

DOMAIN_CA_KEY="${DOMAIN}.key"
DOMAIN_CA_CSR="${DOMAIN}.csr"
DOMAIN_CA_CRT="${DOMAIN}.crt"
DOMAIN_CA_TXT="${DOMAIN}.txt"
CONFIG_FILE="${DOMAIN}.cnf" 


printf "\n>>> MERGINGING CONFIGURATION FROM ${DOMAIN_CA_TXT} INTO ${CONFIG_FILE} <<<\n"
cat openssl.cnf ${DOMAIN_CA_TXT} > ${CONFIG_FILE}


printf "\n>>> GENERATING KEY FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_KEY} <<<\n"

# generate the private/public RSA key pair for the domain
openssl genrsa -out ${DOMAIN_CA_KEY} 4096

printf "\n>>> GENERATING CSR FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CSR} <<<\n"

# create the server certificate signing request:
openssl req \
    -subj "/CN=${DOMAIN}" \
    -extensions v3_req \
    -sha256 \
    -new \
    -key ${DOMAIN_CA_KEY} \
    -out ${DOMAIN_CA_CSR}

printf "\n>>> GENERATING CRT FOR DOMAIN CERTIFICATE: ${DOMAIN_CA_CRT} <<<\n"

# generate the server certificate using the: server signing request, the CA signing key, and CA cert.
openssl x509 \
            -req \
            -extensions v3_req \
            -days 3650 \
            -sha256 \
            -in ${DOMAIN_CA_CSR} \
            -CA ${ROOT_CA_PEM} \
            -CAkey ${ROOT_CA_KEY} \
            -CAcreateserial \
            -out ${DOMAIN_CA_CRT} \
            -extfile ${CONFIG_FILE}

# verifies the certificate
openssl x509 -in ${DOMAIN_CA_CRT} -text -noout > ${DOMAIN}.txt

printf "\n >>> CERTIFICATE CREATED FOR DOMAIN: ${DOMAIN} <<<\n"
#!/bin/bash

###
# https://thomas-leister.de/en/how-to-import-ca-root-certificate/
###


### Script installs root.cert.pem to certificate trust store of applications using NSS
### (e.g. Firefox, Thunderbird, Chromium)
### Mozilla uses cert8, Chromium and Chrome use cert9

###
### Requirement: apt install libnss3-tools
###


###
### CA file to install (CUSTOMIZE!)
###

CA_PEM="${1?Missing file name for the PEM certificate}"
CA_NAME="${2?Missing Certificate Name}"
BROWSER_CONFIG_DIR="${3:-/home}"

###
### For cert8 (legacy - DBM)
###

for certDB in $(find ${BROWSER_CONFIG_DIR} -name "cert8.db")
do
    certdir=$(dirname ${certDB});
    certutil -A -n "${CA_NAME}" -t "TCu,Cu,Tu" -i ${CA_PEM} -d dbm:${certdir}
done


###
### For cert9 (SQL)
###

for certDB in $(find ${BROWSER_CONFIG_DIR} -name "cert9.db")
do
    certdir=$(dirname ${certDB});
    certutil -A -n "${certname}" -t "TCu,Cu,Tu" -i ${CA_PEM} -d sql:${certdir}
done
 类似资料:
  • 我收到以下错误,我似乎无法确定如何在本地主机(WampServer)上修复该错误。 PHP版本为5.4.3和Apache 2.2.22 我已经在这两个php中添加了这一行。ini文件和phpForApache。ini,无济于事。 也尝试过各种组合,但运气不佳。也许我需要一个不同的卡塞特。pem?我正在使用http://curl.haxx.se/ca/cacert.pem

  • 我正在尝试从GCE(Google Compute Engine)实例使用Google Cloud SQL over SSL。我的问题是无法通过SSL连接到云SQL实例。 mysql命令工作正常。我可以用认证文件连接到云SQL实例。 我在使用mysqli时也犯了同样的错误。 这是一个很好的例子 这个问题看起来和我的案子有关,但还没有答案。使用PHP与Mysql连接的SSL自签名认证 有人知道解决方案

  • 我尝试用默认的amazon子域:some-unique-path.elb.amazonaws.com在ALB上配置https,问题是我找不到如何为该域生成ssl证书:amazon证书管理器不允许为amazonaws子域生成证书。有没有什么方法可以使它不购买自定义域和配置为ALB?

  • 我使用Amazon certificate Manager为我的站点创建了一个SSL证书。证书用于*.example.com。然后,我将这个证书附加到我的ELB,并将实例协议保留为HTTP。所以SSL链只在客户端和ELB之间。我在53路有两张A唱片。一个用于example.com,一个用于www.example.com。这两个都被别名为ELB。当我做https://www.example.com时

  • 我有SSL证书、私钥和SSLCertificateChain证书如下: > SSL证书: ----开始证书---- 私钥: ----开始RSA私钥----- 这里有钥匙 在/opt/tomcat/conf/server.xml中将连接器修改为: 我重新启动了tomcat服务器,http://www.digicert.com/help/show错误“SSL证书不可信”,如图所示。 文件扩展名或con