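Prerequisites:

1. OpenSSL must be installed on the host.

2. When compiling and installing nginx, pass --with-http_ssl_module so that the SSL module is built in.

Now for the configuration. (When I set this up, the host already had openssl installed, but nginx had been compiled without http_ssl_module, so an error shows up later on; it is explained in detail here.)

1. Generate a self-signed certificate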

 [root@localhost /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
Generating a bit RSA private key
.............................+++
.......................................................................................................................+++
writing new private key to '/root/ca.key'
Enter PEM pass phrase: # enter the passphrase that protects the key
Verifying - Enter PEM pass phrase: # confirm the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:xian
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:learn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:learner
Email Address []:ying@126.com

Press Enter to finish.

2. Edit the configuration file openssl.cnf (note: back it up before editing)

[root@localhost /]# vi /etc/pki/tls/openssl.cnf

####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # Where everything is kept # CA root directory; remember this path
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/ca.crt # The CA certificate # changed here: the certificate used for signing
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

3. Copy the certificate into the CA root directory /etc/pki/CA, create the empty files index.txt and serial in that directory, and write "01" into serial

 [root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# cp /root/ca.crt .
[root@localhost CA]# ls
ca.crt certs crl newcerts private
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo "01" >serial

4. Generate the server RSA private key /root/server.key

 [root@localhost ~]# openssl genrsa -des3 -out /root/server.key 1024
Generating RSA private key, bit long modulus
.............++++++
.++++++
e is (0x10001)
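Enter pass phrase for /root/server.key: # set the passphrase that protects this key
Verifying - Enter pass phrase for /root/server.key: # confirm the passphrase

5. Remove the passphrase from the private key. The output file /root/server_nopwd.key is the same private key stored unencrypted, so nginx can load it without prompting.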

 [root@localhost ~]# openssl rsa -in /root/server.key -out /root/server_nopwd.key
Enter pass phrase for /root/server.key: # enter the passphrase set in step 4
writing RSA key

6. Generate the certificate signing request /root/server.csr

 [root@localhost ~]# openssl req -new -key /root/server.key -out /root/server.csr
Enter pass phrase for /root/server.key: # enter the passphrase set in step 4
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-------- The fields below should match what was entered when creating the private (CA) certificate --------
Country Name ( letter code) [XX]:CN
State or Province Name (full name) []:xian
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:learn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:learner
Email Address []:ying@.com
----------------------------------------------------------------
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:learn

7. Sign the certificate request /root/server.csr with the private (CA) certificate

 [root@localhost ~]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /root/ca.key: # enter the passphrase set in step 1
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: (0x1)
Validity
Not Before: Nov :: GMT
Not After : Nov :: GMT
Subject:
countryName = CN
stateOrProvinceName = xian
organizationName = learn
organizationalUnitName = it
commonName = learner
emailAddress = ying@.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
8A:::B0::::AF::AD::C3::1F::A5:C5:::E2
X509v3 Authority Key Identifier:
keyid:::7A::::D2::F8:A0::C8:FE:A8::9A:1E:BC:D3:
Certificate is to be certified until Nov :: GMT ( days)
Sign the certificate? [y/n]:y
out of certificate requests certified, commit? [y/n]y
Write out database with new entries
Data Base Updated

8. Edit the nginx configuration file /usr/local/nginx/conf/nginx.conf

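 server {
    # HTTPS listener; 8001 is the port used in the client URL below
    listen 8001 ssl;
    # server IP or hostname, without the port
    server_name x.x.x.x;
    # redundant with "listen ... ssl"; obsolete since nginx 1.15.0, removed in 1.25.1
    ssl on;
    # certificate signed in step 7 and the passphrase-free key from step 5
    ssl_certificate /root/server.crt;
    ssl_certificate_key /root/server_nopwd.key;
    location / {
        root /var/www/html;
        index index.html index.htm;
    }
}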

9. Restart the service

 [root@localhost sbin]# ./nginx -s reload

Done. Entering https://x.x.x.x:8001/ on a client now reaches the site.
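A pre-reload check for the files produced in steps 1 to 7, as an added example that is not part of the original post: it confirms that the key nginx loads is the unencrypted copy, that it matches the certificate, that the key is at least 2048 bits, and that the certificate verifies against the CA. The throwaway test PKI is built without prompts using openssl x509 -req rather than openssl ca; the function names make_test_pki and check_tls_files, the subject names and the passphrase are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks to run on the CA cert, server cert and server key
# before "nginx -s reload". Function names and test subjects are constructed.

# Build a throwaway CA and server cert in $1; $2 = server RSA key size.
# Uses "openssl x509 -req" (not "openssl ca") so it runs without prompts.
make_test_pki() {
    pki_dir=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' \
        >"$pki_dir/min.cnf"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 \
        -config "$pki_dir/min.cnf" -extensions ca_ext -subj "/CN=Constructed Test CA" \
        -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" 2>/dev/null &&
    openssl genrsa -aes256 -passout pass:constructed \
        -out "$pki_dir/server.key" "$2" 2>/dev/null &&
    openssl rsa -in "$pki_dir/server.key" -passin pass:constructed \
        -out "$pki_dir/server_nopwd.key" 2>/dev/null &&
    openssl req -new -key "$pki_dir/server_nopwd.key" -config "$pki_dir/min.cnf" \
        -subj "/CN=test.example" -out "$pki_dir/server.csr" &&
    openssl x509 -req -in "$pki_dir/server.csr" -CA "$pki_dir/ca.crt" \
        -CAkey "$pki_dir/ca.key" -CAcreateserial -days 1 \
        -out "$pki_dir/server.crt" 2>/dev/null
}

# Print "ok" or the first failed check. $1 = CA cert, $2 = server cert, $3 = key.
check_tls_files() {
    # The key must load with an empty passphrase, i.e. be the unencrypted copy.
    key_pub=$(openssl pkey -in "$3" -passin pass: -pubout 2>/dev/null </dev/null) ||
        { echo "key-encrypted-or-unreadable"; return 1; }
    # Certificate and key must carry the same public key.
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ||
        { echo "cert-unreadable"; return 1; }
    [ "$key_pub" = "$crt_pub" ] || { echo "key-cert-mismatch"; return 1; }
    # Reject RSA keys below 2048 bits (step 4 above generates 1024).
    bits=$(openssl x509 -in "$2" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "weak-key:$bits"; return 1; }
    # The certificate must verify against the CA that signed it.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
        { echo "chain-invalid"; return 1; }
    echo ok
}

# Demo on constructed material; on a real host pass the paths from nginx.conf.
demo_dir=$(mktemp -d)
make_test_pki "$demo_dir" 2048 &&
    check_tls_files "$demo_dir/ca.crt" "$demo_dir/server.crt" "$demo_dir/server_nopwd.key"
rm -rf "$demo_dir"
```

On the host from this walkthrough the call would be check_tls_files /root/ca.crt /root/server.crt /root/server_nopwd.key.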

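At the time, because the http_ssl_module module had not been compiled in when nginx was installed, the nginx restart failed with the message: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/ng.........

So nginx has to be recompiled to add the required module.

Recompiling nginx to add a module

1. Locate the root directory of the nginx source used for the install (the directory where the package was stored); if it is no longer there, download the source again and extract it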

 [root@localhost /]# cd software
[root@localhost software]# ls
nginx-1.10.2 nginx-1.10.2.tar.gz

2. Check the nginx version and its build arguments

/usr/local/nginx/sbin/nginx -V

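3. Enter the nginx source directory

 [root@localhost software]# cd nginx-1.10.2

4. Re-run configure with the required modules

[root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module

5. Run make (note: do NOT run make install, or it will overwrite the existing installation). When make finishes, a new nginx binary appears under /software/nginx-1.10.2/objs; this is the new build of the program.

6. Back up the old nginx binary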

 [root@localhost ~]# cd /usr/local/nginx/sbin/
[root@localhost sbin]# ls
nginx
[root@localhost sbin]# cp nginx nginx_back_by_zhang20161117
[root@localhost sbin]# ls
nginx nginx_back_by_zhang20161117

7. Delete the old nginx binary and copy the new one into /usr/local/nginx/sbin/

 [root@localhost sbin]# rm nginx
rm:是否删除普通文件 "nginx"?y
[root@localhost sbin]# cp /software/nginx-1.10.2/objs/nginx /usr/local/nginx/sbin/

8. Test that the new nginx binary works

 [root@localhost sbin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

9. Gracefully reload the service (optional)

 [root@localhost sbin]# /usr/local/nginx/sbin/nginx -s reload

10. Check that the module is installed (optional)

 [root@localhost sbin]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8. (Red Hat 4.8.-) (GCC)
built with OpenSSL 1.0.1e-fips Feb
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module

11. Restart

 [root@localhost sbin]# ./nginx -s quit
[root@localhost sbin]# ./nginx

The nginx rebuild with the added module is complete!

For configuring HTTPS on Apache, see: http://ask.apelearn.com/question/1029
