第一种方法
step 1:增加alias到/etc/hosts
127.0.1.1 localhostssl
step 2:创建ssl证书
$ sudo mkdir /usr/local/nginx/cert
$ cd /usr/local/nginx/cert
$ sudo openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 -keyout localhost.key -out localhost.crt
查看证书内容
$ openssl x509 -text -noout -in localhost.crt
step 3:配置nginx.conf
server {
server_name localhostssl;
rewrite ^(.*) https://local.website.dev$1 permanent;
}
server {
listen 443 ssl;
ssl_certificate /usr/local/nginx/cert/localhost.crt;
ssl_certificate_key /usr/local/nginx/cert/localhost.key;
ssl_ciphers HIGH:!aNULL:!MD5;
server_name localhostssl;
location / {
proxy_pass http://localhost;
}
}
step 4:reload nginx
$ sudo /usr/local/nginx/sbin/nginx -s reload
step 5:浏览器访问https://localhost
Your connection is not private
Attackers might be trying to steal your information from localhostssl (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
To get Chrome’s highest level of security, turn on enhanced protection
certutil方法报错
sudo apt-get install libnss3-tools
certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i localhost.crt
$ rm -rf $HOME/.pki/nssdb
$ certutil -d $HOME/.pki/nssdb -N
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password: 12345678
Re-enter password: 12345678
$ certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "localhost" -i /usr/local/nginx/cert/localhost.crt
Enter Password or Pin for "NSS Certificate DB":12345678
hui@hui:/usr/local/nginx
$ certutil -d sql:$HOME/.pki/nssdb -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
localhost CT,c,c
试了下浏览器访问还是有问题,可以用下面这个办法设置下浏览器,但是播放已经是可以了。
chrome://flags/
播放https视频测试
这时候用vlc播放原来搭建的hls源,发现已经是https了,虽然有报错信息。
vlc https://localhost/hls/playlist.m3u8
vlc https://localhostssl/hls/playlist.m3u8
[00007fad2c01b0e0] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
[00007fad2c12aa60] gnutls tls client error: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.
看log直接播放http的还是有区别的,说明https生效了,ffplay也行。
vlc http://localhost/hls/playlist.m3u8
ffplay http://localhost/hls/playlist.m3u8 -v debug
第二种配置方法
step 1
$ openssl genrsa -des3 -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................................................+++++
...................................+++++
e is 65537 (0x010001)
Enter pass phrase for myCA.key:2048
Verifying - Enter pass phrase for myCA.key:2048
step 2
$ openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem
Enter pass phrase for myCA.key:
140352584024512:error:28078065:UI routines:UI_set_result_ex:result too small:../crypto/ui/ui_lib.c:903:You must type in 4 to 1023 characters
Enter pass phrase for myCA.key:
Can't load /home/hui/.rnd into RNG
140352584024512:error:2807106B:UI routines:UI_process:processing error:../crypto/ui/ui_lib.c:543:while reading strings
140352584024512:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhostssl
Email Address []:
step 3
$ openssl req -new -key localhost.key -out localhost.csr
Can't load /home/hui/.rnd into RNG
140475862180288:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/home/hui/.rnd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:localhostssl
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
step 4
$ > localhost.ext cat <<-EOF
> authorityKeyIdentifier=keyid,issuer
> basicConstraints=CA:FALSE
> keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
> subjectAltName = @alt_names
> [alt_names]
> DNS.1 = localhost
> DNS.2 = bar.localhost
> IP.1 = 192.168.31.122
> EOF
step 5
openssl x509 -req -in localhost.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial\
-out localhost.crt -days 825 -sha256 -extfile localhost.ext
step 6: verify
$ openssl verify -CAfile myCA.pem -verify_hostname bar.localhost localhost.crtlocalhost.crt: OK
step7: import in chrome
Import myCA.pem as an "Authority" (not into "Your Certificates") in your Chrome \
settings (Settings > Manage certificates > Authorities > Import)
Use the localhost.crt and localhost.key files in your server
step8: 浏览器访问https://localhostssl OK
参考
|