Nginx HTTPS mutual (two-way) authentication with Let's Encrypt certificates
Step 1: first set up an HTTPS site with ordinary one-way (server-only) verification, using a Let's Encrypt certificate.

```
wget https://dl.eff.org/certbot-auto
chmod u+x certbot-auto
./certbot-auto certonly --standalone -m [email protected] --agree-tos -d abc.yubangweb.com
```

(certbot-auto has since been retired by the EFF; on current systems install certbot from your distribution's package repository or as a snap and run the same certonly command.)
Edit the nginx configuration:

```
server {
    listen 80;
    listen 443 ssl;
    server_name abc.yubangweb.com;
    root /var/web;

    ssl_certificate         /etc/letsencrypt/live/abc.yubangweb.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/abc.yubangweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/abc.yubangweb.com/chain.pem;

    location / {
    }
}
```
Then open a browser and visit https://abc.yubangweb.com/

At this point the one-way-verified HTTPS site is configured.
Step 2: create your own CA and use it to sign a client certificate.

```
# Create the CA key and self-signed CA certificate (this is the CA that will
# sign the client certificates; add -des3 to genrsa if ca.key should be
# protected by a passphrase)
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Issue the client certificate, signed by the CA
# (give every client a different serial number; browsers reject two
# certificates with the same issuer and serial)
openssl genrsa -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

# Bundle key + certificate as PKCS#12 for browser import, and extract a single
# unencrypted PEM (key + certificate) for curl
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
openssl pkcs12 -in client.p12 -out all.pem -nodes
```
Step 3: enable client certificate verification in nginx.

```
# Add these two lines to the configuration from step 1
ssl_client_certificate /root/ssl/ca.crt;
ssl_verify_client on;
```
Test whether the client certificate check takes effect (run the following on another machine):

```
# Note: copy the all.pem file generated above to this machine first.
# -k skips verification of the server certificate; with a valid Let's Encrypt
# certificate it is not needed and can be dropped.
curl -k --cert all.pem https://abc.yubangweb.com
```
The complete nginx configuration (note that the listen 80 line still serves plain HTTP, on which no client certificate is ever checked; redirect port 80 to HTTPS if the content must always be protected):

```
server {
    listen 80;
    listen 443 ssl;
    server_name abc.yubangweb.com;
    root /var/web;

    ssl_certificate         /etc/letsencrypt/live/abc.yubangweb.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/abc.yubangweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/abc.yubangweb.com/chain.pem;

    ssl_client_certificate /root/ssl/ca.crt;
    ssl_verify_client on;

    location / {
    }
}
```
If only some requests should require a client certificate, use the following approach: ssl_verify_client optional asks the client for a certificate but does not reject the connection when none (or an invalid one) is presented, and each location then decides based on $ssl_client_verify, which is SUCCESS only when the certificate chained to ca.crt.

```
server {
    listen 80;
    listen 443 ssl;
    server_name abc.yubangweb.com;
    root /var/web;

    ssl_certificate         /etc/letsencrypt/live/abc.yubangweb.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/abc.yubangweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/abc.yubangweb.com/chain.pem;

    ssl_client_certificate /root/ssl/ca.crt;
    ssl_verify_client optional;

    # requires a valid client certificate
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
    }

    # open to everyone
    location /abc {
    }
}
```
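As an added example that is not the post's own configuration, the variant below keeps the optional-verification layout but adds what an operator usually wants alongside it: a redirect of plain HTTP to HTTPS so port 80 cannot bypass the check, ssl_verify_depth limited to certificates issued directly by ca.crt, and an access log that records the verification result and the client certificate's subject DN and serial for every request, so refused or missing certificates can be seen in the logs. The certificate paths are the post's; the log file path and log format name are assumptions.

```nginx
# Added example, not the original post's configuration. Certificate paths are
# the post's; /var/log/nginx/abc-mtls.log and the "mtls" format name are assumed.
log_format mtls '$remote_addr "$request" $status '
                'verify=$ssl_client_verify dn="$ssl_client_s_dn" '
                'serial=$ssl_client_serial';

# Plain HTTP never reaches the content, so nothing is served without the TLS checks.
server {
    listen 80;
    server_name abc.yubangweb.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name abc.yubangweb.com;
    root /var/web;
    access_log /var/log/nginx/abc-mtls.log mtls;

    ssl_certificate         /etc/letsencrypt/live/abc.yubangweb.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/abc.yubangweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/abc.yubangweb.com/chain.pem;

    ssl_client_certificate /root/ssl/ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 1;     # accept only certificates signed directly by ca.crt

    # $ssl_client_verify is SUCCESS, NONE (no certificate sent) or FAILED:<reason>
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 401;
        }
    }

    location /abc {
    }
}
```

With this in place, a request that presents no certificate is logged with verify=NONE and one from a certificate not issued by ca.crt with verify=FAILED:..., which is the line to alert on if the protected paths should only ever be reached by the issued clients.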