nginx ssl config, server certificate does not match the URL

Time: 2014-08-03 20:08:52

Tags: ssl nginx

I created an SSL certificate, but my browser tells me "this website is not trusted". Also, the https:// is struck through, and when I hover over it, it shows:

service certificate does not match the url.

I'm not sure how to configure the certificate so that it matches. What I tried was setting the Common Name field in the certificate to match my site name, example.com, but it didn't work.

Here is my certificate definition:

Issued To   

Common Name (CN)    example.com
Organization (O)    xxxx xxxx
Organizational Unit (OU)    xxxx xxxx
Serial Number   xx:xx:xx:xx:xx:xx:xx

Issued By

Common Name (CN)    example.com
Organization (O)    xxxx xxxx
Organizational Unit (OU)    xxxx xxxx

Here is the corresponding nginx.conf:

server {
   server_name example.com;
   listen 443;
   ssi on;

   ssl on;
   ssl_certificate /etc/nginx/ssl/server.crt;
   ssl_certificate_key /etc/nginx/ssl/server.key;

   client_max_body_size 4G;

   location =  / {
       ...
   }

   location ~ /.+ {
       ...
   }
}

Can anyone tell me what to do?

In the tutorial https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-nginx-for-ubuntu-12-04, just before "Step Six", it says

Additionally, make sure that both of these lines
are commented out in the line toward the beginning of the file that says:

# Make site accessible from http://localhost/
# server_name localhost;

I don't have that. Is this the cause of the error above? If I need to do this, what does it mean for me?

Do the following lines go under "server_name example.com" or under "server_name localhost"?

location =  / {
    ...
}

location ~ /.+ {
    ...
}

What does that mean? Why do I need a second server?

Also, how do I get rid of the error: Identity of this website has not been verified. Server's certificate is not trusted.

Thanks in advance for your attention and time.

1 answer:

Answer 0: (score: 1)

I'm not sure how to configure the certificate so that it matches... Can you tell me how to specify the SAN to openssl?

You need to use a configuration file. It's the only way to pass the SAN's DNS names to OpenSSL's req (request) utility (there is another way, but it's broken).

Below is a configuration file you can use as a template. Change the values to your liking.

If you are creating a self-signed certificate, run the following command. Including the -x509 option creates a self-signed certificate.

openssl req -config example-com.conf -new -x509 -newkey rsa:2048 \
    -nodes -keyout example-com.key.pem -days 365 -out example-com.cert.pem

If you are creating a signing request, run the following command. Omitting the -x509 option creates a request. It also lacks the certificate's authorityKeyIdentifier.

openssl req -config example-com.conf -new -newkey rsa:2048 \
    -nodes -keyout example-com.key.pem -days 365 -out example-com.req.pem

You can check your handiwork with:

openssl x509 -in example-com.cert.pem -text -noout

openssl req -in example-com.req.pem -text -noout

I created an SSL certificate, but the browser tells me "this website is not trusted"

You still need to import the self-signed certificate so that your browser trusts it. But the name problem will go away. For example, see:

Every browser is different.

If I need to do this [nginx configuration], what does it mean for me?

I don't know anything about web server configuration. You can get help at Server Fault, Webmaster Stack Exchange, or Web Apps Stack Exchange.


[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_extensions
x509_extensions     = cert_extensions
string_mask         = utf8only

[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = US

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = NY

localityName            = Locality Name (eg, city)
localityName_default        = New York

organizationName         = Organization Name (eg, company)
organizationName_default    = Example, LLC

# Use a friendly name here. It's presented to the user.
#   The server's DNS names show up in Subject Alternate Names. Plus,
#   putting DNS names here is deprecated by both the IETF and the CA/Browser Forum.
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

[ cert_extensions ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
# extendedKeyUsage  = serverAuth
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ req_extensions ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
# extendedKeyUsage  = serverAuth
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

[ alternate_names ]

DNS.1       = example.com
DNS.2       = www.example.com
DNS.3       = mail.example.com
DNS.4       = ftp.example.com

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
# DNS.5       = localhost
# DNS.6       = localhost.localdomain
# An IP address belongs in an IP entry, not a DNS entry:
# IP.1        = 127.0.0.1
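An added example to go with the "check your handiwork" step above (not code from the original answer): it reads the Subject Alternative Name line from the output of "openssl x509 -text -noout" and applies the name check a browser performs, which shows why the asker's CN-only certificate fails the URL match while a certificate built from the template above passes. The certificate excerpts inside it are constructed sample data.

```python
"""Browser-style hostname check against a certificate's SAN (added example,
not code from the original answer). It parses the 'X509v3 Subject Alternative
Name' line from `openssl x509 -text -noout` output and applies the RFC 6125
rules browsers use: only SAN entries count (the CN is ignored), a wildcard
covers exactly one leftmost label, IP addresses need 'IP Address' entries."""
import ipaddress
import re

# Constructed excerpt of `openssl x509 -text -noout` for a SAN certificate.
CERT_TEXT_WITH_SAN = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:*.example.com, IP Address:127.0.0.1
"""
# Constructed excerpt for the asker's case: a Common Name but no SAN at all.
CERT_TEXT_CN_ONLY = """\
        Subject: CN = example.com, O = xxxx xxxx
"""

def parse_san(cert_text):
    """Return [(type, value), ...] from the SAN line, or [] if there is none."""
    m = re.search(r"Subject Alternative Name:[ \t]*\n\s*(.+)", cert_text)
    if not m:
        return []
    # Each entry is "TYPE:value"; the "IP Address" type itself contains a space.
    return [tuple(part.strip() for part in item.strip().partition(":")[::2])
            for item in m.group(1).split(",")]

def dns_matches(pattern, host):
    """Case-insensitive; '*' is allowed only as the entire leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        # One label only, and never a bare two-label name such as a.com.
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def hostname_matches(cert_text, host):
    """True if a SAN entry covers `host`; the CN is deliberately not consulted."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in parse_san(cert_text):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_matches(value, host):
            return True
    return False
```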