I use the Mozilla SSL Configuration Generator
(https://mozilla.github.io/server-side-tls/ssl-config-generator/) to generate an nginx configuration file.
The configuration contains an entry that looks like this:
ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
I use Let's Encrypt certificates. How do I generate the ssl_trusted_certificate?
Answer 0 (score: 1)
This is only needed when you are doing client certificate verification.
Syntax: ssl_trusted_certificate file;
Default: —
Context: http, server
This directive appeared in version 1.3.7.
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.
I don't think this is what you need, since you only want to host an HTTPS site. You can simply comment out the directive.
Answer 1 (score: 0)
ssl_trusted_certificate /etc/letsencrypt/live/YOUR_DOMAIN/chain.pem;
All generated keys and issued certificates can be found in /etc/letsencrypt/live/$domain.
...
If you are using OCSP stapling with Nginx >= 1.3.7, chain.pem should be provided as the ssl_trusted_certificate to validate OCSP responses.
This information is also in the README file that certbot installs for your domain. Here is the file for my domain:
root@webserver:/etc/letsencrypt/live/dougrichardson.org$ ls
README cert.pem chain.pem fullchain.pem privkey.pem
root@webserver:/etc/letsencrypt/live/dougrichardson.org$ cat README
This directory contains your keys and certificates.
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used
without reading further documentation (see link below).
WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!
We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.