zoukankan      html  css  js  c++  java
  • Nginx配置免费SSL证书StartSSL,解决Firefox不信任问题

    先在StartSSL上申请免费一年的SSL证书,具体过程网上很多教程。然后把申请到的key和crt文件上传到服务器,比如/usr/local/nginx/certs/.

     Nginx配置SSL证书

    直接贴上我的nginx的部分配置:

    server {
            listen 443;
        server_name   domain.com www.domain.com ;
            ssl on;
            ssl_certificate /usr/local/nginx/ssl/ssl.crt;
            ssl_certificate_key /usr/local/nginx/ssl/ssl.key; 
    
        if ($http_transfer_encoding ~* chunked) {
             return 444;
          }
    
        gzip on;
    
        if (-d $request_filename) {
            rewrite ^/(.*)([^/])$ $scheme://$host/$1$2/ permanent;
         }
    
         root   /home/wwwroot/;
    
         ssi off;
         ssi_silent_errors off;
         ssi_types text/shtml;
    
         location / {
             index  index.html index.htm index.shtml index.php;
             autoindex    off;
         }
    
        location /nginx_status {
            stub_status on;
            access_log off;
        }
    
         location ~ (favicon.ico) { 
             log_not_found off;
             access_log   off; 
         }
    
         location ~* .(gif|jpg|jpeg|png|bmp|swf)$ {
             expires 1y;
         }
    
         location ~* .(js|css)$ {
             expires 7d;
         }
    
        #------------
         location ~* ^(.+).(php[3-9]?|phtm[l]?)(/.*)*$ {
             set $real_script_name $1.$2;
             set $path_info $3;
    
             if (!-f $document_root$real_script_name) {
                 return 404;
             }
    
              fastcgi_pass 127.0.0.1:8999;
              fastcgi_param HTTPS on;
              include enable_php.conf;
         }
    }

    现在重启Nginx,Chrome应该能正常显示Https.如果只想使用Https连接,可以再添加一个server,然后跳转到https

    server {
            listen 80;
        server_name   liuzhichao.com www.liuzhichao.com ;
            rewrite     ^   https://$server_name$request_uri? permanent;
    }

     解决Firefox不信任StartSSL证书问题

    wget http://cert.startssl.com/certs/ca.pem
    wget http://cert.startssl.com/certs/sub.class1.server.ca.pem
    cat ca.pem sub.class1.server.ca.pem >> ca-certs.crt
    cat ca-certs.crt >> ssl.crt

    再次重启Nginx,本想这下Firefox也应该能正常识别证书了,但是重启Nginx遇到了SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error错误。

    [emerg]: SSL_CTX_use_certificate_chain_file("/usr/local/nginx/certs/ssl.crt")
     failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
    configuration file /usr/local/nginx/conf/nginx.conf test failed

    这个的意思就是server.crt读取到意外错误行.这是因为我们在合并StartSSL提供的crt证书时,直接cat到了ssl.crt里。使用vi或者nano命令打开并编辑ssl.crt,找到:

    -----END CERTIFICATE----------BEGIN CERTIFICATE-----

    修改为:

    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----

    保存这个crt文件,再次重启Nginx服务,输入申请证书时私钥的密码,启动成功后,现在使用Firefox访问网站也能信任证书了。

  • 相关阅读:
    转:Jenkins自动化部署入门详细教程
    详解MySQL锁
    常见的内存溢出与解决办法
    read IEEE Standard for verilog(1)
    verilog之状态机
    quantus18的signaltap逻辑分析仪
    英语文档之关键词统计
    cadence软件画版图操作
    英语文档之vivado界面
    verilog之wire和reg
  • 原文地址:https://www.cnblogs.com/kaifayuan/p/4356668.html
Copyright © 2011-2022 走看看