VPS lnmp环境下安装SSL证书教程

网站安装SSL证书的前提是网站是独享IP，也就是说一个IP对应一个网站。SSL与网站程序无关，与服务器类型有关，本教程是针对VPS上的LNMP环境安装SSL的教程。

1、生成RSA密钥

li88-99:~# cd /usr/local/nginx/conf/
li88-99:/usr/local/nginx/conf# openssl genrsa -out momohost.key 2048

Generating RSA private key, 2048 bit long modulus
…..+++
.+++
e is 65537 (0x10001)

2、生成一个证书请求

li88-99:/usr/local/nginx/conf# openssl req -new -key momohost.key -out momohost.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–

Country Name (2 letter code) [AU]:CN //输入国家简写
State or Province Name (full name) [Some-State]:ShanDong //省市
Locality Name (eg, city) []:JiNan                             //城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:JunGe Host   //组织名称或公司名称
Organizational Unit Name (eg, section) []:          //可以不用填
Common Name (eg, YOUR name) []:jungehost.com     //输入要配置ssl的域名，如jungehost.com，注意jungehost.com 和www.jungehost.com 属于不同的域名。
Email Address []:admin@jungehost.com                     //输入邮箱

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: //可以不用填
An optional company name []: //可以不用填

按上面的注释输入相关信息后，会在目录下面生成jmomohost.csr这个文件，执行cat momohost.csr
将下面以—–BEGIN CERTIFICATE REQUEST—–开头到—–END CERTIFICATE REQUEST—–结尾的全部内容复制下来。需要使用这个momo.csr去NameCheap生成数字证书。

li88-99:/usr/local/nginx/conf# cat momohost.csr
—–BEGIN CERTIFICATE REQUEST—–
MIIBzTCCATYCAQAwgYwxCzAJBgNVBAYTAkNOMREwDwYDVQQIEwhTaGFuRG9uZzEO
MAwGA1UEBxMFSmlOYW4xEjAQBeNVBAoTCUp1bkdlSG9zdDEOMAwGA1UECxMFanVu
Z2UxEjAQBgNVBAMTCVNoaUp1baBMaTEiMCAGCSqGSIbcDQEJARYTYWRtaW5AanVu
Z2Vob3N0LmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0R9hda1NJdoO
2tbvHevVY3fdpdn8ESpSewHC9yc9zVoc0tz9Ww5EfpDV9L222xv/Z8DlDf2pUfIG
X7F15qIQJZ/VCUDNxS5Y7bjNTzduMq8yQnqkB6h/dpnlFTJlDQrAl6vaoOhBcB5L
hMLAQBf1V8800MIn3nfxb9E6aoydSk8CAwEAAaAAMA0GCSqGSIb3DQEBBQUAA4GB
AJxQOaFHra/ILos8+HO8Wn/2bhfWAUR4ovyRGKMB/n0BQlHPfNhKbILRv9KI5EUL
dc6HCf3AALetjNiPHrfpJOCj4Ljqchu3WeodthuwRd9hzhZHCf43UiopofbfRzMp
lmAJFuUwN93IgFSrslCh66JaQceNa5x/TQIsmviuKZGC
—–END CERTIFICATE REQUEST—–

3、进入Namecheap的SSL证书管理界面，然后点击“Active Now”按钮准备购入SSL产品。这时会进入“Digital Certificate Order Form”页面，根据自己的web服务器类型在“Select Web Sever”中选择，博主的是Nginx。接着在SecureCRT终端上执行命令 [root@typecodes ssl]# cat moioi.csr ，然后复制从-----BEGIN CERTIFICATE REQUEST----- 到 -----END CERTIFICATE REQUEST----- 中的所有内容再粘贴到“Enter csr”下面的空白栏中。

4、最后点击“Next”，这时的界面会显示你的域名Whois信息上的相关邮箱地址列表，你需要选择能正常接收验证码的域名邮箱。填写完使用者的相关信息（像城市名、街道名等等尽量使用英文，中文可能会出错）后，Namecheap会发一封有验证码的邮件到你选择的域名邮箱中，进入邮箱点击“here”按钮，然后输入验证码即可完成SSL订单。这时，Namecheap会把PositiveSSL证书文件通过邮件发送到自己的邮箱发送证书邮件。

5、SSL证书提供商会在邮件中提供我们需要的四个.crt文件：域名证书文件moioi_com.crt、COMODORSADomainValidationSecureServerCA.crt、COMODORSAAddTrustCA.crt、根证书文件AddTrustExternalCARoot.crt，把它们导入到web服务器中的某个目录，例如/etc/nginx/ssl。一般情况下，直接用域名证书moioi_com.crt即可受到浏览器（例如chrome等）的信任。但是为了避免在火狐firefox中出现“此连接不受信任”的警告，需要按照以下顺序合并所有证书文件，然后重新生成一个.crt文件：

[root@typecodes ssl]# cat typecodes_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt &gt; moioi_last.crt

1	[root@typecodes ssl]# cat typecodes_com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > moioi_last.crt

最后，我们需要修改Nginx的配置文件（/etc/nginx/conf.d/default.conf）来让Nginx启用https协议，示例如下：

<span class="err">######</span> <span class="err">开始配置</span><span class="nt">Nginx</span><span class="err">文件，支持</span><span class="nt">http</span><span class="err">协议跳转到</span><span class="nt">https</span><span class="err">协议</span>
<span class="cp">[</span><span class="nx">root</span><span class="p">@</span><span class="nx">typecodes</span> <span class="nx">conf.d</span><span class="cp">]</span><span class="err">#</span> <span class="nt">vi</span> <span class="nt">default</span><span class="nc">.conf</span>
<span class="err">######</span> <span class="err">新增一个“</span><span class="nt">server</span><span class="err">”，保留原</span><span class="nt">80</span><span class="err">端口，并强制将</span><span class="nt">http</span><span class="err">协议转换到</span><span class="nt">https</span><span class="err">协议</span>
<span class="nt">server</span> <span class="p">{</span>
    <span class="n">listen</span> <span class="m">80</span><span class="p">;</span>
    <span class="n">server_name</span> <span class="n">www</span><span class="o">.</span><span class="n">moioi</span><span class="o">.</span><span class="n">com moioi.com</span><span class="p">;</span>
    return 301 https://www.moioi.com$request_uri;
<span class="p">}</span>
<span class="err">######</span> <span class="err">在原“</span><span class="nt">server</span><span class="err">”中，启用支持</span><span class="nt">https</span><span class="err">协议的</span><span class="nt">443</span><span class="err">端口，并配置相关信息</span>
<span class="nt">server</span> <span class="p">{</span>
    <span class="n">listen</span> <span class="m">443</span><span class="p">;</span>
    <span class="n">server_name</span>  <span class="n">www</span><span class="o">.</span><span class="n">moioi</span><span class="o">.</span><span class="n">com</span><span class="p">;</span>

    <span class="n">ssl</span> <span class="n">on</span><span class="p">;</span>
    <span class="err">#</span> <span class="err">最后新生成</span><span class="o">.</span><span class="n">crt</span><span class="err">文件</span>
    <span class="n">ssl_certificate</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">nginx</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">moioi_last</span><span class="o">.</span><span class="n">crt</span><span class="p">;</span>
    <span class="err">#</span> <span class="err">最开始生成</span><span class="o">.</span><span class="n">key</span><span class="err">文件</span>
    <span class="n">ssl_certificate_key</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">nginx</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">moioi</span><span class="o">.</span><span class="n">key</span><span class="p">;</span>
    <span class="n">ssl_session_cache</span> <span class="n">shared</span><span class="o">:</span><span class="n">SSL</span><span class="o">:</span><span class="m">10</span><span class="n">m</span><span class="p">;</span>
    <span class="n">ssl_session_timeout</span> <span class="m">10</span><span class="n">m</span><span class="p">;</span>
    <span class="n">ssl_ciphers</span> <span class="n">ALL</span><span class="o">:!</span><span class="n">aNULL</span><span class="o">:!</span><span class="n">ADH</span><span class="o">:!</span><span class="n">eNULL</span><span class="o">:!</span><span class="n">LOW</span><span class="o">:!</span><span class="n">EXP</span><span class="o">:</span><span class="n">RC4</span><span class="o">+</span><span class="n">RSA</span><span class="o">:+</span><span class="n">HIGH</span><span class="o">:+</span><span class="n">MEDIUM</span><span class="p">;</span> <span class="m">#Disabl</span><span class="n">es</span> <span class="n">all</span> <span class="n">weak</span> <span class="n">ciphers</span>
    <span class="n">ssl_protocols</span> <span class="n">SSLv3</span> <span class="n">TLSv1</span><span class="p">;</span> <span class="m">#enable</span><span class="n">s</span> <span class="n">SSLv3</span><span class="o">/</span><span class="n">TLSv1</span><span class="o">,</span> <span class="n">but</span> <span class="n">not</span> <span class="n">SSLv2</span> <span class="n">which</span> <span class="n">is</span> <span class="n">weak</span> <span class="n">and</span> <span class="n">should</span> <span class="n">no</span> <span class="n">longer</span> <span class="n">be</span> <span class="n">used</span><span class="o">.</span>
    <span class="n">ssl_prefer_server_ciphers</span> <span class="n">on</span><span class="p">;</span>
    <span class="o">***************</span><span class="err">省略其它不变的部分</span><span class="o">****************</span>
<span class="p">}</span>
<span class="err">######</span> <span class="err">重启</span><span class="nt">Nginx</span><span class="err">服务</span>
<span class="cp">[</span><span class="nx">root</span><span class="p">@</span><span class="nx">typecodes</span> <span class="nx">conf.d</span><span class="cp">]</span><span class="err">#</span> <span class="nt">service</span> <span class="nt">nginx</span> <span class="nt">restart</span>

###### 开始配置Nginx文件，支持http协议跳转到https协议

[root@typecodes conf.d]# vi default.conf

###### 新增一个“server”，保留原80端口，并强制将http协议转换到https协议

server {

listen 80;

server_name www.moioi.com moioi.com;

return 301 https://www.moioi.com$request_uri;

}

###### 在原“server”中，启用支持https协议的443端口，并配置相关信息

server {

listen 443;

server_name www.moioi.com;

ssl on;

# 最后新生成.crt文件

ssl_certificate /etc/nginx/ssl/moioi_last.crt;

# 最开始生成.key文件

ssl_certificate_key /etc/nginx/ssl/moioi.key;

ssl_session_cache shared:SSL:10m;

ssl_session_timeout 10m;

ssl_ciphers ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM; #Disables all weak ciphers

ssl_protocols SSLv3 TLSv1; #enables SSLv3/TLSv1, but not SSLv2 which is weak and should no longer be used.

ssl_prefer_server_ciphers on;

***************省略其它不变的部分****************

}

###### 重启Nginx服务

[root@typecodes conf.d]# service nginx restart

这时访问moioi.com和www.moioi.com都会自动跳转到https://www.moioi.com。

打赏赞(0)

发表评论 取消回复

发表评论取消回复