Raspberry Pi/Debian Apache2: configuring a self-built CA to provide an HTTPS (SSL) service
<h2 id="一前言">I. Foreword</h2><p>The previous post, Raspberry Pi/Debian Apache2: implementing an HTTPS (SSL) service, explained that there are two ways to provide HTTPS (SSL) with Apache2 and how they differ. This post describes how to <strong>build your own CA with OpenSSL</strong>, <strong>self-sign its root certificate</strong> and <strong>issue an SSL server certificate</strong> from it to provide an HTTPS (SSL) service.</p>
<h3 id="1-下载-apache2">1. Download and install Apache2</h3>
<pre><code class="language-shell">sudo apt-get install apache2
</code></pre>
<h3 id="2-停止-apache2-服务">2. Stop the Apache2 service</h3>
<p><strong>This step is mandatory</strong>.</p>
<ul>
<li>
<p>Run the command as root:</p>
<pre><code class="language-shell">sudo /etc/init.d/apache2 stop
</code></pre>
</li>
<li>
<p>It should print:</p>
<pre><code class="language-shell">[ ok ] Stopping apache2 (via systemctl): apache2.service.
</code></pre>
</li>
</ul>
<h2 id="二自建-ca">II. Building your own CA</h2>
<h3 id="1-创建工作环境">1. Create the working directories</h3>
<pre><code class="language-shell">cd /etc/apache2/ && sudo mkdir -p ownSSL/CA ownSSL/Server && cd /etc/apache2/ownSSL
</code></pre>
<p>All of the openssl commands that follow are run from <code>/etc/apache2/ownSSL</code>; the <code>CA/</code> and <code>Server/</code> paths below are relative to that directory.</p>
<ul>
<li>
<p>The subdirectories of this working directory and what they will hold:</p>
<pre><code class="language-shell">/etc/apache2/ownSSL/CA : CA private key, CA certificate request, CA root certificate
/etc/apache2/ownSSL/Server : server private key, server certificate request, server certificate
</code></pre>
</li>
</ul>
<h3 id="1-生成-ca-私匙">2. Generate the CA private key</h3>
<pre><code class="language-shell">sudo openssl genrsa -out CA/CA_private.key 2048
</code></pre>
<p>On success it prints:</p>
<pre><code class="language-shell">Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
...................................................+++++
e is 65537 (0x010001)
</code></pre>
<h3 id="2-生成-ca-证书请求">3. Generate the CA certificate request</h3>
<pre><code class="language-shell">sudo openssl req -new -key CA/CA_private.key -out CA/CA_request.csr
</code></pre>
<p>You are prompted for the details of the root certificate; change them to suit yourself:</p>
<pre><code class="language-shell">You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :BeiJing
Locality Name (eg, city) []:BJ
Organization Name (eg, company) :Yogile
Organizational Unit Name (eg, section) []:Yogile
Common Name (e.g. server FQDN or YOUR name) []:Yogile
Email Address []:example@mail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:opensslca
An optional company name []:Yogile
</code></pre>
<h3 id="3-生成-ca-根证书">4. Generate the CA root certificate</h3>
<pre><code class="language-shell">sudo openssl x509 -req -in CA/CA_request.csr -extensions v3_ca -signkey CA/CA_private.key -out CA/CA_root.crt
</code></pre>
<p>On success it prints:</p>
<pre><code class="language-shell">Signature ok
subject=C = CN, ST = BeiJing, L = BJ, O = Yogile, OU = Yogile, CN = Yogile, emailAddress = example@mail.com
Getting Private key
</code></pre>
<p>Check the result with <code>openssl x509 -in CA/CA_root.crt -noout -text</code>: a usable root certificate shows <code>X509v3 Basic Constraints: CA:TRUE</code>. <code>-extensions v3_ca</code> names a section of the file given with <code>-extfile</code>, and the command above passes no <code>-extfile</code>, so if no extensions appear in the output, re-run it with <code>-extfile</code> pointing at a configuration file that contains a <code>[ v3_ca ]</code> section. Without <code>-days</code>, <code>openssl x509</code> also makes the certificate valid for only 30 days.</p>
<h2 id="三自建-server-端证书">III. Building the server certificate</h2>
<h3 id="1-生成-server-私匙">1. Generate the server private key</h3>
<pre><code class="language-shell">sudo openssl genrsa -out Server/Server_private.key 2048
</code></pre>
<p>On success it prints:</p>
<pre><code class="language-shell">Generating RSA private key, 2048 bit long modulus (2 primes)
............+++++
.......................+++++
e is 65537 (0x010001)
</code></pre>
<h3 id="2-生成-server-证书请求">2. Generate the server certificate request</h3>
<pre><code class="language-shell">sudo openssl req -new -key Server/Server_private.key -out Server/Server_request.csr
</code></pre>
<p>You are prompted for the details of this certificate; change them to suit yourself:</p>
<pre><code class="language-shell">You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) :BeiJing
Locality Name (eg, city) []:BJ
Organization Name (eg, company) :Yogile
Organizational Unit Name (eg, section) []:Yogile
Common Name (e.g. server FQDN or YOUR name) []:Yogile
Email Address []:example@mail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:example@mail.com
An optional company name []:Yogile
</code></pre>
<h3 id="3-生成-server-证书">3. Generate the server certificate</h3>
<ul>
<li>
<p>Create the configuration file openssl.cnf (in /etc/apache2/ownSSL):</p>
<pre><code class="language-shell">sudo vim openssl.cnf
</code></pre>
<p>Use the following as a reference. Only the <code>[ v3_req ]</code> and <code>[ alt_names ]</code> sections are used by the signing command below, but every section needs its header, otherwise <code>@alt_names</code> cannot be resolved:</p>
<pre><code>[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = BeiJing
localityName = Locality Name (eg, city)
localityName_default = BeiJing
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Domain Control Validated
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# IP.1 must be the address the server listens on; DNS.1 is the server's host name
IP.1 = 192.168.0.129
DNS.1 = www.example.com
</code></pre>
<p>The address the server listens on must be written into the certificate: if the address used to reach the server differs from the one in the certificate, certificate validation fails.</p>
<ul>
<li>I am using a virtual machine here, with no public IP and no DNS record, so I set both IP.1 and DNS.1 to the VM's IP address; that works.</li>
</ul>
</li>
<li>
<p>Run the command that issues the server certificate:</p>
<pre><code class="language-shell">sudo openssl x509 -days 365 -req -in Server/Server_request.csr -extensions v3_req -CAkey CA/CA_private.key -CA CA/CA_root.crt -CAcreateserial -out Server/Server_root.crt -extfile openssl.cnf
</code></pre>
<p>On success it prints:</p>
<pre><code>Signature ok
subject=C = CN, ST = BeiJing, L = BJ, O = Yogile, OU = Yogile, CN = Yogile, emailAddress = example@mail.com
Getting CA Private Key
</code></pre>
</li>
</ul>
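<p>The CA and server steps of sections II and III, as an added example that is not code from the original post: a POSIX shell script that runs them non-interactively with a complete openssl.cnf and then verifies the chain and the host name, which is the check behind the remark that the address in the URL must match the certificate. It assumes <code>openssl</code> on PATH; the work directory, IP and DNS name are parameters, and the "Yogile" subject values are constructed to match the post's prompts.</p>

```shell
# Added example, not code from the original post: sections II and III run
# non-interactively with a complete openssl.cnf, then checked as a browser would.
# Assumes openssl on PATH; "Yogile" subject values are constructed to match the post.
set -eu

write_openssl_cnf() {  # $1 = work dir, $2 = server IP, $3 = server DNS name
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $2
DNS.1 = $3
EOF
}

make_ca_and_server_cert() {  # $1 = work dir, $2 = server IP, $3 = server DNS name
    mkdir -p "$1/CA" "$1/Server" && write_openssl_cnf "$1" "$2" "$3"
    # CA: key, request, self-signed root that really carries the v3_ca extensions
    openssl genrsa -out "$1/CA/CA_private.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/CA/CA_private.key" \
        -subj "/C=CN/ST=BeiJing/L=BJ/O=Yogile/CN=Yogile Root CA" -out "$1/CA/CA_request.csr"
    openssl x509 -req -days 3650 -in "$1/CA/CA_request.csr" -signkey "$1/CA/CA_private.key" \
        -extfile "$1/openssl.cnf" -extensions v3_ca -out "$1/CA/CA_root.crt" 2>/dev/null
    # Server: key, request, certificate issued by the CA with the v3_req SAN
    openssl genrsa -out "$1/Server/Server_private.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -key "$1/Server/Server_private.key" \
        -subj "/C=CN/ST=BeiJing/L=BJ/O=Yogile/CN=$3" -out "$1/Server/Server_request.csr"
    openssl x509 -req -days 365 -in "$1/Server/Server_request.csr" -CA "$1/CA/CA_root.crt" \
        -CAkey "$1/CA/CA_private.key" -CAcreateserial -extfile "$1/openssl.cnf" \
        -extensions v3_req -out "$1/Server/Server_root.crt" 2>/dev/null
}
# Chain + name check as a browser does it; $2 is the name typed in the address bar.
verify_server_cert() {
    openssl verify -CAfile "$1/CA/CA_root.crt" -verify_hostname "$2" \
        "$1/Server/Server_root.crt" >/dev/null 2>&1
}
# True when the server certificate's SAN contains $2, e.g. "DNS:www.example.com".
cert_has_san() { openssl x509 -in "$1/Server/Server_root.crt" -noout -text | grep -q "$2"; }
```

<p>Run it as <code>make_ca_and_server_cert /etc/apache2/ownSSL 192.168.0.129 www.example.com</code> (as root for that path) and then <code>verify_server_cert /etc/apache2/ownSSL www.example.com</code>; a name that is not in the SAN makes the second call fail, which is exactly what the browser reports.</p>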
<h2 id="四检查目录结构确定无误">IV. Check the directory structure</h2>
<p>Use the <code>tree</code> command to confirm that all files are in place:</p>
<pre><code class="language-shell">yogile@debyogile:/etc/apache2/ownSSL$ tree
.
├── CA
│   ├── CA_private.key
│   ├── CA_request.csr
│   ├── CA_root.crt
│   └── CA_root.srl
├── openssl.cnf
└── Server
    ├── Server_private.key
    ├── Server_request.csr
    └── Server_root.crt

2 directories, 8 files
</code></pre>
<h2 id="五apache2-ssl-证书加载">V. Loading the SSL certificate in Apache2</h2>
<ul>
<li><strong>Important: follow the steps below in this exact order, otherwise errors are very likely!</strong></li>
</ul>
<h3 id="1-停止-apache2-服务">1. Stop the Apache2 service</h3>
<p><strong>This step is mandatory</strong>.</p>
<ul>
<li>
<p>Run the command as root:</p>
<pre><code class="language-shell">sudo /etc/init.d/apache2 stop
</code></pre>
</li>
<li>
<p>It should print:</p>
<pre><code class="language-shell">[ ok ] Stopping apache2 (via systemctl): apache2.service.
</code></pre>
</li>
</ul>
<h3 id="2--启用ssl模块">2. Enable the SSL module</h3>
<ul>
<li>
<p>Enable the SSL module as root:</p>
<pre><code class="language-shell">sudo a2enmod ssl
</code></pre>
<p>On success it prints:</p>
<pre><code>Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
systemctl restart apache2
</code></pre>
</li>
<li>
<p>The last line asks you to run a restart command:</p>
<pre><code class="language-shell">sudo /etc/init.d/apache2 restart
</code></pre>
<p>Run this command as root, otherwise it fails.</p>
<p>Note: this restarts Apache2.</p>
</li>
</ul>
<h3 id="3-停止-apache2-服务">3. Stop the Apache2 service</h3>
<p><strong>This step is mandatory; it has the same effect as the two earlier "Stop the Apache2 service" steps</strong>.</p>
<ul>
<li>
<p>Run the command as root:</p>
<pre><code class="language-shell">sudo /etc/init.d/apache2 stop
</code></pre>
</li>
<li>
<p>It should print:</p>
<pre><code class="language-shell">[ ok ] Stopping apache2 (via systemctl): apache2.service.
</code></pre>
</li>
</ul>
<h3 id="4--加载-ssl-配置文件-default-sslconf">4. Load the SSL site configuration default-ssl.conf</h3>
<ul>
<li>
<p>Run the command as root:</p>
<pre><code class="language-shell">sudo a2ensite default-ssl
</code></pre>
<p>Expected output:</p>
<pre><code class="language-shell">yogile@debyogile:/etc/apache2# sudo a2ensite default-ssl
a2ensite default-sslEnabling site default-ssl.
To activate the new configuration, you need to run:
systemctl reload apache2
</code></pre>
<p>It asks you to run <code>systemctl reload apache2</code>; ignore that for now and go to the next step, <strong>start the Apache2 service</strong>.</p>
</li>
<li>
<p>Now <strong>start the Apache2 service</strong>:</p>
<pre><code class="language-shell">sudo /etc/init.d/apache2 start
</code></pre>
<p>On success it prints:</p>
<pre><code class="language-shell">[ ok ] Starting apache2 (via systemctl): apache2.service.
</code></pre>
</li>
<li>
<p>Once Apache2 is running, load the SSL site configuration default-ssl.conf:</p>
<pre><code class="language-shell">sudo systemctl reload apache2
</code></pre>
<p>On success nothing is printed.</p>
</li>
</ul>
<h2 id="四apache2-ssl-证书配置">VI. Configuring the SSL certificate in Apache2</h2>
<p>With the module and site loaded, edit their configuration.</p>
<h3 id="1-添加监听端口">1. Add the listening port</h3>
<ul>
<li>
<p>Edit the listening-port configuration file:</p>
<pre><code class="language-shell">sudo vim /etc/apache2/ports.conf
</code></pre>
<p>It normally contains:</p>
<pre><code class="language-shell"># If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</code></pre>
</li>
<li>
<p>Add listening port 443</p>
<p>Change the <code>Listen 80</code> line of the example to <code>Listen 80 443</code>:</p>
<pre><code># If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
#/etc/apache2/sites-enabled/000-default.conf
Listen 80 443
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</code></pre>
<p>Note that <code>Listen</code> takes one address/port followed by an optional protocol name, so <code>Listen 80 443</code> still opens only port 80 (with "443" taken as the protocol label) rather than a second port; port 443 is actually opened by the <code>Listen 443</code> inside <code>&lt;IfModule ssl_module&gt;</code> once the SSL module is enabled. One port per <code>Listen</code> line is the documented form.</p>
</li>
<li>
<p>Save and quit with <code>:wq</code></p>
</li>
</ul>
<h3 id="2--修改-ssl-配置文件--default-sslconf">2. Edit the SSL configuration file default-ssl.conf</h3>
<ul>
<li>
<p>Edit the SSL configuration file default-ssl.conf:</p>
<pre><code class="language-shell">sudo vim /etc/apache2/sites-enabled/default-ssl.conf
</code></pre>
<p>With the comments stripped it reads:</p>
<pre><code class="language-shell"><IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
</code></pre>
</li>
<li>
<p>Add <code>ServerName &lt;hostname&gt;</code>, for example:</p>
<pre><code class="language-shell">ServerAdmin webmaster@localhost
ServerName yogile.icu
DocumentRoot /var/www/html
</code></pre>
<p>The hostname to enter is the <code>DNS.0</code> value from the exampleserver.cnf file used when following the OpenSSL documentation, i.e. a name that appears in the certificate's subjectAltName:</p>
<pre><code class="language-shell">[ alt_names ]
DNS.0 = yogile.icu
DNS.1 = www.yogile.icu
</code></pre>
</li>
<li>
<p>Point the certificate directives at your own files, for example:</p>
<pre><code class="language-shell">SSLCertificateFile /etc/apache2/ownSSL/Server/Server_root.crt
SSLCertificateKeyFile /etc/apache2/ownSSL/Server/Server_private.key
</code></pre>
</li>
<li>
<p>Save and quit with <code>:wq</code></p>
</li>
</ul>
<h3 id="3-重启-apache2-服务">3. Restart the Apache2 service</h3>
<ul>
<li>
<p>Restart the Apache2 service:</p>
<pre><code class="language-shell">sudo /etc/init.d/apache2 restart
</code></pre>
<p>On success it prints:</p>
<pre><code class="language-shell">[ ok ] Restarting apache2 (via systemctl): apache2.service.
</code></pre>
</li>
<li>
<p>Configuration complete.</p>
</li>
</ul>
<h2 id="五网页登录测试">VII. Testing in a browser</h2>
<h3 id="1-在浏览器中输入-https-域名公网-ip-或私网-ip">1. In the browser, enter <code>https://</code> followed by the domain name, public IP or private IP</h3>
<p><img src="https://img2020.cnblogs.com/blog/1591904/202003/1591904-20200313173200271-2056680787.png" alt="" loading="lazy"></p>
<h3 id="2-点击-高级---继续前往不安全">2. Click <code>"Advanced" -> Proceed (unsafe)</code></h3>
<p><img src="https://img2020.cnblogs.com/blog/1591904/202003/1591904-20200313173215488-732967362.png" alt="" loading="lazy"></p>
<h3 id="3-httpsssl-配置成功">3. HTTPS (SSL) is configured successfully</h3>
<p><img src="https://img2020.cnblogs.com/blog/1591904/202003/1591904-20200313173227746-162728732.png" alt="" loading="lazy"></p>
<h2 id="六端口重定向">VIII. Port redirection</h2>
<p>HTTPS is now working, but port 80 still serves plain HTTP.<br>
See the next post, Raspberry Pi/Debian: redirecting HTTP to HTTPS, for redirecting port 80 to port 443.</p>
Source: https://www.cnblogs.com/Yogile/p/12487790.html