湖濱散記部落格的樹心幽徑
496: 20190527 Installing a self-signed SSL certificate for httpd on Ubuntu Linux

(0) $ openssl version

OpenSSL 1.0.2g  1 Mar 2016

(1) Create a private key file, server.key

$ sudo openssl genrsa -out server.key 2048
[sudo] password for treehrt:
Generating RSA private key, 2048 bit long modulus
..........+++
.........+++
e is 65537 (0x10001)

(2) $ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA24OoYXvvZJ1Krs7fR+fEju0KkzVGFhsKXYK0UljfvsfS33xP
:

Ckms0R8/DG6uqkeFJEHDurVa58LuKI6BBL4jrOoDN1VloTuhuzdoVg==
-----END RSA PRIVATE KEY-----

(3) Create a certificate signing request file, server.csr

$ sudo openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:ILAN
Locality Name (eg, city) []:ilan-city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:insecta?
Organizational Unit Name (eg, section) []:ice?
Common Name (e.g. server FQDN or YOUR name) []:insecta.idv.tw
Email Address []:t??@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:w??w??
An optional company name []:k??s

(4)$ cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIDBzCCAe8CAQAwgY8xCzAJBgNVBAYTAlRXMQ0wCwYDVQQIDARJTEFOMRIwEAYD
VQQHDAlpbGFuLWNpdHkxFDASBgNVBAoMC2luc2VjdGEuaWR2MQwwCgYDVQQLDANp
:

VgRz0SPkJu/5aFghFykfMCCJlg1DM0CN4PDDfaJ3PrE8ASz/nrpLwMHyuWzA4ZUv
w2DhP5rDXW3SA0c=
-----END CERTIFICATE REQUEST-----

(5)$ vi ssl.conf
treehrt ~$ cat ssl.conf
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Tree Inc.
OU = IT Department
emailAddress = treehrt@insecta.idv.tw
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 192.168.2.100
treehrt ~$

(6) Generate the private key (server.key) and the certificate file (server.crt)

$ sudo openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
[sudo] password for treehrt:
Generating a 2048 bit RSA private key
.........+++
................+++
writing new private key to 'server.key'
-----

(6) Display the contents of the self-signed certificate file

$ cat server.crt
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIJAP+j2xBoRWsCMA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
VQQGEwJUVzEPMA0GA1UECAwGVGFpd2FuMQ8wDQYDVQQHDAZUYWlwZWkxEjAQBgNV

:

VaZ/BRqgO/SvwN8zBn4RFqzIHje9LB9xWP3AX+I3kHyX875Y4waw9GI=
-----END CERTIFICATE-----

(7) Import the self-signed certificate into "Trusted Root Certification Authorities"

$ sudo cp  server.crt  /usr/local/share/ca-certificates/server.crt

$ sudo update-ca-certificates

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.

(8)$ sudo systemctl restart apache2

(9)$ sudo systemctl status apache2

The above did not work.

(10-1)$  openssl version
OpenSSL 1.0.2g  1 Mar 2016

(10-2)$ sudo openssl genrsa -out server.key 2048
[sudo] password for treehrt:
Generating RSA private key, 2048 bit long modulus
.......................................................................................................+++
..................+++
e is 65537 (0x10001)

(10-3)$ cat server.key
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAzHHKyEdG3E4v07NbvLico3Ns/lx8Nr/Nq6UJHuM6PrddMb/6
:

NWjAXNzzx3qrZhacFVhHSgV5tSVzg6n2qHLINi82tCdgLaKX8CU=
-----END RSA PRIVATE KEY-----
(10-4)$  vi ssl.conf

(10-5)$ cat ssl.conf
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Tree Inc.
OU = IT Department
emailAddress = treehrt@insecta.idv.tw
CN = localhost

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.localhost
DNS.2 = localhost
DNS.3 = 192.168.2.100

(10-6)$ sudo openssl req -x509 -new -nodes -sha256 -utf8 -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt -config ssl.conf
Generating a 2048 bit RSA private key
...............................+++
..................................................+++
writing new private key to 'server.key'
-----

(10-7)$ cat server.key
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDHDMTiLflDMcgB
:

gMBGPQ6F+gnU5/7fFoRQzg==
-----END PRIVATE KEY-----

(10-8)$  cat server.crt
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIJANHXEbZGPQg9MA0GCSqGSIb3DQEBCwUAMIGWMQswCQYD
:

xOw+eWpGqeZzmzWhoDJd/XSnt7Pp0USYiCU7d6gcccdt7B2Z23HB+90=
-----END CERTIFICATE-----

(10-9)$ sudo cp  server.crt  /usr/local/share/ca-certificates

(10-10)$ sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:server.pem
done.
done.
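The script below is an added example, not part of the original post, that folds steps (5) and (6) and the repeat in (10-4) to (10-10) into reusable shell functions and adds the checks a deployment should run. It assumes the openssl CLI is on PATH; the hostname, IP address and file names are placeholders taken from the post's ssl.conf. Two things differ from the post on purpose. First, the IP address goes under `IP.1` rather than `DNS.3`: browsers compare an IP in the URL only against iPAddress SAN entries, so a dNSName entry holding 192.168.2.100 never matches. Second, `-newkey rsa:2048 -keyout server.key` always writes a fresh key (which is why (10-7) shows a PKCS#8 `BEGIN PRIVATE KEY` header where (10-3) had the `genrsa` output) and `-nodes` leaves that key unencrypted, so the script tightens the key's permissions immediately. The CSR from step (3) is only needed when a separate CA signs the request; `-x509` skips it and emits the certificate directly.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed server
# certificate with a usable subjectAltName and check the result.
# Assumptions: the openssl CLI is on PATH; hostname/IP/paths are placeholders.
set -eu

# Write an OpenSSL request config. Values mirror the post's ssl.conf, except
# that the IP address is an IP.n entry (iPAddress SAN), not a DNS.n entry.
write_req_conf() {       # $1 = output path, $2 = hostname (CN), $3 = IP address
    cat > "$1" <<EOF
[req]
prompt = no
default_md = sha256
default_bits = 2048
distinguished_name = dn
x509_extensions = v3_req

[dn]
C = TW
ST = Taiwan
L = Taipei
O = Tree Inc.
OU = IT Department
CN = $2

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $2
DNS.2 = *.$2
IP.1 = $3
EOF
}

# Generate key and certificate in one step (the post's step 6 / 10-6).
# -newkey overwrites any key made earlier with genrsa, and -nodes leaves it
# unencrypted, so restrict the file to its owner as soon as it exists.
gen_selfsigned() {       # $1 = config, $2 = key out, $3 = cert out, $4 = days
    openssl req -x509 -new -nodes -sha256 -days "$4" -newkey rsa:2048 \
        -keyout "$2" -out "$3" -config "$1" 2>/dev/null
    chmod 600 "$2"
}

# Print the certificate's SAN entries on one line, for example
# "DNS:localhost, DNS:*.localhost, IP Address:192.168.2.100".
cert_sans() {            # $1 = cert
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# Check that the certificate validates with itself as the trust anchor,
# which is what the system store relies on once it is imported; prints OK/FAIL.
cert_selfverify() {      # $1 = cert
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Report whether a private key is readable by its owner only (yes/no).
key_is_private() {       # $1 = key
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo yes ;;
        *)      echo no ;;
    esac
}

# Usage (placeholder names; the real files then move under /etc/apache2/ssl):
if [ "${1:-}" = run ]; then
    write_req_conf ssl.conf localhost 192.168.2.100
    gen_selfsigned ssl.conf server.key server.crt 3650
    echo "SAN:         $(cert_sans server.crt)"
    echo "self-verify: $(cert_selfverify server.crt)"
    echo "key private: $(key_is_private server.key)"
fi
```

After `sudo update-ca-certificates` has reported the certificate as added, `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt server.crt` should print OK. That store is consulted by every OpenSSL- or GnuTLS-based client on the machine (curl, wget, Python's ssl module), so the certificate is now trusted system-wide, not only for one site. Firefox keeps its own certificate store and does not read the system one, which is why a step like (10-13) is still needed there.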

(10-11)$ sudo systemctl status apache2

(10-12)$  sudo systemctl restart apache2

(10-13) Configure the browser, using Firefox as an example:

In about:preferences#privacy / Preferences / Certificates / View Certificates / Servers / Add Exception /

Enter location: https://localhost/ / Get Certificate / No information available?????.

Still not working.


(11-1)$ sudo mkdir /etc/apache2/ssl

(11-2) $ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

(11-3)$ ls -l /etc/apache2/ssl

-rw-r--r-- 1 root root 1379  5月 28 11:09 apache.crt

-rw-r--r-- 1 root root 1704  5月 28 11:09 apache.key

(11-4)

$ sudo vim /etc/apache2/sites-available/default-ssl.conf

$ cat /etc/apache2/sites-available/default-ssl.conf | grep apache
:
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key
:

(11-5) $ sudo service apache2 restart

(11-6) Chrome browser: https://163.25.20.90/

ERR_SSL_PROTOCOL_ERROR

(11-7) $ sudo cp  /etc/apache2/ssl/apache.crt  /usr/local/share/ca-certificates

(11-8)$  sudo update-ca-certificates

Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

Adding debian:apache.pem
done.
done.

(11-9)$ sudo service apache2 restart

(11-10) Firefox: https://163.25.20.90/

SSL_ERROR_RX_RECORD_TOO_LONG

(11-11)$ sudo a2ensite default-ssl.conf
Site default-ssl already enabled
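As an added example that is not part of the post or of Apache's own documentation, the script below does what steps (11-1) to (11-11) do by hand and adds the checks that would have shortened the debugging. It assumes Ubuntu's Debian-style Apache layout (`a2enmod`, `a2ensite`, `apache2ctl`, `/etc/apache2/sites-available`); the `/etc/apache2/ssl` paths, the `local-tls.conf` site name and the `localhost` ServerName are placeholders. Note the `ls -l` output in (11-3): `apache.key` is `-rw-r--r--`, readable by every local account, which is why the script installs the key with mode 0600 (Apache opens it as root at startup, so nobody else needs to read it). Firefox's SSL_ERROR_RX_RECORD_TOO_LONG in (11-10) is what it reports when port 443 answers with something other than a TLS record, typically a plain-HTTP response, so the thing to confirm before touching certificates is that mod_ssl is enabled and the vhost bound to port 443 has `SSLEngine on`; `apache2ctl configtest` and an `openssl s_client` handshake check both.

```shell
#!/bin/sh
# Added example, not from the original post: install a key/cert pair for
# Apache on Ubuntu, enable the TLS site and verify that port 443 speaks TLS.
# Assumptions (placeholders): /etc/apache2/ssl as destination, localhost as
# ServerName, Debian-style a2enmod/a2ensite/apache2ctl tooling.
set -eu

# Copy the pair into place. The key gets 0600: Apache reads it as root while
# starting, so no other account needs access (the post's 11-3 listing shows
# the key world-readable, which is the setting to avoid).
install_pair() {         # $1 = key src, $2 = cert src, $3 = destination dir
    mkdir -p "$3"
    install -m 600 "$1" "$3/apache.key"
    install -m 644 "$2" "$3/apache.crt"
}

# Render a dedicated TLS vhost instead of hand-editing default-ssl.conf.
# The <IfModule> guard means the whole block is ignored until mod_ssl is
# enabled, so 'a2ensite' on its own changes nothing (see enable_tls_site).
render_vhost() {         # $1 = ServerName, $2 = cert path, $3 = key path
    cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName $1
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile $2
    SSLCertificateKeyFile $3
    ErrorLog \${APACHE_LOG_DIR}/ssl-error.log
    CustomLog \${APACHE_LOG_DIR}/ssl-access.log combined
</VirtualHost>
</IfModule>
EOF
}

# Write the vhost, enable mod_ssl and the site, and restart only after the
# configuration parses; a failing configtest leaves the running server alone.
enable_tls_site() {      # $1 = ServerName, $2 = ssl dir (run as root)
    render_vhost "$1" "$2/apache.crt" "$2/apache.key" \
        > /etc/apache2/sites-available/local-tls.conf
    a2enmod ssl
    a2ensite local-tls.conf
    apache2ctl configtest
    systemctl restart apache2
}

# Handshake check: prints "tls" when the port completes a TLS handshake
# (a self-signed certificate only produces a verify warning here, not a
# failure) and "no-tls" when the port is closed or answers in plain HTTP.
probe_tls() {            # $1 = host, $2 = port
    if openssl s_client -connect "$1:$2" -servername "$1" </dev/null >/dev/null 2>&1; then
        echo tls
    else
        echo no-tls
    fi
}

# Usage as root, after generating server.key and server.crt:
#   install_pair server.key server.crt /etc/apache2/ssl
#   enable_tls_site localhost /etc/apache2/ssl
#   probe_tls localhost 443      # expect: tls
```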

(12) Finally working, as shown in the screenshot.

[screenshot not reproduced]


