Nginx: generating your own certificate and configuring SSL

Script that generates the certificate:

#!/bin/bash

# Generate a 2048-bit RSA key. It is first written DES3-encrypted with the
# passphrase 123456, then re-written without the passphrase so that nginx
# can load it at startup without prompting.
openssl genrsa -des3 -passout pass:123456 -out ssl.key 2048

mv ssl.key xxx.key
openssl rsa -in xxx.key -passin pass:123456 -out ssl.key
rm xxx.key

# Certificate signing request, with the subject given on the command line
openssl req -new -key ssl.key -out ssl.csr -subj "/CN=RootCA/C=CN/ST=Hunan/L=ChangSha/O=MyCompanName/OU=IT"

# Self-sign the request with the same key, valid for 10 years
openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt

# Generate a pfx-format (PKCS#12) file
# openssl pkcs12 -export -in ssl.crt -inkey ssl.key -passin pass:123456 -out client.pfx

### rename the files
NOW_DATE=$(date "+%Y%m%d%H%M%S")
if [ -n "$1" ]; then
    # an argument was given: use it as the file name
    NEW_FILE_NAME=$1
else
    # no argument: use the timestamp as the file name
    NEW_FILE_NAME=$NOW_DATE
fi
echo "$NEW_FILE_NAME"
mv ssl.crt "$NEW_FILE_NAME.crt"
mv ssl.csr "$NEW_FILE_NAME.csr"
mv ssl.key "$NEW_FILE_NAME.key"
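The script above produces a certificate with no Subject Alternative Name, and it encrypts the key only to decrypt it again a line later. As an added example that is not part of the original post, the following POSIX shell functions generate the key unencrypted with owner-only permissions, issue a self-signed certificate that lists the server's host names and IP addresses as SANs (which browsers require), and check that the certificate and key actually belong together before nginx is pointed at them. It assumes the openssl command line (1.1.1 or newer, for -addext) is installed; the directory, file names and host names are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example (not the original post's script): self-signed certificate
# with SANs plus sanity checks. Assumes openssl >= 1.1.1 on PATH.
set -eu

# make_selfsigned DIR NAME DAYS HOST...
# Writes DIR/NAME.key and DIR/NAME.crt. The first HOST becomes the CN; every
# HOST goes into the subjectAltName, as IP: for dotted-quad addresses and
# DNS: for everything else.
make_selfsigned() {
    dir=$1; name=$2; days=$3; shift 3
    san=""
    for h in "$@"; do
        case "$h" in
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) entry="IP:$h" ;;
            *) entry="DNS:$h" ;;
        esac
        san="${san:+$san,}$entry"
    done
    mkdir -p "$dir"
    # 2048-bit RSA key, written without a passphrase (nginx cannot prompt
    # for one) and readable only by its owner thanks to the umask.
    ( umask 077; openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )
    # One-step self-signed certificate; -addext needs OpenSSL 1.1.1+.
    openssl req -x509 -new -key "$dir/$name.key" -days "$days" \
        -subj "/CN=$1/O=Example" \
        -addext "subjectAltName=$san" \
        -out "$dir/$name.crt" 2>/dev/null
}

# cert_matches_key CRT KEY
# Succeeds only if the public key inside the certificate equals the public
# half of the private key. A mismatch here is the usual cause of nginx
# refusing to start after ssl_certificate / ssl_certificate_key are edited.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_sans CRT
# Prints the subjectAltName line of the certificate, e.g.
# "DNS:morse.example, IP Address:192.168.56.99".
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//p;}'
}

# cert_valid_for CRT SECONDS
# Succeeds if the certificate will still be valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2"
}

# Usage, mirroring the original script's naming (timestamp unless an
# argument is given):
#   name=${1:-$(date +%Y%m%d%H%M%S)}
#   make_selfsigned ./ssl "$name" 3650 morse.example 192.168.56.99
#   cert_matches_key ./ssl/$name.crt ./ssl/$name.key && echo "key and cert match"
```

Running cert_matches_key whenever the two ssl_* paths change catches a swapped or stale file before a reload; cert_valid_for with a value such as 2592000 (30 days) makes a cheap expiry check for cron.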

Nginx configuration

server {
        listen       443;
        server_name 192.168.56.99 192.168.1.159 morse.5699.com;
        index index.html index.htm index.php;
        root /data/project/morseapp-api/public;
        # directory index listing
        autoindex on; 
        autoindex_exact_size off;
        autoindex_localtime on; 
        # SSL configuration
        ssl on; 
        ssl_certificate ../key/20190301111730.crt;
        ssl_certificate_key ../key/20190301111730.key;

        location / { 
           if (!-e $request_filename) {
                rewrite  ^(.*)$  /index.php?s=/$1  last;
                break;
            }   
        }   
        location ~ .*\.(php|php5)?$
        {   
            try_files $uri =404;
            fastcgi_pass  127.0.0.1:9000;
            fastcgi_index index.php;

            set $document_base_dir "/data/project/morseapp-api";
            fastcgi_param  PHP_ADMIN_VALUE "open_basedir=$document_base_dir:/tmp/:/var/tmp/:/proc/";
            fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;

            fastcgi_param  PATH_INFO  $fastcgi_path_info;
            fastcgi_param  PATH_TRANSLATED  $document_root$fastcgi_path_info;
            include fastcgi.conf;
        }   
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {   
            #add_header Cache-Control no-store;
            expires 30d;
        }   
        location ~ .*\.(js|css)?$
        {   
            expires 1h; 
        }   
        location = /favicon.ico { 
            access_log off; 
            log_not_found off; 
        }   
}

In newer versions (tried with 1.18), the directive

ssl on;

has been deprecated. nginx prints the following warning, which says what to use instead:
nginx: [warn] the "ssl" directive is deprecated, use the "listen … ssl" directive instead in /data/nginx/conf/nginx.conf:101

Note: the following two directives specify the location of the SSL certificate. If the path is relative, nginx resolves it from the conf directory by default:

ssl_certificate
ssl_certificate_key

If the path is wrong, nginx reports an error like this:

nginx: [emerg] cannot load certificate key "/data/nginx/conf/conf/ssl/sz-yd.code.cn.key": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/data/nginx/conf/conf/ssl/sz-yd.code.cn.key','r') error:2006D080:BIOroutines:BIO_new_file:no such file)

By default a .pem and .key pair is used; a .crt and .key pair works as well, as shown below:

# ssl_certificate      cert.pem;     
ssl_certificate ssl/sz-yd.code.cn.crt;
ssl_certificate_key ssl/sz-yd.code.cn.key;