I wrote a script that generates a CA file and an SSL certificate signed by that CA:
#!/usr/bin/env bash
# Absolute path to this script, e.g. /home/user/bin/foo.sh
SCRIPT=$(readlink -f "${BASH_SOURCE[0]}")
# Absolute path this script is in, thus /home/user/bin
BASEDIR=$(dirname "${SCRIPT}")
FINAL_CERTPATH=${BASEDIR}
CA_CERT=${BASEDIR}/ca.cert
CA_KEY=${BASEDIR}/ca.key
# Create the CA key and self-signed CA certificate only once
if [[ ! -f ${CA_CERT} ]] || [[ ! -f ${CA_KEY} ]]; then
  echo "GENERATING CA CERTIFICATE"
  openssl genrsa -out "${CA_KEY}" 2048
  openssl req -x509 -new -nodes \
    -key "${CA_KEY}" -subj "/C=GR/L=ATTICA" \
    -days 1825 -out "${CA_CERT}"
  echo "DONE"
  ls -l
  echo "#####################################################"
fi
CERT_BASENAME="www"
CERTIFICATE_PATH=${BASEDIR}/${CERT_BASENAME}.crt
KEY_PATH=${BASEDIR}/${CERT_BASENAME}.key
SIGNING_REQUEST=${BASEDIR}/${CERT_BASENAME}.csr
echo "CREATING CERTIFICATE"
# Server key and CSR; subject fields come from ssl_config
openssl req -new -sha512 -keyout "${KEY_PATH}" -nodes -out "${SIGNING_REQUEST}" -config "${BASEDIR}/ssl_config"
echo "SIGNING CERTIFICATE using CA"
ls -l "${SIGNING_REQUEST}"
# Sign the CSR with the CA; v3.sign supplies the SAN and key-usage extensions
openssl x509 -req -days 9000 -sha512 -in "${SIGNING_REQUEST}" -CAkey "${CA_KEY}" -CA "${CA_CERT}" -CAcreateserial -extfile "${BASEDIR}/v3.sign" -out "${CERTIFICATE_PATH}"
rm -f "${SIGNING_REQUEST}"
echo "#######################################"
echo "IMPORT this cert into your system as a CA cert:"
echo "${CA_CERT}"
The signing configuration (v3.sign) is as follows:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1
# List your domain names here
DNS.4 = 172.21.0.6
DNS.5 = example.local
DNS.6 = example2.local
For the certificate (ssl_config):
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt=no
[ req_distinguished_name ]
countryName = GR
stateOrProvinceName = Attica
localityName = Echarnes
organizationName = PC_MAGAS
commonName = example.local
I imported the CA into Firefox. I prepared two nginx virtual hosts:
events {
    worker_connections 768;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset utf-8;
    gzip on;
    gzip_disable "msie6";
    client_max_body_size 10000M;
    server_tokens off;
    error_log /dev/stdout debug;
    #misc
    server {
        listen 80 default;
        server_name _;
        return 308 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/www.crt;
        ssl_certificate_key /etc/nginx/www.key;
        server_name example.local;
        root /usr/share/nginx/html/example.local;
        index index.html;
    }
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/nginx/www.crt;
        ssl_certificate_key /etc/nginx/www.key;
        server_name example2.local;
        root /usr/share/nginx/html/example2.local;
        index index.html;
    }
}
/etc/hosts
(fixed for the Docker nginx static hosting):
# TEST
172.21.0.6 example.local
172.21.0.6 example2.local
version: "3"
services:
  nginx:
    image: nginx
    volumes:
      - .:/usr/share/nginx/html
      - "./nginx.conf:/etc/nginx/nginx.conf:ro"
      - "./certs/www.crt:/etc/nginx/www.crt:ro"
      - "./certs/www.key:/etc/nginx/www.key:ro"
    networks:
      frontend:
        ipv4_address: 172.21.0.6
networks:
  frontend:
    ipam:
      config:
        - subnet: 172.21.0.0/24
However, Firefox shows the following problem.
Do you know why?
Edit 1
I corrected the signing config as follows:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
DNS.3 = ::1
# List your domain names here
DNS.5 = example.local
DNS.6 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
The problem still occurs.
Answer 1
The problem is that you need to use the following in the signing config:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
# Local hosts
DNS.1 = localhost
# List your domain names here
DNS.2 = example.local
DNS.3 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
IP.3 = ::1
Also, ::1 is the IPv6 address for the localhost domain. You also need to number the DNS list accordingly: your DNS.5 and DNS.6 become DNS.2 and DNS.3 respectively.
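As an added check that is not part of the question or the answer, here is a stdlib-only Python linter for the [alt_names] section that flags the two mistakes the answer points out (IP literals listed as DNS.n, and per-kind indices that are not 1..n) and emits a corrected, renumbered section. SAMPLE is the question's first signing config, embedded as constructed input; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the [alt_names] section of the question's first signing config.
SAMPLE = """\
[alt_names]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1
DNS.4 = 172.21.0.6
DNS.5 = example.local
DNS.6 = example2.local
"""
ENTRY_RE = re.compile(r"^\s*(DNS|IP)\.(\d+)\s*=\s*(\S+)\s*$")

def parse_alt_names(text):
    """Return (kind, index, value) for each DNS.n / IP.n line inside [alt_names]."""
    entries, in_section = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):  # section header: only read [alt_names]
            in_section = stripped == "[alt_names]"
        elif in_section and (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), int(m.group(2)), m.group(3)))
    return entries

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals such as ::1
        return True
    except ValueError:
        return False

def lint_alt_names(text):
    """Flag IP literals under DNS.n (a browser visiting an IP only matches IP.n
    entries) and per-kind numbering that is not consecutive from 1."""
    entries = parse_alt_names(text)
    issues = [f"DNS.{i} = {v} is an IP address; use IP.n"
              for k, i, v in entries if k == "DNS" and is_ip_literal(v)]
    for kind in ("DNS", "IP"):
        idxs = sorted(i for k, i, _ in entries if k == kind)
        if idxs != list(range(1, len(idxs) + 1)):
            issues.append(f"{kind} entries are numbered {idxs}; renumber 1..{len(idxs)}")
    return issues

def fix_alt_names(text):
    """Rebuild [alt_names]: IP literals become IP.n, hostnames stay DNS.n, renumbered from 1."""
    dns = [v for _, _, v in parse_alt_names(text) if not is_ip_literal(v)]
    ips = [v for _, _, v in parse_alt_names(text) if is_ip_literal(v)]
    return "\n".join(["[alt_names]"] + [f"DNS.{i} = {v}" for i, v in enumerate(dns, 1)]
                     + [f"IP.{i} = {v}" for i, v in enumerate(ips, 1)]) + "\n"
```

Run lint_alt_names on a v3.sign file before signing, and fix_alt_names to produce the section the answer recommends.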