編集1

編集1

CAファイルとCAが署名したSSLを生成するスクリプトを作成しました。

#/usr/bin/env bash

# Absolute path to this script, e.g. /home/user/bin/foo.sh
SCRIPT=$(readlink -f "${BASH_SOURCE}")
# Absolute path this script is in, thus /home/user/bin
BASEDIR=$(dirname ${SCRIPT})


FINAL_CERTPATH=${BASEDIR}

CA_CERT=${BASEDIR}/ca.cert
CA_KEY=${BASEDIR}/ca.key

if  [[ ! -f ${CA_CERT} ]] || [[ ! -f ${CA_KEY} ]]; then
    echo "GENERATING CA CERTIFICATE"
    openssl genrsa -out ${CA_KEY} 2048
    openssl req -x509 -new -nodes \
        -key ${CA_KEY} -subj "/C=GR/L=ATTICA" \
        -days 1825 -out ${CA_CERT}
    echo "DONE"
    ls -l
    echo "#####################################################"
fi

CERT_BASENAME="www"
CERTIFICATE_PATH=${BASEDIR}/${CERT_BASENAME}.crt
KEY_PATH=${BASEDIR}/${CERT_BASENAME}.key
SIGNING_REQUEST=${BASEDIR}/${CERT_BASENAME}.csr

echo "CREATING CERTIFICATE"

openssl req -new -sha512 -keyout ${KEY_PATH} -nodes -out ${SIGNING_REQUEST} -config ${BASEDIR}/ssl_config
echo "SIGNING CERTIFICATE using CA"
ls -l ${SIGNING_REQUEST}
openssl x509 -req -days 9000 -startdate  -sha512 -in ${SIGNING_REQUEST} -CAkey ${CA_KEY} -CA ${CA_CERT} -CAcreateserial -extfile ${BASEDIR}/v3.sign -out ${CERTIFICATE_PATH} 

rm -rf ${SIGNING_REQUEST}

echo "#######################################"
echo "IMPORT these cert into your system as CA cert:"
echo ${CA_CERT}

署名された構成は次のとおりです。

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names 

[alt_names]
# Local hosts
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = ::1 
# List your domain names here
DNS.4 = 172.21.0.6
DNS.5 = example.local
DNS.6 = example2.local

証明書の場合:

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt=no

[ req_distinguished_name ]
countryName         = GR
stateOrProvinceName = Attica
localityName        = Echarnes
organizationName    = PC_MAGAS
commonName          = example.local

CAをFirefoxにインポートしました。私は2つのnginx仮想ホストを準備しました。

events {
  worker_connections  768;
}

http {
  include  /etc/nginx/mime.types;
  default_type  application/octet-stream;

  charset  utf-8;

  gzip  on;
  gzip_disable  "msie6";
  client_max_body_size 10000M;

  server_tokens   off;
  error_log /dev/stdout debug;

  #misc
  server {
    listen 80 default;
    server_name _;

    return 308 https://$host$request_uri;
  }

  server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/nginx/www.crt;
    ssl_certificate_key /etc/nginx/www.key;

    server_name example.local;

    root /usr/share/nginx/html/example.local;
    index index.html;
  }

  server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    
    ssl_certificate /etc/nginx/www.crt;
    ssl_certificate_key /etc/nginx/www.key;

    server_name example2.local;

    root /usr/share/nginx/html/example2.local;
    index index.html;
  }
}

/ets/hostsdocker nginx静的ホスティングで修正されました。

# TEST

172.21.0.6 example.local
172.21.0.6 example2.local 

version: "3"

services:

  nginx:
    image: nginx
    volumes:
      - .:/usr/share/nginx/html
      - "./nginx.conf:/etc/nginx/nginx.conf:ro"
      - "./certs/www.crt:/etc/nginx/www.crt:ro"
      - "./certs/www.key:/etc/nginx/www.key:ro"
    networks:
      frontend:
        ipv4_address: 172.21.0.6

networks:
  frontend:
    ipam:
      config:
        - subnet: 172.21.0.0/24

しかし、Firefoxは次の問題を示しています。

Firefoxで無効なドメインエラーが表示される

理由をご存知ですか?

Braveブラウザが正常に動作しているようです。 勇気を出して仕事をしましょう

編集1

曲の設定を次のように修正しました。

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names 

[alt_names]
# Local hosts
DNS.1 = localhost
DNS.3 = ::1 
# List your domain names here
DNS.5 = example.local
DNS.6 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6

問題が引き続き発生する

答え1

問題は、署名構成で以下を使用する必要があることです。

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names 

[alt_names]
# Local hosts
DNS.1 = localhost
# List your domain names here
DNS.2 = example.local
DNS.3 = example2.local
# Custom IPS
IP.1 = 127.0.0.1
IP.2 = 172.21.0.6
IP.3 = ::1 

::1また、localhostドメインの場合はipv6です。また、DNSリストにもそれに応じて番号を付ける必要があります。あなたのDNS.5合計は次のようにDNS.6なります。DNS.2DNS.3

関連情報