nginx https/nginx 配置
source link: http://abcdxyzk.github.io/blog/2018/06/06/tools-nginx-config/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
nginx https/nginx 配置
2018-06-06 00:50:00
curl wget 不验证证书进行https请求
wget 'https://x.x.x.x/get_ips' --no-check-certificate
curl 'https://x.x.x.x/get_ips' -k
生成证书和私匙
openssl req -newkey rsa:4096 -nodes -keyout test_private.perm -new -x509 -sha512 -days 3650 -subj "/CN=test.com/" -out test.crt
test_private.perm 是私匙, test.crt 是证书
其中CN和nginx.conf中的server_name一样
vim /etc/nginx/nginx.conf
http {
server {
listen 443;
server_name test.com;
ssl on;
ssl_certificate /root/test.crt;
ssl_certificate_key /root/test_private.perm;
location / {
root /var/www/html;
index index.html;
}
}
...
}
自建证书得不到信任,所以会提示: curl: (60) Peer’s certificate issuer has been marked as not trusted by the user.
解决方法:
拿服务器证书
openssl s_client -showcerts -connect www.baidu.com:443
curl 参数带证书
curl -v 'https://test.com/kk' --resolve 'test.com:443:192.168.2.7' --trace-time --cacert /root/test.crt
或者将证书加到信任的证书列表中
cat /root/test.crt >> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
curl -v 'https://test.com/kk' --resolve 'test.com:443:192.168.2.7' --trace-time
访问的host一定要是证书中CN(commonname), 不然会提示: curl: (51) Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK