您现在的位置是:首页 > 其他

李清波 2017-08-15 其他 6867 复制当前网址

OneinStack阿里云镜像Nginx、Apache配置Https详细图解

[root@iZwz976helegzn6jf0w7plZ oneinstack]# ./vhost.sh

#######################################################################
#       OneinStack for CentOS/RadHat 5+ Debian 6+ and ubuntu 12+      #
#       For more information please visit https://oneinstack.com      #
#######################################################################

Do you want to setup SSL under Nginx? [y/n]: y

Please input domain(example: www.example.com): www.liqingbo.cn

Please input the directory for the domain:www.liqingbo.cn :
(Default directory: /data/wwwroot/www.liqingbo.cn): /data/wwwroot/www.liqingbo.cn

Create Virtul Host directory......
set permissions of Virtual Host directory......
domain=www.liqingbo.cn

Do you want to add more domain name? [y/n]: n

Do you want to redirect all HTTP requests to HTTPS? [y/n]: n (如果想设置http自动跳转到https的话就选y,这里我选择的是n)

Do you want to use a Let's Encrypt certificate? [y/n]: n (如果没有可跳过)

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [CN]: CN

State or Province Name (full name) [Shanghai]: Hainan

Locality Name (eg, city) [Shanghai]: Haikou

Organization Name (eg, company) [Example Inc.]: Liqingbo

Organizational unit Name (eg, section) [IT Dept.]: IT

Do you want to add hotlink protection? [y/n]: n

Allow Nginx/Tengine/OpenResty access_log? [y/n]: y
You access log file=/data/wwwlogs/www.liqingbo.cn_nginx.log

Allow Apache access_log? [y/n]: y
You access log file=/data/wwwlogs/www.liqingbo.cn_apache.log

nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/usr/local/nginx/conf/ssl/www.liqingbo.cn.crt"
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx......
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/usr/local/nginx/conf/ssl/www.liqingbo.cn.crt"

Syntax OK
Restart Apache......

#######################################################################
#       OneinStack for CentOS/RadHat 5+ Debian 6+ and ubuntu 12+      #
#       For more information please visit https://oneinstack.com      #
#######################################################################
Your domain:           www.liqingbo.cn
Nginx Virtualhost conf:      /usr/local/nginx/conf/vhost/www.liqingbo.cn.conf
Apache Virtualhost conf:     /usr/local/apache/conf/vhost/www.liqingbo.cn.conf
Directory of:           /data/wwwroot/www.liqingbo.cn
Self-signed SSL Certificate:   /usr/local/nginx/conf/ssl/www.liqingbo.cn.crt
SSL Private Key:         /usr/local/nginx/conf/ssl/www.liqingbo.cn.key
SSL CSR File:          /usr/local/nginx/conf/ssl/www.liqingbo.cn.csr


到这步的时候算是已经配置好环境该域名的已经了

如果没什么问题,此时通过https已经能正常访问,只不过会被浏览器提示该网站不安全,因为证书没有对应上。


这里已阿里云的免费证书作为示例

将已经申请好的证书下载,里面一般包含几个文件

apache的一般包含4个文件,如下

图片.png

如果是nginx,那么就只有两个

图片.png

我们这里是已nginx来说明,我们把这两个文件上传到服务器,因为用OneinStack镜像,所以我们把这两个文件放到对应目录下,如

/usr/local/nginx/conf/ssl/214216134950893.pem

/usr/local/nginx/conf/ssl/214216134950893.key


这个时候我们来看一下系统生成的配置文件

Nginx Virtualhost conf:      /usr/local/nginx/conf/vhost/www.liqingbo.cn.conf
Apache Virtualhost conf:     /usr/local/apache/conf/vhost/www.liqingbo.cn.conf


我们首先来打开第一个配置文件/usr/local/nginx/conf/vhost/www.liqingbo.cn.conf

图片.png

注意这两个文件

www.liqingbo.cn.crt

www.liqingbo.cn.key

我们会发现在阿里云下载的证书并没有crt这个文件,其实pem对应的就是crt


ssl_certificate /usr/local/nginx/conf/ssl/www.liqingbo.cn.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/www.liqingbo.cn.key;

改成

ssl_certificate /usr/local/nginx/conf/ssl/214216134950893.pem

ssl_certificate/usr/local/nginx/conf/ssl/214216134950893.key


我们来看一下第二个配置文件/usr/local/apache/conf/vhost/www.liqingbo.cn.conf

图片.png

跟第一个配置文件一样

SSLCertificateFile "/usr/local/nginx/conf/ssl/www.liqingbo.cn.crt"
SSLCertificateKeyFile "/usr/local/nginx/conf/ssl/www.liqingbo.cn.key"
改成

SSLCertificateFile "/usr/local/nginx/conf/ssl/214216134950893.pem"
SSLCertificateKeyFile "/usr/local/nginx/conf/ssl/214216134950893.key"

到这里的时候基本已经修改完成

此时我们重新启动一下httpd


重启命令(好像都可以,不过你都可以试一下,区别我也不太懂)

systemctl restart httpd

service httpd restart

/etc/init.d/httpd restart


如果没什么问题就已经设置成功了!


总结:

通过OneinStact镜像配置https,配置好之后默认是能访问的,不过会提示证书不安全

此时我们再通过已经购买好的证书替换掉原来的证书即可。


===========出现错误汇集==========

1,、"Syntax error on line 80 of c:/apache/conf/extra/httpd-ssl.conf:ErrorLog takes one argument,The filename of the error log"或者"Syntax error on line 99 of c:/apache/conf/extra/httpd-ssl.conf:SSLCertificateFile takes one argument,SSL Server Certificate file ('/path/to/file' -PEM or DER encoded)"

解决方法:文件路径加双引号


2、"Syntax error on line 76 of C:/apache/conf/extra/httpd-ssl.conf:SSLSessionCache: 'shmcb' session cache not supported (known names: ). Maybe you need to load the appropriate socache module (mod_socache_shmcb?)."

解决办法:

打开httpd.conf,找到 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so,把前面的注释去掉。


文章来源:http://liqingbo.com/blog-1458.html

评论