Apply Wildcard SSL and Nginx HTTPS

Zeuxis  2013-09-17  Notes / Server 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
# 進入 Nginx 和建立存放證書的位置
cd /usr/local/nginx/conf
mkdir certs
cd certs

# 生成 2048 的 RSA 私匙和 CSR
openssl req -new -newkey rsa:2048 -nodes -out example.com.csr -keyout example.com.key

	Generating a 2048 bit RSA private key
	..............................................................................................................+++
	..............................+++
	writing new private key to 'example.com.key'
	-----
	You are about to be asked to enter information that will be incorporated
	into your certificate request.
	What you are about to enter is what is called a Distinguished Name or a DN.
	There are quite a few fields but you can leave some blank
	For some fields there will be a default value,
	If you enter '.', the field will be left blank.
	-----
	Country Name (2 letter code) [AU]:CN
	State or Province Name (full name) [Some-State]:HongKong
	Locality Name (eg, city) []:Kowloon
	Organization Name (eg, company) [Internet Widgits Pty Ltd]:example.com
	Organizational Unit Name (eg, section) []:
	Common Name (eg, YOUR name) []:*.example.com
	Email Address []:[email protected]
	
	Please enter the following 'extra' attributes
	to be sent with your certificate request
	A challenge password []:
	An optional company name []:
	
	
# 改變生成的檔案權限

    chmod 400 example.com.key
    chown root:root example.com.key

# 執行 `cat example.com.csr` 得出下面的 2048 CSR 內容,對應申請內容

    Domain    : *.example.com
    Server IP : 111.292.237.196
    Email     : admin@…
    2048 CSR  : 
    
    -----BEGIN CERTIFICATE REQUEST-----
    MI..這裡是 CSR 檔案的內容..==
    -----END CERTIFICATE REQUEST-----

# 提交之後等電郵,如果確定無問題就點 I APPROVE
# 之後會再收到電郵,裡面會有兩張證書並另存

- 第一張是 example.com.crt 
- 第二張是 example.com.DigiCertCA.crt

# 將兩張證合併 

	cat example.com.crt example.com.DigiCertCA.crt >> example.com.bundled.crt

# 進入 Server

	ssh SERVER_IP

# 編輯 Nginx

	vim /usr/local/nginx/conf/vhosts/example.com.conf

# 內容為

    server {
        listen      80;
        server_name example.com;
    
        rewrite ^/(.*) https://$server_name/$1 permanent;
    }
    
    server {
        listen      443;
    
        ssl                 on;
        ssl_certificate     /usr/local/nginx/conf/certs/example.com.bundled.crt;
        ssl_certificate_key /usr/local/nginx/conf/certs/example.com.key;
        ssl_session_timeout 5m;
    
        charset     utf-8;
        server_name example.com;
        root        /home/user/example.com;
        index       index.html index.htm index.php;
    
        access_log logs/example.com.access.log;
    
        location ~ \.php$ {
            fastcgi_pass    127.0.0.1:9000;
            fastcgi_index   index.php;
            fastcgi_param   SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include         fastcgi_params;
    
            fastcgi_param   HTTPS       on;
            fastcgi_param   HTTP_SCHEME https;
        }
    
        location ~ /\.ht {
            deny all;
        }
    }
© Copyright 2007 - 2023 by Zeuxis Lo.