配置HTTPS证书记录

给官网配置HTTPS证书记录,第一次 当然要记录下来, 这是新出炉的官网themis官网

废话不多说,开始正题

1) 弯路

查阅到配置nginx 根证书,和秘钥就可以做到https正常访问

这是老大给我的一窍不通的东西,老大提醒我,要建立证书链,还要注意移动设备访问证书会提示不安全的情况。

1
2
3
4
├── CACertificate-INTERMEDIATE-1.cer
├── CACertificate-ROOT-2.cer
├── themis.key
└── ServerCertificate.cer

当时我还是很懵逼的。所以建议大家还是查询一下证书链。 查阅到如下配置

看看自己的防火墙 终端执行 iptables -L –line-numbers

1
2
3
4
5
6
7
8
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

如上所示没有任何拦截,主要注意443端口拦截

如下配置nginx

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
server {
    listen       443;
    server_name  localhost;
    ssl                  on;
    ssl_certificate      /etc/nginx/sslcer/CACertificate-ROOT-2.cer;
    ssl_certificate_key      /etc/nginx/sslcer/themis.key;
    ssl_session_timeout  5m;
    ssl_protocols  SSLv3 TLSv1;
    ssl_ciphers  HIGH:!ADH:!EXPORT56:RC4+RSA:+MEDIUM;
    ssl_prefer_server_ciphers   on;
    location / {
     root   /data/www/themiswww;
     index  index.html index.htm;
    }
 }

终端执行 nginx -t

1
2
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

这样是秘钥和服务器证书搭配正确 访问 https://themis.im https正常

然后发现移动设备果然提示了 证书不受信任

终端执行 openssl s_client -connect www.themis.im:443

发现提示了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
...
verify error:num=20:unable to get local issuer certificate
verify return:1
...
verify error:num=27:certificate not trusted
verify return:1
...
verify error:num=21:unable to verify the first certificate
verify return:1
...
Certificate chain
 0 s:/businessCategory=Private.../CN=www.abc.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G3
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign

最后的解决方案 生成证书链 终端执行 cat ServerCertificate.cer CACertificate-INTERMEDIATE-1.cer CACertificate-ROOT-2.cer > CACertificate-ROOT-1.pem

把 nginx 配置中的 CACertificate-ROOT-2.cer 替换为CACertificate-ROOT-1.pem

然后再次执行 openssl s_client -connect www.themis.im:443

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Certificate chain
 0 s:/CN=*.themis.im
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust RSA CA 2018
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
......
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 512F18AE435BD0A126FE08BA6EC3A1D6343C4A2835B1C6F15B01C5E15B0BBFF0
    Session-ID-ctx:
    Master-Key: F86C0D5F7DF4DC436442CAE41CB6843769089AF5EC025525469ABD0461E612B63F530A55C35AA073EDE9C51BDF97A06D
    Key-Arg   : None
    Start Time: 1522068649
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

在 myssl做了一下评测

修改了如下配置

1
2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;

over.