cfssl生成自签证书
安装cfssl
wget https://pkg.cfssl.org/R1.2/cfssl_linux-amd64 -O /usr/local/bin/cfssl
wget https://pkg.cfssl.org/R1.2/cfssljson_linux-amd64 -O /usr/local/bin/cfssljson
wget https://pkg.cfssl.org/R1.2/cfssl-certinfo_linux-amd64 -O /usr/local/bin/cfssl-certinfo
chmod +x /usr/local/bin/cfssl*
生成ca证书
#创建csr的json配置文件
[root@localhost certs]# vim ca-csr.json
{
"CN": "k8s-ca",
"hosts": [
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "sichuan",
"L": "chengdu",
"O": "hi",
"OU": "ops"
}
],
"ca": {
"expiry": "175200h"
}
}
#创建基于根证书的config配置文件
[root@localhost certs]# vim ca-config.json
{
"signing": {
"default": {
"expiry": "175200h"
},
"profiles": {
"server": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth"
]
},
"client": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"client auth"
]
},
"peer": {
"expiry": "175200h",
"usages": [
"signing",
"key encipherment",
"server auth",
"client auth"
]
}
}
}
}
生成CA证书和私钥
[root@localhost certs]# cfssl gencert -initca ca-csr.json |cfssl-json -bare ca #生成命令
2020/04/24 03:33:55 [INFO] generating a new CA key and certificate from CSR
2020/04/24 03:33:55 [INFO] generate received request
2020/04/24 03:33:55 [INFO] received CSR
2020/04/24 03:33:55 [INFO] generating key: rsa-2048
2020/04/24 03:33:55 [INFO] encoded CSR
2020/04/24 03:33:55 [INFO] signed certificate with serial number 438107443971268110509803837811802775660837260854
[root@localhost certs]# ll
total 16
-rw-r--r-- 1 root root 989 Apr 24 03:33 ca.csr
-rw-r--r-- 1 root root 326 Apr 24 03:31 ca-csr.json
-rw------- 1 root root 1679 Apr 24 03:33 ca-key.pem #根证书私钥,这个需要保存好
-rw-r--r-- 1 root root 1338 Apr 24 03:33 ca.pem #根证书
生成服务器证书
[root@localhost certs]# vim hi-host-server-csr.json
{
"CN": "hi",
"hosts": [
"test.hi-host.com"
],
"key": {
"algo": "rsa",
"size": 2048
},
"names": [
{
"C": "CN",
"ST": "sichuan",
"L": "chengdu",
"O": "hi",
"OU": "ops"
}
]
}
[root@localhost certs]# cfssl gencert -ca=ca.pem -ca-key=ca-key.pem -config=ca-config.json -profile=server hi-host-server-csr.json|cfssl-json -bare hi-host-server
[root@localhost certs]# ll | grep hi-host
-rw-r--r-- 1 root root 1045 May 1 22:33 hi-host-server.csr
-rw-r--r-- 1 root root 302 May 1 22:02 hi-host-server-csr.json
-rw------- 1 root root 1679 May 1 22:33 hi-host-server-key.pem
-rw-r--r-- 1 root root 1395 May 1 22:33 hi-host-server.pem
配置nginx
[root@localhost certs]# vim /etc/nginx/conf.d/test.hi-host.com.conf
server {
listen 443 ssl;
server_name test.hi-host.com;
client_max_body_size 1000m;
ssl_certificate /root/certs/hi-host-server.pem;
ssl_certificate_key /root/certs/hi-host-server-key.pem;
location / {
proxy_pass http://127.0.0.1:180;
}
}
#重启nginx
解决浏览器访问https不安全问题
以上配置好后,就可以访问域名https://test.hi-host.com ,但是这里访问的时候还是提示不安全,但是能看到有证书,证书无效,这就是自签证书会有这样的问题。所以我们需要将ca.pem证书导入到浏览器中,这里以chrome为例,设置步骤如下:
- 将ca.pem该后缀名为ca.crt
- 设置
- 搜索https—->管理证书
- 选择受信任根证书颁发机构
- 导入ca.crt
- 重启浏览器
- 重新访问
每日一句
-
这个世上,并不是所有的爱都是最好的爱,退而求其次也不失为爱的一种方式。
——夏七夕
今日排行
- VSCode插件 - 快速生成表格并格式化
快速生成表格 - Docker编译出现:temporary error (try again later)
Docker编译镜像出现:fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.12/main: temporary error (try again later)
WARNING: Ignoring APKINDEX.2c4ac24e.tar.gz: No such file or directory问题 - OpenCV-Python图像滤波(平滑处理)(平均、中值、高斯、双边滤波)
图像在获取和传输过程种会受到随机信号的干扰从而产生噪声,例如电阻引起的热噪声、光子噪声、暗电流噪声以及光响应非均匀性噪声等,由于噪声会影响对图像的理解以及后续的处理工作,因此去除噪声的影响在图像中具有十分重要的意义。图像中常见的噪声有:椒盐噪声、高斯噪声、泊松噪声和乘性噪声。 - OpenCV-Python图像融合
OpenCV-Python图像融合
- Go开源库和项目整理
Golang开源库和项目整理,持续更新
点击排行
- VSCode插件 - 快速生成表格并格式化
快速生成表格
- Electron打包错误“Error: Application entry file ..”解决方案
打包出现如下错误:Error: Application entry file "dist\electron\main.js" in the "D:\gui\demo2\build\win-unpacked\resources\app.asar" does not exist. Seems like a wrong configuration. - Electron页面跳转、浏览器打开链接和打开新窗口
Electron页面跳转、浏览器打开链接和打开新窗口
- Docker编译出现:temporary error (try again later)
Docker编译镜像出现:fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.12/main: temporary error (try again later)
WARNING: Ignoring APKINDEX.2c4ac24e.tar.gz: No such file or directory问题
- mac git用户名和密码修改
在Mac电脑中,如何对Git的用户名和密码进行修改呢?起初不懂Mac,所以整了很久,本文将记录如何对这个进行操作,以便后期使用。 - Git保存和清除用户名、密码
在使用Git的过程中,不想每次都输入用户名和密码去拉取代码,所以就需要保存这些信息,那么既然有保存了,就必须有清除功能。