• HTTPS自己生成数字证书


    一、获取证书的途径

    1. 自签名证书,适用于开发者测试HTTPS,最快速的途径就是生成自签名证书,非常方便。
    2. Let's Encrypt证书,可以使用免费CA机构签发的证书。
    3. 使用收费CA机构签发的证书,如果对证书安全性、兼容性、功能有特殊需求,可以向CA机构申请证书。

    二、自签名证书

    自签名证书是我们自己签发的,浏览器不会集成私有的CA机构的根证书,所以打开页面的时候会进行提示,用户选择信任证书之后,后续的通信就会进行加密保护的。

    自签名证书的用途还是很广泛的,对于一些企业内部系统,由于购买证书需要成本,可以生成自签名证书,企业内部系统的用户一般运行在同一个局域网下,由防火墙保护,风险相对可控,当浏览器提示用户自签名证书存在风险时,用户可以选择信任自签名证书,等同于访问了一个HTTPS网站。

    生成自签名证书的步骤如下

    1.生成私钥对和CSR

    我们设置密钥的长度为2048bit;

    我们最终会得到flask_self_csr.pem和flask_self_key.pem两个文件;

    CSR(Certificate Signing Request)表示证书签名请求,里面包含了服务器的密钥对,CA机构接收到请求会验证CSR请求的签名;

    flask_self_csr.pem包含了我们的密钥对;

    执行命令之后,我们可以在交互式提示中,设置证书包含的一些信息;

    mango@mango-ubuntu:~/文档/blogs/web/证书$ openssl req  -newkey rsa:2048 -nodes -keyout flask_self_key.pem  -out flask_self_csr.pem
    Generating a RSA private key
    .........+++++
    ......+++++
    writing new private key to 'flask_self_key.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:mango
    Organizational Unit Name (eg, section) []:mango
    Common Name (e.g. server FQDN or YOUR name) []:cee1-110-251-30-176.ngrok.io
    Email Address []:mango@163.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:          
    An optional company name []:
    
    
    1. 生成自签名证书

    接下来通过CSR生成证书,对于自签名证书,我们可以认为自己就是一个CA机构,输入如下命令生成证书:

    mango@mango-ubuntu:~/文档/blogs/web/证书$ openssl x509 -signkey flask_self_key.pem -in flask_self_csr.pem  -req -days 365 -out flask_self_cert.pem
    Signature ok
    subject=C = CN, ST = Beijing, L = Beijing, O = mango, OU = mango, CN = cee1-110-251-30-176.ngrok.io, emailAddress = mango@163.com
    Getting Private key
    
    
    1. 验证证书

    将生成的flask_self_cert.pem和flask_self_key.pem拷贝到站点根目录下,并设置启用ssl

    from flask import Flask
    
    
    app = Flask(__name__)
    
    @app.route("/", methods=["GET"])
    def hello():
        return 'hello python'
    
    if __name__ == "__main__":
        app.run('0.0.0.0', ssl_context=('flask_self_cert.pem', 'flask_self_key.pem'))
        # app.run('0.0.0.0', debug=True, ssl_context='adhoc')
    

    三、使用Let's Encrypt证书

    Let's Encrypt首先是一个CA机构,得到了很多大公司的支持,兼容性非常不错,同时它定义了ACME协议,将管理证书的流程进行了标准化、自动化,不用人工管理。可以使用基于ACME协议的客户端在Let's Encrypt管理证书,官方推荐Certbot客户端,使用非常方便。

    1.安装Certbot客户端

    mango@mango-ubuntu:~/文档/blogs/web/证书/certbot$ sudo snap install --classic certbot
    certbot 1.21.0 from Certbot Project (certbot-eff✓) installed
    
    

    2.手动生成证书和密钥文件

    mango@mango-ubuntu:~/文档/blogs/web/证书$ sudo certbot certonly --manual  -d 565c-110-251-30-176.ngrok.io 
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Requesting a certificate for 565c-110-251-30-176.ngrok.io
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Create a file containing just this data:
    
    csM3J5YGt3V-PQDeRpcDhjlpy7Hdf9tjh-NsIqqoA6A.eRfiNKPaGpDq-g1FefRl52GbfFeSDV_Qg8Gwe1KQP5M
    
    And make it available on your web server at this URL:
    
    http://565c-110-251-30-176.ngrok.io/.well-known/acme-challenge/csM3J5YGt3V-PQDeRpcDhjlpy7Hdf9tjh-NsIqqoA6A
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Press Enter to Continue
    
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/565c-110-251-30-176.ngrok.io/fullchain.pem
    Key is saved at:         /etc/letsencrypt/live/565c-110-251-30-176.ngrok.io/privkey.pem
    This certificate expires on 2022-02-10.
    These files will be updated when the certificate renews.
    
    NEXT STEPS:
    - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
     * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
     * Donating to EFF:                    https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    
    

    为了通过CA对站点的验证,我们需要新增对应的action来响应对应的请求

    @app.route("/.well-known/acme-challenge/csM3J5YGt3V-PQDeRpcDhjlpy7Hdf9tjh-NsIqqoA6A")
    def challenge():
        return 'csM3J5YGt3V-PQDeRpcDhjlpy7Hdf9tjh-NsIqqoA6A.eRfiNKPaGpDq-g1FefRl52GbfFeSDV_Qg8Gwe1KQP5M'
    
    1. 验证证书

    将生成的证书和密钥文件拷贝到站点根目录,并修改文件权限

    mango@mango-ubuntu:~/文档/blogs/webhook$ sudo cp /etc/letsencrypt/live/565c-110-251-30-176.ngrok.io/fullchain.pem fullchain.pem
    mango@mango-ubuntu:~/文档/blogs/webhook$ sudo cp /etc/letsencrypt/live/565c-110-251-30-176.ngrok.io/privkey.pem 
    mango@mango-ubuntu:~/文档/blogs/webhook$ sudo chown mango fullchain.pem
    mango@mango-ubuntu:~/文档/blogs/webhook$ sudo chown mango privkey.pem 
    

    修改站点启用ssl

    from flask import Flask
    
    app = Flask(__name__)
    
    @app.route("/", methods=["GET"])
    def hello():
        return 'hello python'
    
    @app.route("/.well-known/acme-challenge/csM3J5YGt3V-PQDeRpcDhjlpy7Hdf9tjh-NsIqqoA6A")
    def challenge():
        return 'csM3J5YGt3V-PQDeRpcDhjlpy7Hdf9tjh-NsIqqoA6A.eRfiNKPaGpDq-g1FefRl52GbfFeSDV_Qg8Gwe1KQP5M'
    
    if __name__ == "__main__":
        app.run('0.0.0.0', ssl_context=('fullchain.pem', 'privkey.pem'))
        # app.run('0.0.0.0', ssl_context=('flask_self_cert.pem', 'flask_self_key.pem'))
        # app.run('0.0.0.0', debug=True, ssl_context='adhoc')
    
    
  • 相关阅读:
    优化tomcat——jvm
    深入理解jvm
    Too many open files
    Ubuntu 18.04 chrome安装
    Ubuntu 对比度调节
    SSH 开启,安装
    Ubuntu的Gnome美化
    snap占用/dev/loop0-/dev/loop11占用100%
    C题——Halting Problem(补题)
    H:有趣的试剂(1317)
  • 原文地址:https://www.cnblogs.com/wufengtinghai/p/15559537.html
Copyright © 2020-2023  润新知