• Applying for an SSL certificate from GoDaddy


    Step 1: run the following command to generate the CSR and key files

    openssl req -new -newkey rsa:2048 -nodes -keyout trips.com.key -out trips.com.csr

    Fill in the following information

    Country Name (2 letter code) [AU]:CN
    State or Province Name (full name) [Some-State]:Beijing
    Locality Name (eg, city) []:Beijing
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Beijing trips  International Travel Co.,Ltd
    Organizational Unit Name (eg, section) []:IT
    Common Name (e.g. server FQDN or YOUR name) []:*.trips.com
    Email Address []:ops@trips.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:BJbc201712061438

    Step 2: use the generated CSR file to apply for the public key (the certificate)

    root@BC-BJ-ZW-:/mnt/godaddy-ssl-for-haproxy/# cat trips.com.csr 

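    Step 3: GoDaddy sends an email to the domain owner (xiewenming@trips.com) to authorize the request, with a verification code to add as a DNS A record. After adding it, use the email the domain owner received to review and approve the request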

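    Step 4: wait for GoDaddy's validation (DV validation is fast). Once validation completes, the certificate is issued and two .crt files can be downloaded, as follows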

    fed50e497f67ebb3.crt
    gd_bundle-g2-g1.crt

    Step 5: on HAProxy, build the PEM file from the files above and the domain key, with the following command

    cat trips.com.key  cafd469e37cef3ca.crt gd_bundle-g2-g1.crt > /etc/ssl/service.trips/trips.com.combined.pem

    Step 6: add the following to the configuration file

           bind *:443 ssl crt /etc/ssl/service.trips/trips.com.combined.pem 
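
A pre-deployment check for steps 5 and 6, added here as an example and not part of the original post: it confirms that the private key matches the issued certificate and that the certificate chains to the bundle before writing the combined PEM with owner-only permissions. The function names are illustrative, and it assumes the bundle (together with the system trust store) reaches a self-signed root.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks before building
# the HAProxy combined PEM. Function names are illustrative.

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {    # usage: key_matches_cert KEY CERT
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only if CERT chains to the CA certificates in BUNDLE.
# Assumption: BUNDLE (plus the system trust store) reaches a self-signed root.
chain_verifies() {      # usage: chain_verifies CERT BUNDLE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Writes key + certificate + bundle to OUT (same order as step 5), but only
# after both checks pass. Returns 1 on key mismatch, 2 on a broken chain.
build_combined_pem() {  # usage: build_combined_pem KEY CERT BUNDLE OUT
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    chain_verifies "$2" "$3" || { echo "certificate does not chain to bundle" >&2; return 2; }
    # The combined file holds the private key: make it readable by its owner only.
    ( umask 077 && cat "$1" "$2" "$3" > "$4" ) && chmod 600 "$4"
}

# Run directly: sh check_pem.sh KEY CERT BUNDLE OUT
if [ "$#" -eq 4 ]; then build_combined_pem "$@"; fi
```

A mismatch caught here is cheaper than one found when HAProxy refuses to load the file on reload.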

    The certificate file for nginx is generated as follows

     cat cafd469e37cef3ca.crt gd_bundle-g2-g1.crt > trips.com.chained.crt 

    nginx configuration file

    server {
        listen       80;
        server_name  m.trips.com;
        listen       443 ssl;
        # "ssl on;" removed: with "listen 80;" in the same server block it would
        # also switch port 80 to TLS; "listen 443 ssl;" is enough.
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and no longer offered.
        # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_dhparam /etc/nginx/conf.d/ssl/dhparam.pem;
        # This should be the chained file built above
        # (server certificate followed by gd_bundle-g2-g1.crt).
        ssl_certificate     /etc/nginx/conf.d/ssl/trips.com.crt;
        ssl_certificate_key /etc/nginx/conf.d/ssl/trips.com.key;
    #    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
        access_log  /var/log/nginx/m.trips.log main;

        location / {
            proxy_pass         http://192.168.31.53;
            proxy_set_header   Host             $host;
            proxy_set_header   X-Real-IP        $remote_addr;
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
            #include /etc/nginx/conf.d/m123.conf;
            set $domain default;
        }
    }

    Sometimes the carrier may require a file in .cer format, which is generated as follows:

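    cat 证书.crt 私钥.key >> /opt/xxx.cer
    # 证书.crt is the certificate file and 私钥.key is the private key file.
    # The public key goes first and the private key after it; the public key here is the certificate (.crt).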
  • Original article: https://www.cnblogs.com/xiewenming/p/8036723.html