Έχω κάνει το script αυτό που κάνει issue ένα CA sert και ένα SSL CERΤ υπογεγραμμένο με το CA:
#/usr/bin/env bash
# Absolute path to this script, e.g. /home/user/bin/foo.sh
SCRIPT=$(readlink -f "${BASH_SOURCE}")
# Absolute path this script is in, thus /home/user/bin
BASEDIR=$(dirname ${SCRIPT})
FINAL_CERTPATH=${BASEDIR}
CA_CERT=${BASEDIR}/ca.cert
CA_KEY=${BASEDIR}/ca.key
if [[ ! -f ${CA_CERT} ]] || [[ ! -f ${CA_KEY} ]]; then
echo "GENERATING CA CERTIFICATE"
openssl genrsa -out ${CA_KEY} 2048
openssl req -x509 -new -nodes \
-key ${CA_KEY} -subj "/CN=example.local/C=GR/L=ATTICA" \
-days 1825 -out ${CA_CERT}
echo "DONE"
ls -l
echo "#####################################################"
fi
CERT_BASENAME="www"
CERTIFICATE_PATH=${BASEDIR}/${CERT_BASENAME}.crt
KEY_PATH=${BASEDIR}/${CERT_BASENAME}.key
SIGNING_REQUEST=${BASEDIR}/${CERT_BASENAME}.csr
echo "CREATING CERTIFICATE"
openssl req -new -sha512 -keyout ${KEY_PATH} -nodes -out ${SIGNING_REQUEST} -config ${BASEDIR}/ssl_config
echo "SIGNING CERTIFICATE using CA"
openssl x509 -req -days 9000 -sha512 -in ${SIGNING_REQUEST} -CAkey ${CA_KEY} -CA ${CA_CERT} -CAcreateserial -out ${CERTIFICATE_PATH}
rm -rf ${SIGNING_REQUEST}
echo "#######################################"
echo "IMPORT these cert into your system as CA cert:"
echo ${CA_CERT}
Και έχω αυτό το config:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt=no
[ req_distinguished_name ]
countryName = GR
stateOrProvinceName = Attica
localityName = Echarnes
organizationName = PC_MAGAS
commonName = example.local
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.local
DNS.2 = example2.local
IP.1=172.21.0.6
και τα φορτώνω στο Nginx μέσω docker:
events {
worker_connections 768;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
gzip on;
gzip_disable "msie6";
client_max_body_size 10000M;
server_tokens off;
error_log /dev/stdout debug;
#misc
server {
listen 80 default;
server_name _;
return 308 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/www.key;
server_name example.local;
root /usr/share/nginx/html/example.local;
index index.html;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/nginx/www.crt;
ssl_certificate_key /etc/nginx/www.key;
server_name example2.local;
root /usr/share/nginx/html/example2.local;
index index.html;
}
}
version: "3"
services:
nginx:
image: nginx
volumes:
- .:/usr/share/nginx/html
- "./nginx.conf:/etc/nginx/nginx.conf:ro"
- "./certs/www.crt:/etc/nginx/www.crt:ro"
- "./certs/www.key:/etc/nginx/www.key:ro"
networks:
frontend:
ipv4_address: 172.21.0.6
networks:
frontend:
ipam:
config:
- subnet: 172.21.0.0/24
Αλλά ο firefox μου βγάζει το κάτωθι σφάλμα:
Ενώ το έχω εγκαταστήσει σαν CA:
O κώδικας είναι στο GitHub - pc-magas/dev_ssl: Test ssl withj custom CA
Έχετε ιδέα τις πταίει - τι κάμνω λάθος;