Nginx配置免费SSL证书StartSSL,解决Firefox不信任问题

时间:2021-12-06 06:21:20

先在StartSSL上申请免费一年的SSL证书,具体过程网上很多教程。然后把申请到的key和crt文件上传到服务器,比如/usr/local/nginx/certs/.

Nginx配置SSL证书

直接贴上我的nginx的部分配置:

server {

        listen ;

    server_name   domain.com www.domain.com ;

        ssl on;

        ssl_certificate /usr/local/nginx/ssl/ssl.crt;

        ssl_certificate_key /usr/local/nginx/ssl/ssl.key; 

    if ($http_transfer_encoding ~* chunked) {

         return ;

      }

    gzip on;

    if (-d $request_filename) {

        rewrite ^/(.*)([^/])$ $scheme://$host/$1$2/ permanent;

     }

     root   /home/wwwroot/;

     ssi off;

     ssi_silent_errors off;

     ssi_types text/shtml;

     location / {

         index  index.html index.htm index.shtml index.php;

         autoindex    off;

     }

    location /nginx_status {

        stub_status on;

        access_log off;

    }

     location ~ (favicon.ico) {

         log_not_found off;

         access_log   off;

     }

     location ~* \.(gif|jpg|jpeg|png|bmp|swf)$ {

         expires 1y;

     }

     location ~* \.(js|css)$ {

         expires 7d;

     }

    #------------

     location ~* ^(.+)\.(php[-]?|phtm[l]?)(\/.*)*$ {

         set $real_script_name $.$;

         set $path_info $;

         if (!-f $document_root$real_script_name) {

             return ;

         }

          fastcgi_pass 127.0.0.1:;

          fastcgi_param HTTPS on;

          include enable_php.conf;

     }

}

现在重启Nginx,Chrome应该能正常显示Https.如果只想使用Https连接,可以再添加一个server,然后跳转到https

server {

        listen ;

    server_name   liuzhichao.com www.liuzhichao.com ;

        rewrite     ^   https://$server_name$request_uri? permanent;

}

解决Firefox不信任StartSSL证书问题

wget http://cert.startssl.com/certs/ca.pem

wget http://cert.startssl.com/certs/sub.class1.server.ca.pem

cat ca.pem sub.class1.server.ca.pem >> ca-certs.crt

cat ca-certs.crt >> ssl.crt

再次重启Nginx,本想这下Firefox也应该能正常识别证书了,但是重启Nginx遇到了SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error错误。

[emerg]: SSL_CTX_use_certificate_chain_file("/usr/local/nginx/certs/ssl.crt")

 failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)

configuration file /usr/local/nginx/conf/nginx.conf test failed

这个的意思就是server.crt读取到意外错误行.这是因为我们在合并StartSSL提供的crt证书时,直接cat到了ssl.crt里。使用vi或者nano命令打开并编辑ssl.crt,找到:

-----END CERTIFICATE----------BEGIN CERTIFICATE-----

修改为:

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

保存这个crt文件,再次重启Nginx服务,输入申请证书时私钥的密码,启动成功后,现在使用Firefox访问网站也能信任证书了。

相关文章