完成 keystone 证书加密的 HTTPS 服务提升

2021-04-12 13:26

阅读:1531

标签:local   shm   let   rest   check   输入   ber   log   int   

通过yum来安装mod_ssl
[root@controller ~]# yum install -y mod_ssl             //在线安装mod_ssl
已加载插件:fastestmirror
centos                                                                                                           | 3.6 kB  00:00:00     
iaas                                                                                                             | 2.9 kB  00:00:00     
Loading mirror speeds from cached hostfile
正在解决依赖关系
--> 正在检查事务
---> 软件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 将被 安装
--> 解决依赖关系完成

依赖关系解决

========================================================================================================================================
 Package                      架构                        版本                                          源                         大小
========================================================================================================================================
正在安装:
 mod_ssl                      x86_64                      1:2.4.6-40.el7.centos.4                       iaas                      104 k

事务概要
========================================================================================================================================
安装  1 软件包

总下载量:104 k
安装大小:224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安装    : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                                                              1/1 
  验证中      : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                                                              1/1 

已安装:
  mod_ssl.x86_64 1:2.4.6-40.el7.centos.4                                                                                                

完毕!

HTTP 服务器上配置mod_ssl

1.建立服务器密钥

[root@controller ~]#  cd /etc/pki/tls/certs/    //进入HTTP服务器配置文件所在目录
[root@controller ~]#  make server.key       //建立服务器密钥
umask 77 ; /usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase:                          //在这里输入口令
Verifying - Enter pass phrase:              //确认口令,再次输入
[root@controller ~]#  openssl rsa -in server.key -out server.key        //从密钥中删除密码(以避免系统启动后被询问口令)
Enter pass phrase for server.key:           //输入口令
writing RSA key

2.建立服务器公钥

[root@controller ~]#  make server.csr       //建立服务器密钥
umask 77 ; 
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.‘, the field will be left blank.

-----

Country Name (2 letter code) [GB]:CN            //输入国名

State or Province Name (full name) [Berkshire]:Xinjiang     //输入省名

Locality Name (eg, city) [Newbury]:Shihezi              //输入城市名

Organization Name (eg, company) [My Company Ltd]:www.msdn.com       //输入组织名(任意)

Organizational Unit Name (eg, section) []:  //不输入,直接回车

Common Name (eg, your name or your server‘s hostname) []:www.msdn.com  ← 输入通称(任意)

Email Address []:zq@qq.com              //输入电子邮箱地址

Please enter the following ’extra‘ attributes

to be sent with your certificate request

A challenge password []:                //不输入,直接回车

An optional company name []:            //不输入,直接回车

3.建立服务器证书

[root@controller ~]#  openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365                //建立服务器证书
Signature ok
subject=/C=CN/ST=Xinjiang/L=Shihezi/O=www.51cto.com/emailAddress=xiandian@qq.com
Getting Private key
Enter pass phrase for server.key:
140645233670048:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
[root@controller ~]#  chmod 400 server.*        //修改权限为400

4.设置SSL

[root@controller ~]#  vi /etc/httpd/conf.d/ssl.conf     //修改SSL的设置文件
#DocumentRoot "/var/www/html"       //找到这一行,将行首的“#”去掉
Ⅴ
DocumentRoot "/var/www/html"        //变为此状态

5.重新启动HTTP服务,让SSL生效

[root@controller]#  systemctl restart httpd.service     //重新启动HTTP服务器

本地配置文件/etc/httpd/conf.d/ssl_saturn.conf:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

    SSLOptions +StdEnvVars

    SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-5]"          nokeepalive ssl-unclean-shutdown          downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

完成 keystone 证书加密的 HTTPS 服务提升

标签:local   shm   let   rest   check   输入   ber   log   int   

原文地址:https://blog.51cto.com/14308623/2475023


评论


亲,登录后才可以留言!