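nginx's HTTPS support is implemented by the ngx_http_ssl_module module, so SSL is only available when that module is built in.
It is a core nginx feature: nginx installed with yum has it enabled by default, while nginx compiled from source must be built with the configure parameter --with-http_ssl_module.
Use nginx -V to list the modules that were compiled in.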
[root@rocky8 ~]#nginx -V
nginx version: nginx/1.22.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-10) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module-master
[root@rocky8 ~]#cd /apps/nginx/
[root@rocky8 nginx]# mkdir certs
[root@rocky8 nginx]# cd certs/
[root@rocky8 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt # self-signed CA certificate
Generating a RSA private key
.............................................................................................++++
.....................................++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country code
State or Province Name (full name) []:beijing # province
Locality Name (eg, city) [Default City]:beijing # city
Organization Name (eg, company) [Default Company Ltd]:guanyu # company name
Organizational Unit Name (eg, section) []:gy # department
Common Name (eg, your name or your server's hostname) []:ca.gy.org # common name
Email Address []: # email (optional)
View the CA certificate and private key files
[root@rocky8 certs]#ll
total 8
-rw-r--r-- 1 root root 2021 Sep 17 15:46 ca.crt
-rw------- 1 root root 3272 Sep 17 15:45 ca.key
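
The listing above shows the two things worth verifying before the CA is used to sign anything: the key is readable by its owner only, and ca.crt really belongs to ca.key. The script below is an added example, not part of the original page; the function names, the script name check_ca.sh and the throwaway demo CA (`demo-ca.example`, 2048-bit, 1 day) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for ca.key / ca.crt.
# Function names and the throwaway demo CA below are assumptions for illustration.

# Succeeds if the private key and the certificate contain the same public key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Succeeds if the certificate is marked as a CA (basicConstraints CA:TRUE).
cert_is_ca() {  # $1 = certificate file
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeeds if group and other have no permissions on the key (e.g. -rw-------).
key_is_private() {  # $1 = key file
    perms=$(ls -ld "$1" | cut -c5-10) || return 2
    [ "$perms" = "------" ]
}

# Runs all three checks, prints one line per check, returns non-zero on any failure.
check_ca() {  # $1 = key file, $2 = certificate file
    rc=0
    if key_matches_cert "$1" "$2"; then echo "OK   key matches certificate"
    else echo "FAIL key does not match certificate"; rc=1; fi
    if cert_is_ca "$2"; then echo "OK   certificate has CA:TRUE"
    else echo "FAIL certificate is not marked as a CA"; rc=1; fi
    if key_is_private "$1"; then echo "OK   key is readable by owner only"
    else echo "FAIL key is accessible to group or other"; rc=1; fi
    return $rc
}

# Constructed test input: a short-lived 2048-bit CA generated non-interactively.
make_demo_ca() {  # $1 = output directory
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$1/ca.key" \
        -x509 -days 1 -subj '/CN=demo-ca.example' -out "$1/ca.crt" 2>/dev/null
}

# Usage: sh check_ca.sh /apps/nginx/certs/ca.key /apps/nginx/certs/ca.crt
if [ $# -eq 2 ]; then check_ca "$1" "$2"; fi
```

The CA:TRUE check relies on the system's default openssl.cnf applying its CA extensions to `openssl req -x509`, as the stock configuration does.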
Create the server key and CSR files
[root@rocky8 certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.guanyu.org.key -out www.guanyu.org.csr Generating a RSA private key ......++++ ........................................................................................................................................................................................................................................................................................................................++++ writing new private key to 'www.guanyu.org' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:guanyu.org Organizational Unit Name (eg, section) []:guanyu.org Common Name (eg, your name or your server's hostname) []:www.guanyu.org Email Address []:1532105108@qq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional c