camry 2015-9-9 14:01
How to install a Namecheap Comodo PositiveSSL certificate on Nginx
This is my own purchase-and-install walkthrough for a Namecheap Comodo PositiveSSL certificate~~

Terminology:
DV: Domain Validation
OV: Organization Validation
EV: Extended Validation

1. Confirm the domain information

Before buying the certificate you must already control the domain it will be issued for. Look up the registration record with whois and make sure the "Administrative Contact Email" is correct and that you can actually read that mailbox: PositiveSSL is a DV certificate, and the domain-validation mail is sent to that address.

First generate two files on the CentOS box, server.key and server.csr:
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

Country Name (2 letter code) [AU]: TW
State or Province Name (full name) [Some-State]: Taiwan
Locality Name (eg, city) []: Taichung
Organization Name (eg, company) [Internet Widgits Pty Ltd]: NA
Organizational Unit Name (eg, section) []: NA
Common Name (eg, YOUR name) []: <your-domain> (this must be the exact hostname the site is served as, e.g. www.example.com)
Email Address []: (the domain's registration email)

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []: (leave blank)
An optional company name []: (leave blank)

Two things to be aware of here. -nodes writes server.key to disk unencrypted, so restrict its permissions so that only root can read it, and never paste it anywhere: the only file that leaves the server is server.csr. The challenge password is not used by this ordering process at all, so leaving it blank is the right choice.

2. Order the Comodo PositiveSSL certificate at Namecheap
During activation Namecheap asks for the CSR (Certificate Signing Request). Paste the entire contents of server.csr, including the BEGIN and END lines.
[attach]12154[/attach]

Once the order is submitted, a mail containing the validation code is sent to the address from the whois record. Only after that validation is completed does the order move from "Pending Request" to "Certificates".

3. Post-process the certificate files

Comodo sends back two files:
yourdomain_com.crt (your server certificate)
yourdomain_com.ca-bundle (the intermediate CA certificates)

Combine them on the server, server certificate first, then the bundle:
# cat yourdomain_com.crt yourdomain_com.ca-bundle > mysite_com.crt

Open the result and check that every -----END CERTIFICATE----- line is followed by -----BEGIN CERTIFICATE----- on its own line. If yourdomain_com.crt was delivered without a trailing newline, cat glues the two markers onto one line and the chain no longer parses as separate certificates. Also confirm that the certificate really belongs to server.key (the public key in both must be identical) before copying anything into the nginx directory.

The bundle Comodo sends does not include the root certificate, and that is fine: a TLS server should serve the leaf plus the intermediates only. Clients must already have the root in their own trust store, a root that arrives from the server carries no trust anyway, and sending it just adds bytes to every handshake. So do not append a root to mysite_com.crt. If you want the root on hand for verifying the chain locally, save it to a separate file instead. For reference, this is the Comodo root the chain used to terminate in, the AddTrust External CA Root:
[quote]
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----
[/quote]
Note that this root was valid from 2000-05-30 to 2020-05-30 (the dates are right there in the certificate) and has since expired, which is one more reason never to ship a root with the chain: a server that still appends it today hands clients an expired certificate.

4. Configure SSL in nginx
Example of an SSL-configured virtual host for nginx:

[quote]
server {
 listen 443 ssl;
 server_name mysite.com;

 ssl_certificate /etc/nginx/certs/mysite_com.crt;
 ssl_certificate_key /etc/nginx/certs/server.key;

 # TLS 1.0 through 1.2. SSLv2 and SSLv3 are broken and must never be enabled.
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

 # Puts forward-secret AEAD suites first and excludes the obviously broken ones;
 # see the note below for what this list still allows.
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

 ssl_prefer_server_ciphers on;
}
[/quote]

A few notes on this config. "listen 443 ssl;" is the modern form of the older pair "listen 443;" plus "ssl on;"; the ssl directive has been deprecated since nginx 1.15.0 and was removed in 1.25.1, so new configs should not use it. TLS 1.0 and 1.1 have since been formally deprecated (RFC 8996), and current guidance is ssl_protocols TLSv1.2 TLSv1.3; (TLS 1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later). The cipher list does not really "disable all weak ciphers": it still allows triple DES (the DES-CBC3-SHA suites, which "!DES" does not remove, since that alias only matches single DES; use "!3DES" for that, or drop them because of Sweet32) and the static-RSA suites at the end, which give no forward secrecy. An ECDHE-only list with AES-GCM and ChaCha20 suites is what a new deployment should use.

Finally, restart nginx and the site is served over HTTPS~~

You can also check from the command line:
# openssl s_client -showcerts -connect www.adj.com.tw:443

If the output ends with "ok", the chain is in order~
[quote]
SSL-Session:
 Protocol : TLSv1
 Cipher : DHE-RSA-AES256-SHA
 Session-ID: 067D516F10A75EA8325AD71E866A85CF1E172B69CF7E194240DD66EB0D89A92C
 Session-ID-ctx:
 Master-Key: 70ECDC0D12E8A28C00D2943D5357C6A7E2C499C6BD45DE6BA24F24123DCF63F63477A9CCD9FE5B3D6757DF2BFB5C6AA8
 Key-Arg : None
 Start Time: 1447806637
 Timeout : 300 (sec)
 Verify return code: 0 (ok)
[/quote]

Two things to read out of that output. "Verify return code: 21 (unable to verify the first certificate)" instead of 0 almost always means the intermediate is missing from mysite_com.crt, so go back to step 3. And the check only proves the chain verifies against the trust store of the machine running s_client; the client used for this capture only negotiated TLSv1 with DHE-RSA-AES256-SHA, whereas a current client against the config above should report TLSv1.2 and one of the ECDHE-RSA-AES...-GCM suites from the top of the list. A browser test and the SSL Labs scan below are the second opinion.

You can also check the SSL score here:
https://www.ssllabs.com/ssltest/index.html

Configuration references:
https://support.comodo.com/index.php?/Knowledgebase/Article/View/789/37/certificate-installation-nginx
https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
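The following script is an added example and not part of the original post: it runs steps 1 and 3 of the walkthrough (key and CSR generation, chain assembly, and the two checks recommended there) offline, using a throwaway root and intermediate CA that stand in for Comodo. The hostname www.example.com, the CA names, the 30-day validity and the file names are all assumptions made for the demo; the only technique that differs from the post is using `awk 1` instead of `cat` to join the files, which guarantees a newline between the two PEM blocks even when the leaf certificate was delivered without one.

```shell
#!/bin/sh
# Added example (not from the original post). Simulates the Comodo issuance
# with a local test CA so the chain-assembly and verification steps can be
# exercised offline. Names, hostnames and validity periods are made up.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

HOST="www.example.com"   # assumed hostname; CN and SAN must match what is served

# Step 1: private key + CSR, non-interactively via -subj. -nodes writes the
# key in the clear, so the permissions are tightened immediately.
make_csr() {
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout server.key -out server.csr \
        -subj "/C=TW/ST=Taiwan/L=Taichung/O=NA/CN=$HOST" 2>/dev/null
    chmod 600 server.key
}

# What the CSR actually says; check the CN here before pasting it into Namecheap.
csr_subject() { openssl req -noout -subject -in server.csr; }

# Stand-in for the CA (constructed for the demo): root -> intermediate -> leaf.
# The outputs mirror what Comodo returns: yourdomain_com.crt (leaf) and
# yourdomain_com.ca-bundle (intermediate).
make_test_ca() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Demo Root CA" 2>/dev/null
    openssl x509 -req -sha256 -in root.csr -signkey root.key -days 30 \
        -extfile ca.ext -out root.crt 2>/dev/null
    openssl req -new -sha256 -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -sha256 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out yourdomain_com.ca-bundle 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$HOST" > leaf.ext
    openssl x509 -req -sha256 -in server.csr -CA yourdomain_com.ca-bundle -CAkey inter.key \
        -CAcreateserial -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null
    # Reproduce a real-world nuisance: deliver the leaf with no trailing newline,
    # so a plain `cat` glues its END line onto the bundle's BEGIN line.
    printf '%s' "$(cat leaf.pem)" > yourdomain_com.crt
}

# Step 3: leaf first, then the intermediates. `awk 1` re-terminates every
# line, so the markers always land on lines of their own.
make_chain() { awk 1 yourdomain_com.crt yourdomain_com.ca-bundle > mysite_com.crt; }

# Number of PEM blocks whose BEGIN marker is on a line by itself.
pem_count() { grep -c -x -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Can a client that trusts only root.crt build a path from the served chain?
chain_ok() {
    openssl verify -CAfile root.crt -untrusted mysite_com.crt yourdomain_com.crt 2>/dev/null \
        | grep -q ': OK$'
}

# Does server.key belong to the certificate we are about to serve? Compare the
# SubjectPublicKeyInfo from both sides rather than eyeballing moduli.
key_matches_cert() {
    [ "$(openssl x509 -noout -pubkey -in yourdomain_com.crt)" = \
      "$(openssl pkey -pubout -in server.key 2>/dev/null)" ]
}

make_csr
make_test_ca
cat yourdomain_com.crt yourdomain_com.ca-bundle > glued.crt   # the naive join, for comparison
make_chain
echo "CSR subject: $(csr_subject)"
echo "PEM blocks with cat: $(pem_count glued.crt), with awk 1: $(pem_count mysite_com.crt)"
chain_ok && echo "mysite_com.crt verifies up to the root"
key_matches_cert && echo "server.key matches yourdomain_com.crt"
```

On a real deployment replace the test CA section with the files Comodo sent, point chain_ok at the system trust store instead of root.crt, and keep the two checks: a chain that fails them locally will show up as "Verify return code: 21" in s_client and as an untrusted-chain warning on older browsers.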