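I wanted to tinker with a self-signed HTTPS setup. I installed the CA certificate on iOS, but access still throws an error, and I don't think I configured anything wrong.
The my-openssl.cnf file is as follows:
CA signing command:
Certificate signing command:
I've put the relevant files in the attachment; since I'm going to redo all of this later anyway, posting them is no problem. I'd appreciate it if any MJJ who understands this could give me some pointers. I've watched several videos on how HTTPS works and still can't find where the problem is. Finally, whether or not you know where the problem is, thank you for reading this far.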
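Replies:
注册: This problem is simple, look at my avatar.
xixi3: It really is a poverty problem. I can't afford a year of SSL for my NAS, so I figured I might as well sign one myself.
表妹: What's there to buy? Let's Encrypt is free. The certificates are only valid for 90 days, but set up acme.sh/lego and they renew automatically.
xixi3: Anyway, with all sorts of problems tangled together, in the end directly importing a long-lived certificate is the best solution.
这是最好的年代: Because QNAP can only import certificates. If you set up Acme, since there is no official CLI import, you can only install nginx on top as a reverse proxy, but installing that much eats into memory (it gets very laggy), so importing a long-lived certificate once is the most convenient.
xixi3: Also, QNAP officially supports Acme, but only with validation over ports 80 and 443, and those ports are blocked by the ISP. To use DNS validation, since there is no official certificate import API, you have to install a bunch of stuff for reverse proxying, and that brings us back to the memory problem.
xixi3: You need to include the extended key usage serverAuth.
xixi3: OK, thanks.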
iks: I signed one for you (public key, private key, and root certificate).
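注册: Holy crap, I can't thank you enough.
注册: Thanks, bro. I compared a few fields and it clicked; I've now successfully signed a working one myself. To be a bit cliché: may good people have peace all their lives!
xixi3: Damn, a bunch of stuff got censored. For the original certificate public key, see https://static.gmx0.cn/files/other/qingmuhy.com.cert.txt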
xixi3: It's mainly this: `extendedKeyUsage = serverAuth, clientAuth`

```
[server_cert]
# Extensions for a typical cross CA (`man x509v3_config`).
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
authorityInfoAccess = OCSP;URI:http://pki.iks.moe/ocsp, caIssuers;URI:http://pki.iks.moe/static/cert/YoungdoSecureSiteCAR2.crt
certificatePolicies = ia5org, @pl_section
crlDistributionPoints = URI:http://pki.iks.moe/static/crl/YoungdoSecureSiteCAR2.crl
extendedKeyUsage = serverAuth, clientAuth

[pl_section]
policyIdentifier = 2.23.140.1.2.2
CPS.1 = https://pki.iks.moe/CPS/YoungdoTrustServices
```
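The fix discussed above, as an added example that is not part of any post in the thread: it signs the same CSR twice under a throwaway CA, once without and once with `extendedKeyUsage = serverAuth`, then checks each certificate. The CA name, the host name `nas.example.test`, the file names and the section name `no_eku` are constructed for illustration; the SAN and the 397-day validity go beyond the thread and follow Apple's published requirements for iOS 13 and later.

```bash
#!/usr/bin/env bash
# Added example with constructed names; not the poster's files or config.
set -eu
work=$(mktemp -d)

cat > "$work/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Home CA
[v3_ca]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
[no_eku]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:nas.example.test
[server_cert]
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:nas.example.test
extendedKeyUsage = serverAuth
EOF

# Self-signed root, plus one leaf key/CSR that both leaf certificates reuse.
openssl req -x509 -config "$work/demo.cnf" -newkey rsa:2048 -nodes -sha256 \
  -days 3650 -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
openssl req -new -config "$work/demo.cnf" -subj "/CN=nas.example.test" \
  -newkey rsa:2048 -nodes -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null

sign_leaf() {        # $1 = extension section in demo.cnf, $2 = output certificate
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 397 -sha256 -extfile "$work/demo.cnf" -extensions "$1" \
    -out "$2" 2>/dev/null
}
chain_ok() {         # OpenSSL's own path validation for the TLS-server purpose
  openssl verify -CAfile "$work/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}
has_server_auth() {  # the EKU the thread identifies as the missing piece
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

sign_leaf no_eku "$work/bad.crt"
sign_leaf server_cert "$work/good.crt"
for c in bad good; do
  chain_ok "$work/$c.crt" && v=pass || v=fail
  has_server_auth "$work/$c.crt" && e=present || e=missing
  echo "$c.crt: openssl verify=$v, serverAuth EKU=$e"
done
```

Both certificates pass `openssl verify`, so that command alone does not catch the missing EKU; inspect the extension itself before importing a certificate. The leaf sections here use `digitalSignature, keyEncipherment` instead of the `keyCertSign` bit in the posted config, because RFC 5280 does not permit `keyCertSign` when `CA` is false.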
iks: I recommend this: https://github.com/FiloSottile/mkcert
iks: Thanks, bro. It's a nice project; I wish I'd found it sooner.