在windows下制作https证书

June 15, 2018
https证书

字数:4214

引子

certbot官网带我来到这里:
https://community.letsencrypt.org/t/list-of-client-implementations/2103/3

然后找到这个开源项目:
https://github.com/PKISharp/win-acme

然后从这里下载程序:
https://github.com/PKISharp/win-acme/releases

内网主机安装失败

运行程序即可,制作证书过程如下:

N: Create new certificate
M: Create new certificate with advanced options
L: List scheduled renewals
R: Renew scheduled
S: Renew specific
A: Renew *all*
V: Revoke certificate
C: Cancel scheduled renewal
X: Cancel *all* scheduled renewals
Q: Quit

Please choose from the menu: m

[INFO] Running in Advanced mode

1: Single binding of an IIS site
2: SAN certificate for all bindings of an IIS site
3: SAN certificate for all bindings of multiple IIS sites
4: Manually input host names
C: Cancel

Which kind of certificate would you like to create?: 4

Enter comma-separated list of host names, starting with the primary one: xltx.com

[INFO] Plugin Manual generated target [Manual] [1 binding - bank.xltx.com]

1: [dns-01] Azure DNS
2: [dns-01] Run external program/script to create and update records
3: [http-01] Save file on local (network) path
4: [http-01] Self-host verification files (recommended)
5: [http-01] Upload verification file to FTP(S) server
6: [http-01] Upload verification file to WebDav path
C: Cancel

How would you like to validate this certificate?: 3

Enter a site path (the web root of the host for http authentication): D:\dev\workspace\4.7.2\xltx_bankserv\webapp

Copy default web.config before validation? (y/n): - yes

1: Create or update ftps bindings in IIS
2: Create or update https bindings in IIS
3: Do not run any installation steps
4: Run a custom script
C: Cancel

Which installer should run for the certificate?: 3

[INFO] Authorize identifier: bank.xltx.com
[INFO] Authorizing bank.xltx.com using http-01 validation (FileSystem)
[INFO] Answer should now be browsable at http://bank.xltx.com/.well-known/acme-challenge/AHTsVFBYcgcIuCZYl72MYMDRqi8hZOWGMoasXr90Udo
[EROR] Authorization result: invalid
[EROR] ACME server reported:
[EROR] [type] urn:acme:error:unknownHost
[EROR] [detail] No valid IP addresses found for bank.xltx.com
[EROR] [status] 400
[EROR] Create certificate failed

只有10次试错机会,不然等下一个3小时吧。一直不成功,猜测是域名解析的IP与主机IP不一致

云主机OK

在云服务器上再试一下,顺畅地就通过了,生成了一堆文件:

bank.xltx.com.history.json
bank.xltx.com-all.pfx
bank.xltx.com-chain.pem
bank.xltx.com-crt.der
bank.xltx.com-crt.pem
bank.xltx.com-csr.pem
bank.xltx.com-gen-csr.json
bank.xltx.com-gen-key.json
bank.xltx.com-key.pem
ca-bank.xltx.com-crt.der
ca-bank.xltx.com-crt.pem
Registration
Renewals
Signer

找个tomcat,新建一个程序,xltx_bank,然后配置一下web.xml和tomcat的server.xml。

server.xml里加这一段(参考自https://blog.csdn.net/reaper1022/article/details/52196378),选两个pem文件试试居然可以:

<Connector  
          protocol="org.apache.coyote.http11.Http11AprProtocol"  
          port="8443" maxThreads="200"  
           scheme="https" secure="true" SSLEnabled="true"  
          SSLCertificateFile="C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/bank.xltx.com-crt.pem"  
          SSLCertificateKeyFile="C:/ProgramData/win-acme/httpsacme-v01.api.letsencrypt.org/bank.xltx.com-key.pem"  
         SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"  />

还要加一个host配置:

<Host name="bank.xltx.com"  appBase=""
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
            <Context path="" docBase="C:\dev\apache-tomcat-8.0.52\webapps\xltx_bank" debug="0" reloadable="true"/>
</Host>

WEB-INF\web.xml内容如下:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaeehttp://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
  <display-name>xltx_bank</display-name>
  </web-app>

总结

(1)安装证书的程序可能会验证两个东西:主机IP和域名IP,两者指向要一致;这个结论没有去找官方说法,只是推论。因此花生壳通过主机转发的形式,安装证书不成功
(2)能不能将可用的证书拷贝到另外的主机?(第二个主机域名访问OK)。答案是:内网的不行,https可能会直接找域名指向的主机的证书而非最终主机


loading