
[Solved] nginx SSL certificate error: emerg SSL_CTX_use_PrivateKey key failed SSL error 0B080074 x509 certificate routines X509_check_private_key key values mismatch

key crifan 1350 views 0 comments
While working on:
[Unsolved] Deploying an existing Django project on Ubuntu
the nginx configuration was:
server {
    listen  80;
    server_name asmp.xxx.com;
    client_max_body_size 50m;


    listen 443;
    ssl on;
    ssl_certificate /root/xxx/chained.pem;
    ssl_certificate_key /root/xxx/xxx-ssl/2_asmp.xxx.com.key;


    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /root/xxx/xxx-ssl/1_asmp.xxx.com_bundle.crt;
...
Result:
# nginx -s reload
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [emerg] SSL_CTX_use_PrivateKey("/root/xxx/xxx-ssl/2_asmp.xxx.com.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
That is, it reports the error:
nginx: [emerg] SSL_CTX_use_PrivateKey key failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
nginx – SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch – Stack Overflow
ssl – What does “SSL_CTX_use_PrivateKey_file” “problems getting password error” indicate in Nginx error log? – Stack Overflow
It seems that, for the pem, using openssl to regenerate a pem in the corresponding format would be enough?
Nginx SSL Certificate failed SSL: error:0B080074:x509 (Google Cloud) – Stack Overflow
Nginx SSL: error:0B080074:x509 certificate routines: X509_check_private_key
It seems it should be changed to:
ssl_certificate /path/to/nginx_bundle.crt;
ssl_certificate_key /path/to/your.key;
Here that would be:
ssl_certificate /root/xxx/xxx-ssl/1_asmp.xxx.com_bundle.crt;
ssl_certificate_key /root/xxx/xxx-ssl/2_asmp.xxx.com.key;
Maybe that would be enough?
nginx reload reports error SSL: error:0B080074:x509 - 博乐檬 - 51CTO Blog
Nginx ssl/https configuration - 每天进步一点 - 51CTO Blog
  ssl_certificate /var/www/sslkey/cacert.pem;
  ssl_certificate_key /var/www/sslkey/privkey.pem;
Solved – SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch | The FreeBSD Forums
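Installing and configuring an SSL certificate and an online proxy with Nginx | 星尘独奏曲
So first, figure this out:
the two earlier files
1_asmp.xxx.com_bundle.crt
2_asmp.xxx.com.key
seem to have been obtained from Alibaba Cloud, for nginx.
I need to figure out how to use them.
And also, in the configuration borrowed from others, what
ssl_trusted_certificate
is for, and whether it can be removed here?
Earlier configurations never used ssl_trusted_certificate.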
nginx https ssl_trusted_certificate
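Configuring a Let’s Encrypt certificate in nginx – SegmentFault 思否
“ssl_trusted_certificate contains a list of trusted CA certificates in PEM format (order: child certificate on top, parent certificate below), used to verify client certificates and OCSP responses when ssl_stapling is enabled.”
Perhaps if OCSP stapling and the like is not enabled here, it is not needed.
Configuring a high-performance, high-security https TLS service under Nginx – Tech Ideas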
Module ngx_http_ssl_module
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
“Syntax:
ssl_trusted_certificate file;
Default:
Context:
http, server
This directive appeared in version 1.3.7.
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
In contrast to the certificate set by ssl_client_certificate, the list of these certificates will not be sent to clients.”
Changed to:
    listen 443;
    ssl on;
    # ssl_certificate /root/xxx/chained.pem;
    ssl_certificate 1_asmp.xxx.com_bundle.crt;
    ssl_certificate_key /root/xxx/xxx-ssl/2_asmp.xxx.com.key;


    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;


    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /root/xxx/xxx-ssl/1_asmp.xxx.com_bundle.crt;
Result:
# nginx -s reload  
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/xxx.conf:7
It looks like there is no problem now.
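
The "key values mismatch" error above is OpenSSL comparing the public key of the first certificate in the ssl_certificate file with the ssl_certificate_key. As an added example (not part of the original post), this script makes the same comparison with the openssl CLI before nginx is reloaded; it assumes openssl is installed, and the a/b file names and example.test subjects are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI is installed.
# nginx hands OpenSSL the FIRST certificate in the ssl_certificate file plus the
# ssl_certificate_key; "key values mismatch" means their public keys differ.

# Return 0 if key file $2 belongs to the first certificate in $1,
# 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    # openssl x509 reads only the first PEM certificate in a bundle
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
}

# Build constructed sample files in directory $1: two self-signed pairs
# (a.key/a.crt, b.key/b.crt) and two bundles that differ only in order.
make_demo_files() {
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$n.example.test" \
            -keyout "$1/$n.key" -out "$1/$n.crt" 2>/dev/null || return 1
    done
    cat "$1/a.crt" "$1/b.crt" > "$1/a_first.pem"   # cert for a.key comes first
    cat "$1/b.crt" "$1/a.crt" > "$1/b_first.pem"   # same certs, other order
}

# Print a one-line verdict for certificate file $1 and key file $2.
report() {
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: $2 matches the first certificate in $1" ;;
        1) echo "MISMATCH: $2 does not match the first certificate in $1" ;;
        *) echo "ERROR: cannot parse $1 or $2" ;;
    esac
}

if [ "$#" -eq 2 ]; then
    report "$1" "$2"    # pass the ssl_certificate and ssl_certificate_key paths
else
    d=$(mktemp -d) && make_demo_files "$d" && {
        report "$d/a_first.pem" "$d/a.key"   # OK
        report "$d/b_first.pem" "$d/a.key"   # MISMATCH: a.crt is present but not first
    }
    rm -rf "$d"
fi
```

Run with two arguments, it checks a real pair, for example the chained.pem and 2_asmp.xxx.com.key paths from the first configuration.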
