2015年7月

StartSSL部署记录[Apache]

申请流程请移步OSC相关文章

我这边是给开发机申请https,使用的过程中有遇到安卓部分版本的操作系统无法验证证书从而导致请求被挂起的现象。

补救方法就是在apache配置文件中将StartSSL的CA一并带进去

  1. 访问StartSSL相关下载页面并下载sub.class1.server.ca.pem传送门
  2. 部署CA证书
  3. 重启apache,完事收工~

两个测试https的网站

https://www.sslshopper.com/ssl-checker.html
https://www.ssllabs.com/ssltest/analyze.html

PositiveSSL 部署记录[Apache]

前段时间在namecheap购买了PositiveSSL(便宜),今天在开发机上部署的时候出了些幺蛾子,几经周则总算部署上去了。下面直接记录步骤

申请

  • 生成csr和key,用于生成证书
[skidu@localhost ~]# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
Generating a 2048 bit RSA private key
.........................+++
.....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                       # CN
State or Province Name (full name) []:Beijing              # 地区
Locality Name (eg, city) [Default City]:Beijing            # 地区
Organization Name (eg, company) [Default Company Ltd]:     # 公司、组织名称等
Organizational Unit Name (eg, section) []:                 # 部门名称,也可以和前一项一样
Common Name (eg, your name or your server's hostname) []:  # 证书对应的域名,如 www.skidu.me 
                                                           # 如果是Wildcard Certificate则可以用通配符,如 *.skidu.me
Email Address []:                                          # 管理员邮箱,一般是 postmaster@domain.com 格式

lease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                        # 管理密码,根据需要设置或者流寇
An optional company name []:                    # 
  • 将server.csr的内容在namecheap页面提交后会收到一封来自comodo.com的确认信,然后拿着信中提供的验证码到指定的地方去完成验证。
  • 接着就会收到一封带有附件的邮件了,附件内容列表大致如下
Root CA Certificate - AddTrustExternalCARoot.crt
Intermediate CA Certificate - COMODORSAAddTrustCA.crt
Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt
Your PositiveSSL Wildcard Certificate -www_skidu_me.crt
  • 至此申请步骤结束

部署

  • 上传邮件附件至服务器任意位置(假设是/path/to/ssl)
  • 提取CA证书(以前他家是会直接提供一个叫PositiveCA的证书的,现在貌似没有了)
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >> ca.crt
  • 编辑httpd.conf,打开下列module的引用
mod_socache_shmcb.so
mod_ssl.so
  • 让apache监听443端口
Listen 443
  • 配置虚拟主
<VirtualHost *:443>
    ServerName www.skidu.me
    DocumentRoot /data/skidume
    DirectoryIndex index.php index.html
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile    "/path/to/ssl/www_skidu_me.crt"
    SSLCertificateKeyFile "/path/to/ssl/server.key"
    SSLCertificateChainFile "/path/to/ssl/ca.crt"

    BrowserMatch MSIE \
        nokeepalive \
        ssl-unclean-shutdown \
        downgrade-1.0 \
        force-response-1.0

    <Directory /data/skidume>
        Options FollowSymLinks
        AllowOverride All
        Order deny,allow
        Allow from all
        Require all granted
        php_admin_value open_basedir /data/skidume:/data/tmp
    </Directory>
</VirtualHOst>
  • 重启apache,大功告成