http://www.startssl.com/?app=42
First, note that the certificate I obtained is a class2 certificate; ssl.crt and ssl.key were both generated on the official site.
1. Decrypt your key
openssl rsa -in ssl.key -out /usr/local/nginx/ssl/ssl.key
2. Fetch the Root CA and Class 1 Intermediate Server CA certificates:
The part in red has to be replaced (the official site explains this), because mine is class2
wget http://www.startssl.com/certs/ca.pem
wget http://www.startssl.com/certs/sub.class2.server.ca.pem
3. For me, the following step produced an error
cat ssl.crt sub.class1.server.ca.pem ca.pem > /usr/local/nginx/conf/ssl.crt
service nginx restart
Restarting nginx: nginx: [emerg] SSL_CTX_use_certificate_chain_file("/usr/local/nginx/ssl/ssl.crt") failed (SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib)
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
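After many attempts I found that a newline was missing between ssl.crt and sub.class1.server.ca.pem; adding it fixed the problem. You do not have to use the cat command either: just copy and paste in vim onto the end of ssl.crt.
4. Add the following block to the nginx configuration file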
server {
    listen 443;
    root /home/wwwroot/default/;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/ssl.crt;
    ssl_certificate_key /usr/local/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
}
It should now be working properly.
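
The missing line break from step 3 can be both avoided and detected in the shell. The following is an added example, not part of the original post: join_pem, pem_chain_ok and make_pem are hypothetical helper names, and the certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Concatenate PEM files, adding a newline after any file that lacks one.
join_pem() {
    for f in "$@"; do
        cat "$f" || return 1
        # $(...) strips a trailing newline, so a non-empty result means
        # the file's last byte is not a newline.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n'
        fi
    done
}

# Succeed only if every BEGIN/END marker is on a line of its own and the
# counts match. A fused "-----END CERTIFICATE----------BEGIN ..." line fails.
pem_chain_ok() {
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    marks=$(grep -c -e '-----BEGIN CERTIFICATE-----' \
                    -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] &&
        [ "$marks" -eq $((begins + ends)) ]
}

# Constructed placeholder "certificate" (not a real one), no trailing newline.
make_pem() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "$1" \
        '-----END CERTIFICATE-----'
}

dir=$(mktemp -d)
make_pem TEVBRg== > "$dir/ssl.crt"          # leaf, ends without a newline
{ make_pem SU5URVI=; echo; } > "$dir/sub.class2.server.ca.pem"
{ make_pem Uk9PVA==; echo; } > "$dir/ca.pem"

cd "$dir" || exit 1
cat ssl.crt sub.class2.server.ca.pem ca.pem > chain.bad     # plain cat
join_pem ssl.crt sub.class2.server.ca.pem ca.pem > chain.good

for c in chain.bad chain.good; do
    if pem_chain_ok "$c"; then echo "$c: markers OK"
    else echo "$c: fused or unbalanced BEGIN/END markers"; fi
done
```

The marker check only catches the framing problem behind the "bad end line" error; nginx -t still has to parse the real certificates.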