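# Install nginx and create a private CA with easy-rsa's build-* scripts for
# client-certificate authentication. Run as root; the build-* steps are interactive.
apt-get install nginx-full
cd /etc/nginx/
# CA and certificate generation:
apt-get install easy-rsa
cp -R /usr/share/easy-rsa/ /etc/nginx/
# The CA's private key will be created inside this tree, so keep it root-only.
# The web server itself only needs ca.crt to verify clients; consider keeping
# the CA key on a separate machine instead of next to the server config.
chmod 0700 /etc/nginx/easy-rsa/
# Edit "vars" (CA subject defaults) before sourcing it.
# vars, clean-all and build-* live in the easy-rsa directory, so change into it
# first — the notes originally sourced ./vars from /etc/nginx, where it does not exist.
cd /etc/nginx/easy-rsa/
. ./vars
./clean-all
./build-ca
./build-dh
# Replace "localhost" with the real hostname clients will connect to; the
# subject name must match it, otherwise hostname verification on the client
# side (e.g. apt's Verify-Host) has to be switched off.
./build-key-server localhost
#   Sign the certificate? [y/n]:y
#   1 out of 1 certificate requests certified, commit? [y/n]y
./build-key client
#   Sign the certificate? [y/n]:y
#   1 out of 1 certificate requests certified, commit? [y/n]y
service nginx restart
# Bundle the client key+cert as PKCS#12 so it can be imported into Google Chrome.
# -export asks for an export password; /tmp is shared, so restrict the bundle
# and delete it once it has been imported.
openssl pkcs12 -export -out /tmp/client.pfx -inkey /etc/nginx/easy-rsa/keys/client.key -in /etc/nginx/easy-rsa/keys/client.crt
chmod 0600 /tmp/client.pfx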
Pokud budu generovat certifikaty pro dalsi klienty:
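# Issuing a certificate for an additional client (one key pair per machine):
cd /etc/nginx/easy-rsa/
# Sourcing vars first is essential — the build scripts take their settings from it.
. ./vars
./build-key clientABC
#   Sign the certificate? [y/n]:y
#   1 out of 1 certificate requests certified, commit? [y/n]y
# Stage the files for transfer to the client. cp does not preserve the source
# mode, so with the usual root umask the private key would land world-readable
# in the shared /tmp; tighten it immediately and remove the copies after transfer.
cp /etc/nginx/easy-rsa/keys/{ca.crt,clientABC.crt,clientABC.key} /tmp/
chmod 0600 /tmp/clientABC.key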
Po otevreni https://localhost/ (a odsouhlaseni neduveryhodneho certifikatu) v Chrome dostanu:
400 Bad Request
No required SSL certificate was sent
nginx/1.9.3 (Ubuntu)
Po naimportovani /tmp/client.pfx do Chromu dostanu stranku (HTTP 200 OK):
Welcome to nginx!
If you see this page, the nginx web server is successfully installed and working....
# apt needs the https transport before it can fetch from the TLS-only repository.
apt-get install apt-transport-https
Do /etc/apt/sources.list.d/test.list dam:
deb https://localhost/ ./
root@martin:# apt-get update
Hit http://cz.archive.ubuntu.com wily InRelease
...
Hit http://cz.archive.ubuntu.com wily/restricted amd64 Packages
Hit http://cz.archive.ubuntu.com wily/universe amd64 Packages
Hit http://cz.archive.ubuntu.com wily-updates/restricted Sources
Err https://localhost ./ Packages
server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
Hit http://cz.archive.ubuntu.com wily-updates/universe Sources
W: Failed to fetch https://localhost/./Packages server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@martin:/etc/nginx#
Do /etc/apt/apt.conf.d/90test dam:
#Acquire::https::test.com {
Acquire::https::localhost {
Verify-Peer "true";
Verify-Host "false";
CaInfo "/etc/apt/ca.crt";
SslCert "/etc/apt/client.crt";
SslKey "/etc/apt/client.key";
};
Pro self-signed certifikaty je potreba mit Verify-Host=false, pokud subjekt serveroveho certifikatu neodpovida hostname v sources.list (tim se ale vypne kontrola hostname a apt prijme jakykoli certifikat podepsany CA z CaInfo; bezpecnejsi je vystavit serverovy certifikat na skutecny hostname, viz build-key-server vyse, a nechat Verify-Host=true). Pokud je true a jmena nesedi, muzou nastavat chyby:
certificate subject name (localhost) does not match target host name 'example.net'
Kazdy PC musi mit certifikat ca a svuj certifikat a svuj klic:
# Every client needs the CA cert plus its own cert and private key; the
# destination paths match the CaInfo/SslCert/SslKey entries in 90test above.
# cp does not preserve the source mode, so check the resulting mode of
# client.key and restrict it to the user apt's https method runs as on this
# release — TODO confirm which user that is before tightening to 0600.
cp /etc/nginx/easy-rsa/keys/{ca.crt,client.crt,client.key} /etc/apt/
Ted apt-get update vraci HTTP 404, protoze na webserveru nejsou zadne balicky (overeni certifikatu uz ale projde):
root@martin:# apt-get update
Get:1 https://localhost ./ InRelease [177 B]
Ign https://localhost ./ InRelease
Get:2 https://localhost ./ Release.gpg [177 B]
Ign https://localhost ./ Release.gpg
Get:3 https://localhost ./ Release [177 B]
Ign https://localhost ./ Release
Get:4 https://localhost ./ Packages [177 B]
Get:5 https://localhost ./ Translation-en [177 B]
Get:6 https://localhost ./ Translation-cs [177 B]
Get:7 https://localhost ./ Packages [177 B]
Get:8 https://localhost ./ Translation-en [177 B]
Get:9 https://localhost ./ Translation-cs [177 B]
Get:10 https://localhost ./ Packages [177 B]
Get:11 https://localhost ./ Translation-en [177 B]
Get:12 https://localhost ./ Translation-cs [177 B]
Hit http://cz.archive.ubuntu.com wily InRelease
Get:13 https://localhost ./ Packages [177 B]
Get:14 https://localhost ./ Translation-en [177 B]
Get:15 https://localhost ./ Translation-cs [177 B]
Get:16 https://localhost ./ Packages [177 B]
Err https://localhost ./ Packages
HttpError404
Get:17 https://localhost ./ Translation-en [177 B]
Ign https://localhost ./ Translation-en
Get:18 https://localhost ./ Translation-cs [177 B]
Ign https://localhost ./ Translation-cs
Hit http://security.ubuntu.com wily-security/universe Translation-en
W: Failed to fetch https://localhost/./Packages HttpError404
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@martin:#
Testovano na:
root@martin:/# uname -a
Linux martin 4.2.0-34-generic #39-Ubuntu SMP Thu Mar 10 22:13:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
root@martin:/# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 15.10
Release: 15.10
Codename: wily
root@martin:/#