[Question title]: localhost self-signed certificate across LAN in XAMPP
[Posted]: 2019-08-27 07:43:31
[Question]:

I have localhost with SSL and it works fine on my local PC, but SSL does not work across the LAN. Because I am using a self-signed certificate, I have to install the certificate on every PC that will open the site, but it only works on the PC hosting the website, not on the other PCs on the LAN.

I don't want to host my website online because I am in development mode.

My local PC:

hosts file:

127.0.0.1 gofashion_chat.test

httpd-xampp.conf

<VirtualHost *:80>
    DocumentRoot "C:/xampp/htdocs/gofashion"
    ServerName gofashion_chat.test
    ServerAlias *.gofashion_chat.test
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "C:/xampp/htdocs/gofashion"
    ServerName gofashion_chat.test
    ServerAlias *.gofashion_chat.test
    SSLEngine on
    SSLCertificateFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.crt"
    SSLCertificateKeyFile "C:/xampp/htdocs/gofashion/cert/gofashion_chat.test/server.key"
</VirtualHost>

Certificate in the browser:

PC on the LAN:

hosts file:

192.168.10.7 gofashion_chat.test

Certificate in the LAN PC's browser:

server.crt is installed on both PCs.

How do I solve the SSL problem across the LAN?

Edit:

This is the bat file I use to generate the certificate:

@echo off

set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "

SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%

SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%

(
echo [req]
echo default_bits = 2048
echo prompt = no
echo default_md = sha256
echo req_extensions      = v3_req
echo x509_extensions     = x509_ext
echo distinguished_name  = dn
echo:
echo [dn]
echo C = %COUNTRY%
echo ST = %STATE%
echo L = %CITY%
echo O = %ORGANIZATION%
echo OU = %ORGANIZATION_UNIT%
echo emailAddress = %EMAIL%
echo CN = %FULL_DOMAIN%
echo:
echo [v3_req]
echo subjectAltName         = @alt_names
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints       = critical, CA:TRUE, pathlen:1
echo keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [x509_ext]
echo subjectAltName         = @alt_names
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid:always, issuer:always
echo basicConstraints       = critical, CA:TRUE, pathlen:1
echo keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [alt_names]
echo DNS.1 = *.%FULL_DOMAIN%
echo DNS.2 = %FULL_DOMAIN%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf

C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf

echo.
echo -----
echo The certificate was provided.
echo.
pause

This is the other one I use to generate the certificate.

@echo off

set /p domain="Enter Domain without TLD (E.g 'facebook', 'google'): "
set /p com_tld="Enter Domain TLD (E.g 'com', 'test'): "

SET HOSTNAME=%domain%
SET DOT=%com_tld%
SET COUNTRY=US
SET STATE=KS
SET CITY=Olathe
SET ORGANIZATION=IT
SET ORGANIZATION_UNIT=IT Department
SET FULL_DOMAIN=%HOSTNAME%.%DOT%
SET EMAIL=webmaster@%FULL_DOMAIN%

SET OPENSSL_CONF=C:\xampp\apache\conf\openssl.cnf

if not exist .\%HOSTNAME%.%DOT% mkdir .\%FULL_DOMAIN%

(
echo [ req ]
echo default_bits        = 2048
echo default_keyfile     = server-key.pem
echo distinguished_name  = subject
echo req_extensions      = req_ext
echo x509_extensions     = x509_ext
echo string_mask         = utf8only
echo:
echo [ subject ]
echo countryName                 = Country Name ^(2 letter code^)
echo countryName_default         = %COUNTRY%
echo stateOrProvinceName         = State or Province Name ^(full name^)
echo stateOrProvinceName_default = %STATE%
echo localityName                = Locality Name ^(eg, city^)
echo localityName_default        = %CITY%
echo organizationName            = Organization Name ^(eg, company^)
echo organizationName_default    = %ORGANIZATION%
echo commonName                  = Common Name ^(e.g. server FQDN or YOUR name^)
echo commonName_default          = %HOSTNAME%.%DOT%
echo emailAddress                = Email Address
echo emailAddress_default        = %EMAIL%
echo:
echo [ x509_ext ]
echo subjectKeyIdentifier   = hash
echo authorityKeyIdentifier = keyid,issuer
echo basicConstraints       = CA:FALSE
echo keyUsage               = digitalSignature, keyEncipherment
echo subjectAltName         = @alternate_names
echo nsComment              = "OpenSSL Generated Certificate"
echo:
echo [ req_ext ]
echo subjectKeyIdentifier = hash
echo basicConstraints     = CA:FALSE
echo keyUsage             = digitalSignature, keyEncipherment
echo subjectAltName       = @alternate_names
echo nsComment            = "OpenSSL Generated Certificate"
echo:
echo [ alternate_names ]
echo:
echo DNS.1 = *.%HOSTNAME%.%DOT%
echo DNS.2 = %HOSTNAME%.%DOT%
)>%FULL_DOMAIN%\%HOSTNAME%.cnf

C:\xampp\apache\bin\openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout %FULL_DOMAIN%\server.key -days 356 -out %FULL_DOMAIN%\server.crt -config %FULL_DOMAIN%\%HOSTNAME%.cnf

echo.
echo -----
echo The certificate was provided.
echo.
pause

[Discussion]:

    Tags: ssl xampp localhost lan


    [Solution 1]:

    Your screenshot shows that the certificate used is allowed for

    • All issuance policies
    • All application policies

    But you want to use it as a web server certificate, so the certificate needs the following purpose:

    • Ensures the identity of a remote computer

    I assume it works on your computer because the web browser recognizes that the server is running on a local network interface - so it is not a "remote computer", and therefore it works even though the certificate does not allow this purpose.

    [Discussion]:

    • I don't know anything about these details. This is my first time. Can you provide a solution? What should I do to get rid of this error on PCs on the LAN?
    • @Faizan Once a certificate is signed, its data cannot be changed. So you have to generate and sign a new certificate - see e.g. here stackoverflow.com/a/10176685/150978
    • But how do you make a self-signed certificate with "Ensures the identity of a remote computer"? openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 does not add "Ensures the identity of a remote computer" to the certificate
    • @Faizan It looks like you have to configure keyUsage via a config file superuser.com/questions/738612/openssl-ca-keyusage-extension
    • I have added my bat file code above. Have a look at it. I have used the configuration you described, but still can't get the certificate to access SSL from a LAN or remote computer
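
The discussion above turns on which X.509 extensions the generated certificate carries. The following is an added example, not code from the question or from either answer: a small lint for the OpenSSL request config (.cnf) that the batch scripts in the question write. It parses the `[x509_ext]` section, resolves the `@alt_names` reference, and reports why a browser on another PC would not accept the resulting self-signed server certificate for a given hostname (a CA:TRUE leaf, no `extendedKeyUsage = serverAuth`, a hostname missing from subjectAltName). Both sample configs are constructed here; the first mirrors the `[x509_ext]` section of the asker's first .bat file, the second is a corrected server-certificate profile.

```python
# Added example (not code from the question or either answer): lint an OpenSSL
# request config for a self-signed *server* certificate. Sample configs are
# constructed for the example and mirror the profiles discussed above.
import re

# Constructed sample: the [x509_ext] profile the asker's first .bat writes (CA:TRUE, no EKU).
ASKER_STYLE_CNF = """
[req]
x509_extensions = x509_ext
[x509_ext]
subjectAltName         = @alt_names
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:TRUE, pathlen:1
keyUsage               = critical, cRLSign, digitalSignature, keyCertSign
[alt_names]
DNS.1 = *.gofashion_chat.test
DNS.2 = gofashion_chat.test
"""

# Constructed sample: a leaf server-certificate profile with the purpose made explicit.
FIXED_CNF = """
[ req ]
x509_extensions = x509_ext
[ x509_ext ]
subjectKeyIdentifier   = hash
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = @alt_names
[ alt_names ]
DNS.1 = gofashion_chat.test
DNS.2 = *.gofashion_chat.test
"""


def parse_openssl_cnf(text):
    """Minimal parser for the INI-like OpenSSL config: {section: {key: value}}.
    '#' starts a comment; section headers look like '[name]' or '[ name ]'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _csv(value):
    """Split an OpenSSL comma-separated extension value into its items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def san_matches(pattern, hostname):
    """Hostname match as browsers do it: exact, or one leading wildcard label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def check_server_cert_config(text, hostname, ext_section="x509_ext"):
    """Return a list of findings; an empty list means the profile describes a
    sane self-signed *server* certificate covering `hostname`."""
    cfg = parse_openssl_cnf(text)
    ext = cfg.get(ext_section)
    if ext is None:
        return [f"extension section [{ext_section}] not found"]
    findings = []

    # A leaf certificate for a web server must not be a CA.
    if "ca:true" in [v.lower() for v in _csv(ext.get("basicConstraints", ""))]:
        findings.append("basicConstraints is CA:TRUE; a server certificate should be CA:FALSE")

    # State the purpose explicitly: serverAuth is the "Ensures the identity of a
    # remote computer" entry in the Windows certificate dialog.
    eku = _csv(ext.get("extendedKeyUsage", ""))
    if not any(e in ("serverAuth", "1.3.6.1.5.5.7.3.1") for e in eku):
        findings.append("extendedKeyUsage does not include serverAuth")

    # The TLS handshake needs digitalSignature in keyUsage.
    if "digitalSignature" not in _csv(ext.get("keyUsage", "")):
        findings.append("keyUsage lacks digitalSignature")

    # Modern browsers match the hostname against subjectAltName, not the CN;
    # resolve an '@section' reference or an inline 'DNS:name' list.
    san = ext.get("subjectAltName", "")
    if san.startswith("@"):
        names = [v for k, v in cfg.get(san[1:], {}).items() if k.split(".")[0] == "DNS"]
    else:
        names = [p[4:] for p in _csv(san) if p.startswith("DNS:")]
    if not any(san_matches(n, hostname) for n in names):
        findings.append(f"subjectAltName does not cover {hostname} (have: {names or 'none'})")
    return findings


if __name__ == "__main__":
    for label, cnf in (("asker-style", ASKER_STYLE_CNF), ("fixed", FIXED_CNF)):
        print(label, check_server_cert_config(cnf, "gofashion_chat.test") or "OK")
```

Run against the asker-style profile the lint reports the CA:TRUE leaf and the missing serverAuth purpose; the corrected profile passes for `gofashion_chat.test` and for any one-label subdomain of it. Swapping `.cnf` text for a file read (`open(path).read()`) is all that is needed to check a real config before running `openssl req`.
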
    [Solution 2]:

    This may be late, but worth a try ^_^

    Don't use gofashion_chat.test to specify your localhost; just use computername.domain. This saves you the time of editing the hosts file on every computer that needs to access the website.

    Create a folder in apache. Folder name: crt

    Create a file named cert-template.conf and save it in the crt folder. Below are the contents of cert-template.conf.

    [ req ]
    
    default_bits        = 2048
    default_keyfile     = server-key.pem
    distinguished_name  = subject
    req_extensions      = req_ext
    x509_extensions     = x509_ext
    string_mask         = utf8only
    
    [ subject ]
    
    countryName                 = Country Name (2 letter code)
    countryName_default         = TE
    
    stateOrProvinceName         = State or Province Name (full name)
    stateOrProvinceName_default = TEST
    
    localityName                = Locality Name (eg, city)
    localityName_default        = TEST
    
    organizationName            = Organization Name (eg, company)
    organizationName_default    = TEST
    
    commonName                  = Common Name (e.g. server FQDN or YOUR name)
    commonName_default          = {{DOMAIN}}
    
    emailAddress                = Email Address
    emailAddress_default        = test@example.com
    
    [ x509_ext ]
    
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer
    
    basicConstraints       = CA:FALSE
    keyUsage               = digitalSignature, keyEncipherment
    subjectAltName         = @alternate_names
    nsComment              = "OpenSSL Generated Certificate"
    
    [ req_ext ]
    
    subjectKeyIdentifier = hash
    
    basicConstraints     = CA:FALSE
    keyUsage             = digitalSignature, keyEncipherment
    subjectAltName       = @alternate_names
    nsComment            = "OpenSSL Generated Certificate"
    
    [ alternate_names ]
    
    DNS.1       = {{DOMAIN}}
    

    Also create this file: make-cert.bat and save it in the crt folder. Below are the contents of make-cert.bat.

    @echo off
    set /p domain="Domain Name: "
    set OPENSSL_CONF=../conf/openssl.cnf
    
    REM
    REM Read the "cert-template.conf" file and replace all {{DOMAIN}} placeholders by the entered domain.
    REM Write the result into a new file called "cert.conf".
    REM
    REM @see https://stackoverflow.com/questions/5273937/how-to-replace-substrings-in-windows-batch-file#20227248
    REM
    setlocal enabledelayedexpansion
    set INTEXTFILE=cert-template.conf
    set OUTTEXTFILE=cert.conf
    set SEARCHTEXT={{DOMAIN}}
    set REPLACETEXT=%domain%
    
    if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
    for /f "tokens=1,* delims=¶" %%A in ( '"findstr /n ^^ %INTEXTFILE%"') do (
       SET string=%%A
       for /f "delims=: tokens=1,*" %%a in ("!string!") do set "string=%%b"
       if  "!string!" == "" (
           echo.>>%OUTTEXTFILE%
       ) else (
          SET modified=!string:%SEARCHTEXT%=%REPLACETEXT%!
          echo !modified! >> %OUTTEXTFILE%
      )
    )
    
    
    REM
    REM Create the target directory.
    REM
    if not exist .\%domain% mkdir .\%domain%
    
    
    REM
    REM Create the certificate and key files.
    REM
    ..\bin\openssl req -config %OUTTEXTFILE% -new -sha256 -newkey rsa:2048 -nodes -keyout %domain%\server.key -x509 -days 365 -out %domain%\server.crt
    
    
    REM
    REM Delete the written file "cert.conf" as this file would only be used to create the certificate.
    REM
    if exist %OUTTEXTFILE% del /F %OUTTEXTFILE%
    
    
    echo.
    echo -----
    echo The certificate was provided.
    echo.
    pause
    

    Run make-cert.bat; a command prompt will appear and ask you to enter the domain name. Your domain name is your computername.domain. After that you need to answer a few questions; the most important one is the Common Name. Common Name = Computername.domain.

    Install the certificate you created at crt/computername.domain/server.crt. Install Certificate > Local Machine > Place all certificates in the following store > Browse > Trusted Root Certification Authorities > Next > Finish.

    Insert this script at the bottom of httpd-xampp.conf

     <VirtualHost computername.domain:8080>
         DocumentRoot "C:/xampp/htdocs"
     </VirtualHost>
    
     <VirtualHost computername.domain:4433>
         DocumentRoot "C:/xampp/htdocs"
         SSLEngine on
         SSLCertificateFile "crt/computername.domain/server.crt"
         SSLCertificateKeyFile "crt/computername.domain/server.key"
     </VirtualHost>
    

    Restart XAMPP and try to access your localhost using https://computername.domain:4433.

    That's it. I hope you manage to complete all the steps.

    [Discussion]:
