How to get an HTTPS certificate working on a local Laravel Homestead site

Rya*_*yan 12 ssl https ssl-certificate laravel homestead

I'm running into this problem:


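The error that I see in Windows 10 Chrome Version 65.0.3325.181 (Official Build) (64-bit) is:

Your connection is not private

Attackers might be trying to steal your information from ((mysite)) (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID

This page is not secure (broken HTTPS).

Certificate - missing

This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).

Firefox Quantum 59.0.2 (64-bit) says:

Your connection is not secure

The owner of ((mysite)) has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

Connection is not secure

Could not verify this certificate because the issuer is unknown.

I've already tried: https://stackoverflow.com/a/47755133/470749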

vboxmanage --version
5.2.6r120293

vagrant -v
Vagrant 2.0.2

git branch
* (HEAD detached at v7.3.0)

vagrant box list
laravel/homestead (virtualbox, 5.2.0)

vagrant box update
==> vboxHomestead: Checking for updates to 'laravel/homestead'
    vboxHomestead: Latest installed version: 5.2.0
    vboxHomestead: Version constraints: >= 5.2.0
    vboxHomestead: Provider: virtualbox
==> vboxHomestead: Box 'laravel/homestead' (v5.2.0) is running the latest version.

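I'm wondering whether this means that I'm not yet using release 7.1.0 (whose changelog says "sign SSL certificates with a custom root certificate"), and I'm wondering whether that is why I have this SSL HTTPS problem.

What are the next steps I should try now to get the certificate working?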

x-y*_*uri 15

Unfortunately, I have no easy way to check this on Windows, so I'll be using VirtualBox running on Linux here. Install vagrant, then:

$ vagrant box add laravel/homestead
$ git clone https://github.com/laravel/homestead.git
$ cd homestead
$ git checkout v7.3.0
$ bash init.sh

I simplified Homestead.yaml a bit (you might prefer to stick with the defaults):

---
ip: "192.168.10.10"
provider: virtualbox
folders:
    - map: /home/yuri/_/la1
      to: /home/vagrant/code
sites:
    - map: homestead.test
      to: /home/vagrant/code/public

Then:

$ mkdir -p ~/_/la1/public
$ echo '<?php echo "it works";' > ~/_/la1/public/index.php

$ vagrant up

$ vagrant ssh -c 'ls /etc/nginx/sites-enabled'
homestead.test

$ vagrant ssh -c 'cat /etc/nginx/sites-enabled/homestead.test'
server {
    listen 80;
    listen 443 ssl http2;
    server_name .homestead.test;
    root "/home/vagrant/code/public";
    ...
    ssl_certificate     /etc/nginx/ssl/homestead.test.crt;
    ssl_certificate_key /etc/nginx/ssl/homestead.test.key;
}

We can see that it has the following certificates in /etc/nginx/ssl:

$ vagrant ssh -c 'ls -1 /etc/nginx/ssl'
ca.homestead.homestead.cnf
ca.homestead.homestead.crt
ca.homestead.homestead.key
ca.srl
homestead.test.cnf
homestead.test.crt
homestead.test.csr
homestead.test.key

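I tried trusting the server certificate system-wide, but it didn't work out. It appeared on the Servers tab of Firefox's Certificate Manager, but that didn't make Firefox trust it. I could probably have added an exception, but trusting the CA certificate looks like a better option. Trusting the CA certificate makes the browser trust any certificate it issues (new sites running under Homestead). So we're going to use the CA certificate here: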

$ vagrant ssh -c 'cat /etc/nginx/ssl/ca.homestead.homestead.crt' > ca.homestead.homestead.crt

$ sudo trust anchor ca.homestead.homestead.crt

$ trust list | head -n 5
pkcs11:id=%4c%f9%25%11%e5%8d%ad%5c%2a%f3%63%b6%9e%53%c4%70%fa%90%4d%77;type=cert
    type: certificate
    label: Homestead homestead Root CA
    trust: anchor
    category: authority

Then I added 192.168.10.10 homestead.test to /etc/hosts, restarted Chromium, and it worked.

P.S. I'm running Chromium 65.0.3325.162 and Firefox 59.0.

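Windows

Apparently, Windows doesn't have a trust utility. Under Windows, there are the Local Machine and Current User certificate stores. There's no point in using the Local Machine certificate store, since we're making it work only for our current user. Then, there are substores. Two predefined ones are of most interest: the Trusted Root Certification Authorities and Intermediate Certification Authorities stores. On the command line they are commonly referred to as root and CA.

You can access Chrome's certificate manager by going to chrome://settings/?search=Manage%20certificates and then clicking Manage certificates. Of most interest are the Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.

One way to manage certificates is via the command line: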

>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root

>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA

>rem GUI version of -store command
>certutil.exe -viewstore -user CA

>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt

>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1

>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA

The results are as follows (for both the Local Machine and Current User certificate stores):

root
    homestead.test.crt
        error
    ca.homestead.homestead.crt
        appears in Trusted Root Certification Authorities tab
CA
    homestead.test.crt
        doesn't work, appears in Other People tab
    ca.homestead.homestead.crt
        doesn't work, appears in Intermediate Certification Authorities tab

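Other options are double-clicking the certificate in Explorer, importing the certificate from Chrome's certificate manager, using the Certificates MMC snap-in (run certmgr.msc), or using CertMgr.exe.

For those who have grep installed, here's how to quickly check where the certificate is: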

>certutil.exe -store -user root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -user CA | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise CA | grep "homestead\|^root\|^CA"

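So, installing the CA certificate into the Current User > Trusted Root Certification Authorities store seems to be the best option. And make sure you don't forget to restart your browser.

A more in-depth explanation of how it works

The Vagrantfile requires scripts/homestead.rb, then runs Homestead.configure. That's the method that configures vagrant to make all the needed preparations.

There we can see: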

if settings.include? 'sites'
    settings["sites"].each do |site|

        # Create SSL certificate
        config.vm.provision "shell" do |s|
            s.name = "Creating Certificate: " + site["map"]
            s.path = scriptDir + "/create-certificate.sh"
            s.args = [site["map"]]
        end

        ...

        config.vm.provision "shell" do |s|
            ...
            s.path = scriptDir + "/serve-#{type}.sh"
            ...
        end

        ...
    end
end

So, these two files create the certificate and configure nginx, respectively.

Further reading

How to make a browser trust a localhost SSL certificate?
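
Added example (not part of the original answer and not Homestead's own create-certificate.sh): the script below rebuilds the CA-plus-site-certificate layout listed in /etc/nginx/ssl with throwaway keys, then uses openssl verify to show that the chain validates only when the CA certificate is the trust anchor. The subject names, key sizes, lifetimes and the wildcard SAN are assumptions.

```shell
#!/usr/bin/env bash
# Added example: rebuilds the CA -> site certificate layout from /etc/nginx/ssl
# with throwaway keys, then checks which file works as a trust anchor.
# Subjects, key sizes, lifetimes and the wildcard SAN are assumptions.

make_ca() {  # $1 = dir; writes ca.cnf, ca.key, ca.crt
    cat > "$1/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Local Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

sign_site() {  # $1 = dir holding the CA, $2 = site name; writes $2.key/.csr/.crt
    local d=$1 site=$2
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$site" > "$d/$site.cnf"
    printf '[san]\nsubjectAltName = DNS:%s,DNS:*.%s\n' "$site" "$site" >> "$d/$site.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$d/$site.cnf" \
        -keyout "$d/$site.key" -out "$d/$site.csr" 2>/dev/null
    # -CAcreateserial is what leaves a ca.srl file next to the CA certificate
    openssl x509 -req -in "$d/$site.csr" -days 30 -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/$site.cnf" -extensions san -out "$d/$site.crt" 2>/dev/null
}

# True only if leaf $2 chains to anchor $1 and is valid for host name $3.
chain_ok() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
    local d; d=$(mktemp -d)
    make_ca "$d" && sign_site "$d" homestead.test
    chain_ok "$d/ca.crt" "$d/homestead.test.crt" homestead.test && echo "CA as anchor: trusted"
    chain_ok "$d/homestead.test.crt" "$d/homestead.test.crt" homestead.test \
        || echo "leaf as anchor: issuer unknown"
    # Fingerprint to compare against the file before adding it to a trust store
    openssl x509 -in "$d/ca.crt" -noout -fingerprint -sha256
    rm -rf "$d"
}
demo
```

The same chain_ok check can be pointed at the real ca.homestead.homestead.crt and homestead.test.crt after copying them out of the box with vagrant ssh -c 'cat ...'.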