Macos 在Mac OS X上为Xampp Apache设置SSL以解决Chrome上缺少的_subjectAltName
我正试图在MacOSXYosemite上为Apache(通过XAMPP安装)设置SSL 假设我已经设置了一个名为“我的本地主机”的本地主机名。我按照说明运行以下命令设置证书:Macos 在Mac OS X上为Xampp Apache设置SSL以解决Chrome上缺少的_subjectAltName,macos,apache,google-chrome,ssl,ssl-certificate,Macos,Apache,Google Chrome,Ssl,Ssl Certificate,我正试图在MacOSXYosemite上为Apache(通过XAMPP安装)设置SSL 假设我已经设置了一个名为“我的本地主机”的本地主机名。我按照说明运行以下命令设置证书: # 1. Create host key sudo ssh-keygen -f my-local-host.key # 2. Create SSL certificate sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-h
# 1. Create host key
sudo ssh-keygen -f my-local-host.key
# 2. Create SSL certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-host.key -out my-local-host.crt
# 3. Create nopass Host Key
sudo openssl rsa -in my-local-host.key -out my-local-host.nopass.key
sudo openssl genrsa -des3 -out rootCA.key 2048
sudo openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -new -sha256 -nodes -out my-local-host.csr -newkey rsa:2048 -keyout my-local-host.key -config <( cat my-local-host.csr.cnf )
sudo openssl x509 -req -in my-local-host.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-local-host.crt -days 500 -sha256 -extfile my-local-host.v3.ext
注意:所有这些都是在/Applications/XAMPP/xamppfiles/apache2/ssl
目录中完成的
在此之后,我将虚拟主机列表添加到httpd vhosts.conf
<VirtualHost *:443>
ServerName my-local-host
DocumentRoot "/path/to/my-local-host/files"
SSLEngine on
SSLCertificateFile "/Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.crt"
SSLCertificateKeyFile "/Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/Applications/XAMPP/xamppfiles/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
<Directory "/path/to/my-local-host/files">
ServerSignature Off
Options Indexes FollowSymLinks Includes execCGI
AllowOverride All
Require all granted
</Directory>
ErrorLog "logs/my_local_host_log"
</VirtualHost>
然后我重新启动Apache并尝试在Chrome浏览器中加载。以下是我收到的错误:
This server could not prove that it is my-local-host; its security certificate is from [missing_subjectAltName].
在线搜索后,这似乎是一个与Chrome从Chrome 58中删除CommonName支持相关的问题
我发现这篇贴切的标题文章:它展示了一个创建兼容证书的命令:
sudo openssl req -newkey rsa:2048 -x509 -nodes -keyout my-local-host.key -new -out my-local-host.crt -subj /CN=my-local-host -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf ; printf '[SAN]\nsubjectAltName=DNS:my-local-host') -sha256 -days 3650
是否有其他不那么麻烦的方法可以创建一个兼容的证书来解决Chrome上缺少
主题名的问题?我刚刚从这篇文章中找到了一个解决方法:。非常感谢作者
以下是我所做的工作:
首先,我们将删除以前创建的所有文件
其次,我们在工作目录/Applications/XAMPP/xamppfiles/apache2/ssl
中创建这两个文件:
第一个文件-my local host.csr.cnf
,包含以下内容:
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=NG
ST=Lagos
L=Ikeja
O=Local, LLC
OU=Tech
emailAddress=admin@yourdomain.com
CN = my-local-host
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = my-local-host
注意:确保所有字段都有一个值,即没有空白条目
第二个文件-my local host.v3.ext
,包含以下内容:
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
[dn]
C=NG
ST=Lagos
L=Ikeja
O=Local, LLC
OU=Tech
emailAddress=admin@yourdomain.com
CN = my-local-host
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
DNS.2 = my-local-host
第三,运行以下命令:
# 1. Create host key
sudo ssh-keygen -f my-local-host.key
# 2. Create SSL certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-host.key -out my-local-host.crt
# 3. Create nopass Host Key
sudo openssl rsa -in my-local-host.key -out my-local-host.nopass.key
sudo openssl genrsa -des3 -out rootCA.key 2048
sudo openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -new -sha256 -nodes -out my-local-host.csr -newkey rsa:2048 -keyout my-local-host.key -config <( cat my-local-host.csr.cnf )
sudo openssl x509 -req -in my-local-host.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-local-host.crt -days 500 -sha256 -extfile my-local-host.v3.ext
最后,重新启动Apache
我希望这有助于解决您的SSL问题。CN=my local host
可能是错误的。主机名总是在SAN中。如果它存在于CN中,那么它也必须存在于SAN中(在这种情况下,您必须列出它两次)。有关更多规则和原因,请参阅,您还需要将自签名证书放置在相应的trust store.OS X中,并且OpenSSL 0.9.8太旧。它缺少大多数EC装备,无法完成TLS1.2。另见,,,等。