Fatal编程技术网
  • macos/
  • Macos 在Mac OS X上为Xampp Apache设置SSL以解决Chrome上缺少的_subjectAltName

Macos 在Mac OS X上为Xampp Apache设置SSL以解决Chrome上缺少的_subjectAltName

macos apache google-chrome ssl

Macos 在Mac OS X上为Xampp Apache设置SSL以解决Chrome上缺少的_subjectAltName,macos,apache,google-chrome,ssl,ssl-certificate,Macos,Apache,Google Chrome,Ssl,Ssl Certificate,我正试图在MacOSXYosemite上为Apache(通过XAMPP安装)设置SSL 假设我已经设置了一个名为“我的本地主机”的本地主机名。我按照说明运行以下命令设置证书: # 1. Create host key sudo ssh-keygen -f my-local-host.key # 2. Create SSL certificate sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-h

我正试图在MacOSXYosemite上为Apache(通过XAMPP安装)设置SSL

假设我已经设置了一个名为“我的本地主机”的本地主机名。我按照说明运行以下命令设置证书:

# 1. Create host key
sudo ssh-keygen -f my-local-host.key

# 2. Create SSL certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-host.key -out my-local-host.crt

# 3. Create nopass Host Key
sudo openssl rsa -in my-local-host.key -out my-local-host.nopass.key

sudo openssl genrsa -des3 -out rootCA.key 2048
sudo openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -new -sha256 -nodes -out my-local-host.csr -newkey rsa:2048 -keyout my-local-host.key -config <( cat my-local-host.csr.cnf )
sudo openssl x509 -req -in my-local-host.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-local-host.crt -days 500 -sha256 -extfile my-local-host.v3.ext
注意:所有这些都是在
/Applications/XAMPP/xamppfiles/apache2/ssl
目录中完成的

在此之后,我将虚拟主机列表添加到
httpd vhosts.conf

<VirtualHost *:443>
    ServerName my-local-host
    DocumentRoot "/path/to/my-local-host/files"

    SSLEngine on
    SSLCertificateFile "/Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.crt"
    SSLCertificateKeyFile "/Applications/XAMPP/xamppfiles/apache2/ssl/my-local-host.key"

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/Applications/XAMPP/xamppfiles/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    <Directory "/path/to/my-local-host/files">
        ServerSignature Off
        Options Indexes FollowSymLinks Includes execCGI
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog "logs/my_local_host_log"
</VirtualHost>
然后我重新启动Apache并尝试在Chrome浏览器中加载。以下是我收到的错误:

This server could not prove that it is my-local-host; its security certificate is from [missing_subjectAltName].
在线搜索后,这似乎是一个与Chrome从Chrome 58中删除CommonName支持相关的问题

我发现这篇贴切的标题文章:它展示了一个创建兼容证书的命令:

sudo openssl req -newkey rsa:2048 -x509 -nodes -keyout my-local-host.key -new -out my-local-host.crt -subj /CN=my-local-host -reqexts SAN -extensions SAN -config <(cat /System/Library/OpenSSL/openssl.cnf ; printf '[SAN]\nsubjectAltName=DNS:my-local-host') -sha256 -days 3650
是否有其他不那么麻烦的方法可以创建一个兼容的证书来解决Chrome上缺少
主题名的问题?
我刚刚从这篇文章中找到了一个解决方法:。非常感谢作者

以下是我所做的工作:

首先,我们将删除以前创建的所有文件

其次,我们在工作目录
/Applications/XAMPP/xamppfiles/apache2/ssl
中创建这两个文件:

第一个文件-
my local host.csr.cnf
,包含以下内容:


[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=NG
ST=Lagos
L=Ikeja
O=Local, LLC
OU=Tech
emailAddress=admin@yourdomain.com
CN = my-local-host



authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = my-local-host


注意:确保所有字段都有一个值,即没有空白条目

第二个文件-
my local host.v3.ext
,包含以下内容:


[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=NG
ST=Lagos
L=Ikeja
O=Local, LLC
OU=Tech
emailAddress=admin@yourdomain.com
CN = my-local-host



authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = my-local-host


第三,运行以下命令:


# 1. Create host key
sudo ssh-keygen -f my-local-host.key

# 2. Create SSL certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my-local-host.key -out my-local-host.crt

# 3. Create nopass Host Key
sudo openssl rsa -in my-local-host.key -out my-local-host.nopass.key



sudo openssl genrsa -des3 -out rootCA.key 2048
sudo openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
openssl req -new -sha256 -nodes -out my-local-host.csr -newkey rsa:2048 -keyout my-local-host.key -config <( cat my-local-host.csr.cnf )
sudo openssl x509 -req -in my-local-host.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out my-local-host.crt -days 500 -sha256 -extfile my-local-host.v3.ext


最后,重新启动Apache


我希望这有助于解决您的SSL问题。
CN=my local host
可能是错误的。主机名总是在SAN中。如果它存在于CN中,那么它也必须存在于SAN中(在这种情况下,您必须列出它两次)。有关更多规则和原因,请参阅,您还需要将自签名证书放置在相应的trust store.OS X中,并且OpenSSL 0.9.8太旧。它缺少大多数EC装备,无法完成TLS1.2。另见,,,等。