思路有兩個:
- 方式一:通過nginx反向代理,將https配置在nginx,內部的MinIO還是使用HTTP;
- 方式二:MinIO服務端直接配置成HTTPS;
注意:
私鑰需要命名為:private.key
公鑰需要命名為:public.crt (如果公鑰是以pem格式結尾,可直接改為crt格式)
一、制作證書(方式二)
(一)、之前對外暴露接口地址為https://ymzn.com
(二)、home目錄下新建new_cert目錄用于存放證書以及相關文件
[root@localhost home]# mkdir new_cert
(三)、使用openssl分別生成服務端和客戶端的公鑰及私鑰
(說明:下面示例中的 1024 位 RSA 金鑰已屬過時,新版瀏覽器與客戶端多會直接拒絕;建議與後文修正步驟一致,統一使用 rsa:2048 或更長的金鑰。)
1、生成服務端私鑰
(base) [root@localhost ~]# mkdir new_cert
(base) [root@localhost ~]# cd new_cert/
(base) [root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.......................+++++
............+++++
e is 65537 (0x010001)
2、生成服務端公鑰
(base) [root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
(base) [root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........................+++++
..........+++++
e is 65537 (0x010001)
3、生成客戶端私鑰
(base) [root@localhost new_cert]# openssl rsa -in client.key -pubout -out client.pem
writing RSA key
4、生成客戶端公鑰
(base) [root@localhost new_cert]# ll
total 16
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
(四)、生成CA證書
1、生成CA私鑰
(base) [root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
.........................+++++
e is 65537 (0x010001)
(base) [root@localhost new_cert]#
2、生成CA證書簽名請求文件CSR
(base) [root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_ca
Organizational Unit Name (eg, section) []:ymzn_sms_ca
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
(base) [root@localhost new_cert]#
3、使用私鑰KEY文件和CSR文件簽名生成CRT證書
(base) [root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_ca, OU = hlhk_sms_ca, CN = ymzn.com
Getting Private key
(base) [root@localhost new_cert]#
(五)、生成服務器端和客戶端CRT證書
1、生成服務端簽名請求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_serve
Organizational Unit Name (eg, section) []:ymzn_sms_serve
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(base) [root@localhost new_cert]#
2、生成客戶端簽名請求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_client
Organizational Unit Name (eg, section) []:ymzn_sms_client
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
(base) [root@localhost new_cert]#
這里服務端和客戶端的Organization Name (eg, company)以及Organizational Unit Name都必須要和CA的不一樣才可以
3、向剛才生成的自己的CA機構申請簽名CRT證書(服務端和客戶端)
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = ymzn.com
Getting CA Private Key
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_client, OU = hlhk_sms_client, CN = ymzn.com
Getting CA Private Key
(base) [root@localhost new_cert]#
(base) [root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 891 Apr 6 14:46 ca.crt
-rw-r--r-- 1 root root 737 Apr 6 14:46 ca.csr
-rw------- 1 root root 891 Apr 6 14:44 ca.key
-rw-r--r-- 1 root root 41 Apr 6 14:50 ca.srl
-rw-r--r-- 1 root root 904 Apr 6 14:50 client.crt
-rw-r--r-- 1 root root 749 Apr 6 14:49 client.csr
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw-r--r-- 1 root root 899 Apr 6 14:49 server.crt
-rw-r--r-- 1 root root 712 Apr 6 14:47 server.csr
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
(六)、最后生成需要的key和crt文件
(base) [root@localhost new_cert]# openssl rsa -in server.key -out private.key
writing RSA key
(base) [root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey private.key -out public.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = ymzn.com
Getting Private key
(base) [root@localhost new_cert]#
報錯:
1. x509: certificate relies on legacy Common Name field, use SANs instead
原因:上面(六)中的 `openssl x509 -req ... -signkey private.key -out public.crt` 沒有帶 -extfile/-extensions,生成的 public.crt 只有 CN 而沒有 subjectAltName;新版客戶端(這條報錯是 Go 1.15 之後 x509 校驗的提示)不再接受只靠 CN 的證書,必須在證書中加入 SAN。
- 檢查并刪除舊的證書和私鑰
在重新生成證書之前,確保刪除舊的證書和私鑰文件,以避免混淆。
# 刪除舊的證書和私鑰
rm -f server.key server.csr server.crt
- 創建新的證書配置文件
確保新的配置文件中包含正確的Common Name和Subject Alternative Name。
創建一個名為openssl.cnf的新文件,內容如下:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = cn
ST = beijing
L = chaoyang
O = ymzn_client
OU = ymzn_sms_client
CN = ymzn.com # 確保填寫的是域名

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = ymzn.com # 聲明支持的域名
- 重新生成私鑰、證書請求(CSR)和證書
# 生成新的私鑰和證書請求
openssl req -new -nodes -newkey rsa:2048 \
  -keyout server.key -out server.csr \
  -config openssl.cnf
# 生成新的自簽名證書
openssl x509 -req -days 3650 -in server.csr \
  -signkey server.key -out server.crt \
  -extensions v3_req -extfile openssl.cnf
- 驗證證書內容
確認新生成的證書中包含正確的域名。注意:上一步重新生成的文件是 server.crt,而下面檢查的是 public.crt;(六)中舊的 public.crt 並沒有 SAN,因此要確認檢查的是新生成、且實際要以 public.crt 名稱部署的那個證書,否則檢查結果不代表 MinIO 實際加載的證書。
openssl x509 -in public.crt -text -noout | grep -E "Subject:|DNS:"
輸出應包含:
Subject: C=cn, ST=beijing, L=chaoyang, O=ymzn_client, OU=ymzn_sms_client, CN=ymzn.com DNS:ymzn.com
二、docker-compose中minio配置
(下面的 MINIO_SECRET_KEY 只是明文示例,實際部署時請替換並不要隨 compose 文件提交到版本庫;privileged: true 與 network_mode: "host" 會明顯擴大容器的權限和網絡暴露面,若不是必需,應去掉。)
minio:
  image: minio/minio:RELEASE.2022-05-26T05-48-41Z
  container_name: minio
  restart: unless-stopped
  ports:
    # api 端口
    - "9000:9000"
    # 控制臺端口
    - "9001:9001"
  environment:
    # 時區上海
    TZ: Asia/Shanghai
    # 管理后臺用戶名
    MINIO_ACCESS_KEY: admin
    #MINIO_ROOT_USER: admin
    # 管理后臺密碼,最小8個字符
    MINIO_SECRET_KEY: MiNio@tp&eWz
    #MINIO_ROOT_PASSWORD: MiNio@tp&eWz
    # https需要指定域名
    MINIO_SERVER_URL: "https://ymzn.com:9000"
    MINIO_BROWSER_REDIRECT_URL: "https://ymzn.com:9001"
    # 添加以下兩行
    #MINIO_SSL_CERT_FILE: /root/.minio/certs/public.crt
    #MINIO_SSL_KEY_FILE: /root/.minio/certs/private.key
    # 開啟壓縮 on 開啟 off 關閉
    MINIO_COMPRESS: "off"
    # 擴展名 .pdf,.doc 為空 所有類型均壓縮
    MINIO_COMPRESS_EXTENSIONS: ""
    # mime 類型 application/pdf 為空 所有類型均壓縮
    MINIO_COMPRESS_MIME_TYPES: ""
  volumes:
    # 映射當前目錄下的data目錄至容器內/data目錄
    - /home/emp_cloud/minio/data:/data
    # 映射配置目錄
    - /home/emp_cloud/minio/config:/root/.minio/
  command: server --address 'ymzn.com:9000' --console-address 'ymzn.com:9001' /data # 指定容器中的目錄 /data
  privileged: true
  network_mode: "host"
三、linux上配置
1.將文件private.key和public.crt文件拷貝到/home/emp_cloud/minio/config/certs中(private.key 應保持只有運行 MinIO 的用戶可讀,即前面 ll 輸出中所示的 -rw------- / 600 權限,不要放寬)
2.制作minio鏡像并啟動容器
docker-compose up -d --build --force-recreate minio
四、瀏覽器https://ymzn.com:9001登錄