思路有两个:
- 方式一:通过nginx反向代理,将https配置在nginx,内部的MinIO还是使用HTTP;
- 方式二:MinIO服务端直接配置成HTTPS;
注意:
私钥需要命名为:private.key
公钥需要命名为:public.crt (如果公钥是以pem格式结尾,可直接改为crt格式)
一、制作证书(方式二)
(一)、之前对外暴露接口地址为https://ymzn.com
(二)、home目录下新建new_cert目录用于存放证书以及相关文件
[root@localhost home]# mkdir new_cert
(三)、使用openssl分别生成服务端和客户端的公钥及私钥
1、生成服务端私钥
(base) [root@localhost ~]# mkdir new_cert
(base) [root@localhost ~]# cd new_cert/
(base) [root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.......................+++++
............+++++
e is 65537 (0x010001)
2、生成服务端公钥
(base) [root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
(base) [root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........................+++++
..........+++++
e is 65537 (0x010001)
3、生成客户端私钥
(base) [root@localhost new_cert]# openssl rsa -in client.key -pubout -out client.pem
writing RSA key
4、生成客户端公钥
(base) [root@localhost new_cert]# ll
total 16
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
(四)、生成CA证书
1、生成CA私钥
(base) [root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
.........................+++++
e is 65537 (0x010001)
(base) [root@localhost new_cert]#
2、生成CA证书签名请求文件CSR
(base) [root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_ca
Organizational Unit Name (eg, section) []:ymzn_sms_ca
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
(base) [root@localhost new_cert]#
3、使用私钥KEY文件和CSR文件签名生成CRT证书
(base) [root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_ca, OU = hlhk_sms_ca, CN = ymzn.com
Getting Private key
(base) [root@localhost new_cert]#
(五)、生成服务器端和客户端CRT证书
1、生成服务端签名请求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_serve
Organizational Unit Name (eg, section) []:ymzn_sms_serve
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
(base) [root@localhost new_cert]#
2、生成客户端签名请求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ymzn_client
Organizational Unit Name (eg, section) []:ymzn_sms_client
Common Name (e.g. server FQDN or YOUR name) []:ymzn.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
(base) [root@localhost new_cert]#
这里服务端和客户端的Organization Name (eg, company)以及Organizational Unit Name都必须要和CA的不一样才可以
3、向刚才生成的自己的CA机构申请签名CRT证书(服务端和客户端)
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = ymzn.com
Getting CA Private Key
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_client, OU = hlhk_sms_client, CN = ymzn.com
Getting CA Private Key
(base) [root@localhost new_cert]#
(base) [root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 891 Apr 6 14:46 ca.crt
-rw-r--r-- 1 root root 737 Apr 6 14:46 ca.csr
-rw------- 1 root root 891 Apr 6 14:44 ca.key
-rw-r--r-- 1 root root 41 Apr 6 14:50 ca.srl
-rw-r--r-- 1 root root 904 Apr 6 14:50 client.crt
-rw-r--r-- 1 root root 749 Apr 6 14:49 client.csr
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw-r--r-- 1 root root 899 Apr 6 14:49 server.crt
-rw-r--r-- 1 root root 712 Apr 6 14:47 server.csr
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
(六)、最后生成需要的key和crt文件
(base) [root@localhost new_cert]# openssl rsa -in server.key -out private.key
writing RSA key
(base) [root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey private.key -out public.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = ymzn.com
Getting Private key
(base) [root@localhost new_cert]#
报错:
1. x509: certificate relies on legacy Common Name field, use SANs instead
- 检查并删除旧的证书和私钥
在重新生成证书之前,确保删除旧的证书和私钥文件,以避免混淆。
# 删除旧的证书和私钥
rm -f server.key server.csr server.crt
- 创建新的证书配置文件
确保新的配置文件中包含正确的Common Name和Subject Alternative Name。
创建一个名为openssl.cnf的新文件,内容如下:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no[req_distinguished_name]
C = cn
ST = beijing
L = chaoyang
O = ymzn_client
OU = ymzn_sms_client
CN = ymzn.com # 确保填写的是域名[v3_req]
subjectAltName = @alt_names[alt_names]
DNS.1 = ymzn.com # 声明支持的域名
- 重新生成私钥、证书请求(CSR)和证书
# 生成新的私钥和证书请求
openssl req -new -nodes -newkey rsa:2048 \-keyout server.key -out server.csr \-config openssl.cnf# 生成新的自签名证书
openssl x509 -req -days 3650 -in server.csr \-signkey server.key -out server.crt \-extensions v3_req -extfile openssl.cnf
- 验证证书内容
确认新生成的证书中包含正确的域名。
openssl x509 -in public.crt -text -noout | grep -E "Subject:|DNS:"
输出应包含:
Subject: C=cn, ST=beijing, L=chaoyang, O=ymzn_client, OU=ymzn_sms_client, CN=ymzn.com DNS:ymzn.com
二、docker-compose中minio配置
minio:image: minio/minio:RELEASE.2022-05-26T05-48-41Zcontainer_name: miniorestart: unless-stoppedports:# api 端口- "9000:9000"# 控制台端口- "9001:9001"environment:# 时区上海TZ: Asia/Shanghai# 管理后台用户名MINIO_ACCESS_KEY: admin#MINIO_ROOT_USER: admin# 管理后台密码,最小8个字符MINIO_SECRET_KEY: MiNio@tp&eWz#MINIO_ROOT_PASSWORD: MiNio@tp&eWz# https需要指定域名MINIO_SERVER_URL: "https://ymzn.com:9000"MINIO_BROWSER_REDIRECT_URL: "https://ymzn.com:9001"# 添加以下两行#MINIO_SSL_CERT_FILE: /root/.minio/certs/public.crt#MINIO_SSL_KEY_FILE: /root/.minio/certs/private.key# 开启压缩 on 开启 off 关闭MINIO_COMPRESS: "off"# 扩展名 .pdf,.doc 为空 所有类型均压缩MINIO_COMPRESS_EXTENSIONS: ""# mime 类型 application/pdf 为空 所有类型均压缩MINIO_COMPRESS_MIME_TYPES: ""volumes:# 映射当前目录下的data目录至容器内/data目录- /home/emp_cloud/minio/data:/data# 映射配置目录- /home/emp_cloud/minio/config:/root/.minio/command: server --address 'ymzn.com:9000' --console-address 'ymzn.com:9001' /data # 指定容器中的目录 /dataprivileged: truenetwork_mode: "host"
三、linux上配置
1.将文件private.key和public.crt文件拷贝到/home/emp_cloud/minio/config/certs中
2.制作minio镜像并启动容器
docker-compose up -d --build --force-recreate minio
三、浏览器https://ymzn.com:9001登录
)
)
)
)
-- 第六部分:JS集合与映射在 WPS 的应用)