测试SSL证书不需要验证域名权限
执行 pip install cryptography
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, PrivateFormat, NoEncryption
import datetime#pip install cryptography# Generate RSA key pair
key = rsa.generate_private_key(public_exponent=65537,key_size=2048,
)domain="你的域名"# Create a self-signed certificate
subject = issuer = x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, u"US"),x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, u"California"),x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"Company"),x509.NameAttribute(NameOID.COMMON_NAME, u""+domain+""),
])
cert = x509.CertificateBuilder().subject_name(subject
).issuer_name(issuer
).public_key(key.public_key()
).serial_number(x509.random_serial_number()
).not_valid_before(datetime.datetime.utcnow()
).not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365)
).add_extension(x509.SubjectAlternativeName([x509.DNSName(u""+domain+"")]),critical=False,
).sign(key, hashes.SHA256())# Write the private key and certificate to files
with open("key.pem", "wb") as f:f.write(key.private_bytes(encoding=Encoding.PEM,format=PrivateFormat.TraditionalOpenSSL,encryption_algorithm=NoEncryption()))with open("cert.pem", "wb") as f:f.write(cert.public_bytes(Encoding.PEM))
生成可信任的SSL证书 需要在域名服务器执行
ubutu sudo apt-get install certbot
centos yum isntall certbot
import subprocess#sudo apt-get install certbot
#默认生成证书路径 /etc/letsencrypt/live/yourdomain.com/def generate_ssl_cert(domain, email, webroot_path, cert_path):try:command = ["sudo", "certbot", "certonly","--webroot","--webroot-path", webroot_path,"--cert-path", cert_path,"--non-interactive","--agree-tos","--email", email,"-d", domain]subprocess.run(command, check=True)print(f"SSL 证书已为 {domain} 生成,保存在 {cert_path} 中")except subprocess.CalledProcessError as e:print(f"生成 SSL 证书时出错: {e}")# 示例使用
generate_ssl_cert("yourdomain.com", "yourdomain.com@163.com", "域名指向的路径", "证书生成路径/cert.pem")
NGINX配置
server {listen 80;listen 443 ssl http2;server_name example.com www.example.com;#强制跳转到httpsif ($server_port !~ 443){rewrite ^(/.*)$ https://$host$1 permanent;}#证书配置ssl_certificate /www/server/cert/example.com/fullchain.pem;ssl_certificate_key /www/server/cert/example.com/privkey.pem;ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;ssl_prefer_server_ciphers on;ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;add_header Strict-Transport-Security "max-age=31536000";error_page 497 https://$host$request_uri;#一键申请SSL证书验证目录相关设置location ~ \.well-known{allow all;}#禁止在证书验证目录放入敏感文件if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {return 403;}access_log /www/wwwlogs/example.log;error_log /www/wwwlogs/example.error.log;
}
OpenFeign)
)
)
)
