How to get https certificate working on local Laravel Homestead site
I ran into this problem:
The error I see in Windows 10 Chrome Version 65.0.3325.181 (Official Build) (64-bit) is:
Your connection is not private
Attackers might be trying to steal your information from ((mysite)) (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID
This page is not secure (broken HTTPS).
Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).
Firefox Quantum 59.0.2 (64-bit) says:
Your connection is not secure
The owner of ((mysite)) has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Connection is Not Secure
Could not verify this certificate because the issuer is unknown.
I have already tried:
vboxmanage --version
5.2.6r120293
vagrant -v
Vagrant 2.0.2
git branch
* (HEAD detached at v7.3.0)
vagrant box list
laravel/homestead (virtualbox, 5.2.0)
vagrant box update
==> vboxHomestead: Checking for updates to 'laravel/homestead'
vboxHomestead: Latest installed version: 5.2.0
vboxHomestead: Version constraints: >= 5.2.0
vboxHomestead: Provider: virtualbox
==> vboxHomestead: Box 'laravel/homestead' (v5.2.0) is running the latest version.
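I wonder if this means I'm not yet using release 7.1.0 (which has "sign SSL certificates with a custom root certificate" in its changelog), and I wonder if that is why I have this SSL HTTPS problem.
What next steps should I try now to get the certificate working?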
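Your problem is that the issuer is unknown. As you mentioned in your errors:
"This site is missing a valid, trusted certificate"
or
"This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)"
First, understand why this error occurs. Browsers have a list of trusted certificate authorities. You can see this list in the settings/preferences section of the different browsers. If your certificate is not issued by one of these authorities, you will get the above error.
Fixing it on localhost
I can think of two possible solutions:
- Manually add the certificate to the browser, and it will start opening over https.
or
- Get the certificate signed by an already trusted authority. Install the certificate on the local server. Configure the host in the /etc/hosts file with the same name as the domain you signed the certificate for.
I hope it solves the problem.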
Unfortunately, I don't have an easy way to check it on Windows, so I'm going to use VirtualBox running on Linux. Install vagrant, then:
$ vagrant box add laravel/homestead
$ git clone https://github.com/laravel/homestead.git
$ cd homestead
$ git checkout v7.3.0
$ bash init.sh
I've simplified Homestead.yaml a bit (you might prefer to keep the defaults):
---
ip: "192.168.10.10"
provider: virtualbox
folders:
    - map: /home/yuri/_/la1
      to: /home/vagrant/code
sites:
    - map: homestead.test
      to: /home/vagrant/code/public
Then:
$ mkdir -p ~/_/la1/public
$ echo '<?php echo "it works";' > ~/_/la1/public/index.php
$ vagrant up
$ vagrant ssh -c 'ls /etc/nginx/sites-enabled'
homestead.test
$ vagrant ssh -c 'cat /etc/nginx/sites-enabled/homestead.test'
server {
    listen 80;
    listen 443 ssl http2;
    server_name .homestead.test;
    root "/home/vagrant/code/public";
    ...
    ssl_certificate /etc/nginx/ssl/homestead.test.crt;
    ssl_certificate_key /etc/nginx/ssl/homestead.test.key;
}
We can see that it has certificates in /etc/nginx/ssl:
$ vagrant ssh -c 'ls -1 /etc/nginx/ssl'
ca.homestead.homestead.cnf
ca.homestead.homestead.crt
ca.homestead.homestead.key
ca.srl
homestead.test.cnf
homestead.test.crt
homestead.test.csr
homestead.test.key
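I tried trusting the server certificate system-wide, but it didn't work out. It appeared on the Servers tab in Firefox's Certificate Manager, but that didn't make Firefox trust it. I could probably have added an exception, but trusting the CA certificate looks like a better option. Trusting a CA certificate makes the browser trust any certificate it issues (new sites running under Homestead). So we're going to use the CA certificate here: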
$ vagrant ssh -c 'cat /etc/nginx/ssl/ca.homestead.homestead.crt' > ca.homestead.homestead.crt
$ sudo trust anchor ca.homestead.homestead.crt
$ trust list | head -n 5
pkcs11:id=%4c%f9%25%11%e5%8d%ad%5c%2a%f3%63%b6%9e%53%c4%70%fa%90%4d%77;type=cert
type: certificate
label: Homestead homestead Root CA
trust: anchor
category: authority
Then I added 192.168.10.10 homestead.test to /etc/hosts, restarted Chromium, and it worked.
P.S. I'm running Chromium 65.0.3325.162 and Firefox 59.0.
Windows
Apparently, Windows doesn't have a trust utility. Under Windows there are two stores: the Local Machine and Current User certificate stores. No point in using the Local Machine certificate store, since we're making it work just for our current user. Then, there are substores. Two of the predefined ones are of most interest: the Trusted Root Certification Authorities and Intermediate Certification Authorities stores. They are commonly referred to on the command line as root and CA.
You can access Chrome's Certificate Manager by going to chrome://settings/?search=Manage%20certificates and then clicking Manage certificates. Of most interest are the Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.
One way to manage certificates is via the command line:
>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root
>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA
>rem GUI version of -store command
>certutil.exe -viewstore -user CA
>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt
>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1
>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA
The results are as follows (for both the Local Machine and Current User certificate stores):
- root
    - homestead.test.crt: error
    - ca.homestead.homestead.crt: appears in Trusted Root Certification Authorities tab
- CA
    - homestead.test.crt: doesn't work, appears in Other People tab
    - ca.homestead.homestead.crt: doesn't work, appears in Intermediate Certification Authorities tab
Other options are double-clicking the certificate in Explorer, importing certificates from Chrome's Certificate Manager, using the Certificates MMC Snap-in (run certmgr.msc), or using CertMgr.exe.
For those who have grep installed, here's a quick way to check where the certificate is:
>certutil.exe -store -user root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -user CA | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise CA | grep "homestead\|^root\|^CA"
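So, installing the CA certificate into the Current User > Trusted Root Certification Authorities store seems to be the best option. And make sure not to forget.
A more in-depth explanation of how it works
The Vagrantfile requires scripts/homestead.rb, then runs Homestead.configure. That's the method that configures vagrant to make all the needed preparations.
There we can see: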
if settings.include? 'sites'
  settings["sites"].each do |site|
    # Create SSL certificate
    config.vm.provision "shell" do |s|
      s.name = "Creating Certificate: " + site["map"]
      s.path = scriptDir + "/create-certificate.sh"
      s.args = [site["map"]]
    end
    ...
    config.vm.provision "shell" do |s|
      ...
      s.path = scriptDir + "/serve-#{type}.sh"
      ...
    end
    ...
  end
end
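So, these two files create the certificate and the nginx config, respectively.
Further reading
Apparently you have to add your certificate to the Trusted CA store. I let it decide automatically, but that didn't work. I also added it to my personal store, but that didn't work either.
So the steps (if you're using Windows) are: press the Windows key, type "Internet Options" and open your Internet Options. Then click the "Content" tab. From here click the middle button, "Certificates".
Then click "Import" and "Next". Browse to where you saved your certificate.
Then click "Place all certificates in the following store", click Browse and select "Trusted Root Certificate Authorities".
You should get a popup asking you to confirm and warning you and all that jazz.
Then make sure to restart your browser. On Chrome, you can type in the URL bar: chrome://restart. Boom, I hope this helps you!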
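The trust behaviour the answers above describe, reproduced offline with the openssl CLI (an added example, not part of any answer and not Homestead's create-certificate.sh). It assumes openssl is installed; the names "Demo Root CA" and "Unrelated CA" and all file names are constructed for the demo. It checks a CA-signed homestead.test certificate against three different trust anchors.

```shell
#!/usr/bin/env bash
# Constructed demo: throwaway keys and names, not Homestead's real CA or script.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Self-signed certificate helper: gen_self_signed <basename> <common name>
gen_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$work/$1.key" -out "$work/$1.crt" 2>/dev/null
}

# Build a root CA, an unrelated CA, and a homestead.test leaf signed by the first.
make_chain() {
  gen_self_signed ca "Demo Root CA"
  gen_self_signed other "Unrelated CA"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=homestead.test" \
    -keyout "$work/leaf.key" -out "$work/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:homestead.test\nbasicConstraints=CA:FALSE\n' \
    > "$work/leaf.ext"
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -extfile "$work/leaf.ext" \
    -out "$work/leaf.crt" 2>/dev/null
}

# verify_with <anchor file>: does OpenSSL accept the leaf with only this anchor?
verify_with() {
  if openssl verify -CAfile "$1" "$work/leaf.crt" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_chain
echo "anchor = unrelated CA (issuer unknown): $(verify_with "$work/other.crt")"
echo "anchor = leaf certificate itself:       $(verify_with "$work/leaf.crt")"
echo "anchor = issuing root CA:               $(verify_with "$work/ca.crt")"
```

Only the issuing root CA makes the chain verify. The results are OpenSSL's default chain building, which matches what the second answer observed in the browsers when importing homestead.test.crt versus ca.homestead.homestead.crt.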