Keywords: nginx, docker, cannot load certificate, ssl
1. Download the latest docker image of nginx
$ docker pull nginx:latest
2. Start nginx container
Run the following command to start the nginx container (the duplicate `-d` has been dropped, since `--detach` already covers it, and the trailing slash after nginx.conf has been removed because that target is a file, not a directory):
docker run --detach \
  --name wx-nginx \
  -p 443:443 \
  -p 80:80 \
  -v /home/nginx/data:/usr/share/nginx/html:rw \
  -v /home/nginx/config/nginx.conf:/etc/nginx/nginx.conf:rw \
  -v /home/nginx/config/conf.d/default.conf:/etc/nginx/conf.d/default.conf:rw \
  -v /home/nginx/logs:/var/log/nginx/:rw \
  -v /home/nginx/ssl:/ssl/:rw \
  nginx
- Port 443 is mapped for https requests
- Port 80 is mapped for http requests
- The directory holding nginx's default home page html is mapped to a directory on the host disk, /home/evan/workspace/wxserver/nginx/data
- The nginx configuration file is mapped to a file on the host disk, /home/evan/workspace/wxserver/nginx/config/nginx.conf
Here we need to prepare the following files:
- The configuration files for nginx
The first is the nginx.conf file. The default configuration file is as follows:
# User that runs the nginx worker processes
user nginx;
# Number of worker processes; usually set equal to the number of CPUs
worker_processes 1;
# Location of the global error log and the PID file
error_log /var/run/../log/nginx/error.log warn;
pid /var/run/nginx.pid;

# Working mode and upper limit on connections
events {
    # Maximum number of concurrent connections per worker process
    worker_connections 1024;
}

http {
    # MIME types
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    # Keep-alive connection timeout
    keepalive_timeout 65;

    # Enable gzip compression
    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
You can see that the last line includes another configuration file, conf.d/default.conf, which holds the server block:
server {
    listen 80;        # Listen on port 80. If all access is to be forced to HTTPS, comment this line out
    server_name www.buagengen.com;   # domain name

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    # Document root and index file names of the home page
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Error pages
    #error_page 404 /404.html;

    # Redirect server error pages to /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
- The html file for nginx's default home page
Any html file you write yourself will do here.
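As an added example (not part of the original post), the following POSIX sh script checks the host side of every bind mount before the container is started. Docker creates a missing host path as an empty directory, so a mistyped path for nginx.conf would be mounted over /etc/nginx/nginx.conf as a directory and nginx would refuse to start; the script also prints the docker run command with one mount per line. The /home/nginx layout, the NGINX_HOME variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies the host paths behind
# the bind mounts used in this walkthrough and prints the docker run command.
# Assumption: the host layout lives under NGINX_HOME (default /home/nginx).

NGINX_HOME="${NGINX_HOME:-/home/nginx}"

# One mount per line: host path, container path, expected kind (dir or file).
mount_table() {
    cat <<EOF
$NGINX_HOME/data /usr/share/nginx/html dir
$NGINX_HOME/config/nginx.conf /etc/nginx/nginx.conf file
$NGINX_HOME/config/conf.d/default.conf /etc/nginx/conf.d/default.conf file
$NGINX_HOME/logs /var/log/nginx dir
$NGINX_HOME/ssl /ssl dir
EOF
}

# Return 0 only if every host path exists and has the expected kind.
# A directory where a file is expected is the classic symptom of Docker
# having auto-created the path on an earlier run with a typo.
check_mounts() {
    mount_table | while read -r host container kind; do
        case "$kind" in
            dir)  [ -d "$host" ] || { echo "missing directory: $host (for $container)" >&2; exit 1; } ;;
            file) [ -f "$host" ] || { echo "missing file: $host (for $container)" >&2; exit 1; } ;;
        esac
    done
}

# Print the docker run command, one -v flag per mount, without the
# trailing slash on file targets. Run it only after check_mounts succeeds.
print_run_command() {
    printf 'docker run --detach --name wx-nginx -p 443:443 -p 80:80'
    mount_table | while read -r host container kind; do
        printf ' \\\n  -v %s:%s:rw' "$host" "$container"
    done
    printf ' \\\n  nginx:latest\n'
}

# Usage: NGINX_HOME=/home/nginx sh prepare-nginx.sh check
if [ "$1" = "check" ]; then
    check_mounts && print_run_command
fi
```

Run it with the `check` argument after creating the files from step 2; it refuses to print the command while any host path is missing or of the wrong kind.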
At this point you can reach the html file served by nginx directly through the IP address. Access is plain http only, though; https does not work yet, because the nginx server still needs a certificate.
3. Generate certificate through openssl
- Generate server.key; openssl asks you to enter the passphrase twice:
openssl genrsa -des3 -out server.key 1024
- Create the certificate signing request; you must enter the passphrase set above first:
openssl req -new -key server.key -out server.csr
Then fill in the following fields. It is only for testing anyway:
Country Name (2 letter code) [AU]: country name
State or Province Name (full name) [Some-State]: province
Locality Name (eg, city) []: city
Organization Name (eg, company) [Internet Widgits Pty Ltd]: company name
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []: website domain name
Email Address []: mailbox

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: a password is required here
An optional company name []:
- Strip the passphrase from the RSA private key (the passphrase set previously is required once more here):
openssl rsa -in server.key -out server_nopwd.key
- Generate the self-signed certificate (valid for 365 days) from the request and the key:
openssl x509 -req -days 365 -in server.csr -signkey server_nopwd.key -out server.crt
After completing this step we have the certificate file and the private key we need:
- server.crt
- server.key
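An added example, not from the original post: the four openssl steps above collapsed into one non-interactive command that generates a 2048-bit key without a passphrase and a self-signed certificate with a subjectAltName, followed by a check that key and certificate belong together. Two practical points it encodes: RSA keys of 1024 bits, as used above, are refused by OpenSSL at security level 2 (the default on current Debian and Ubuntu), so 2048 is the floor for anything beyond a throwaway test; and nginx cannot prompt for a PEM passphrase inside a detached container, so the key referenced by ssl_certificate_key must be the passphrase-free one (server_nopwd.key in the steps above, or a key generated with -nodes as here). The output directory argument, the request config and the function names make_self_signed, key_matches_cert and cert_sans are assumptions; www.buagengen.com is the server_name from the post.

```shell
#!/bin/sh
# Added example, not from the original post.
# make_self_signed OUTDIR [HOSTNAME]: key + self-signed cert in one step.
# Assumptions: OUTDIR is writable, openssl >= 1.1.1 is installed.

make_self_signed() {
    outdir=$1
    host=${2:-www.buagengen.com}
    mkdir -p "$outdir"
    # Minimal request config: browsers validate the SAN, not the CN alone.
    cat > "$outdir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: no passphrase, so nginx can load the key without prompting.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$outdir/req.cnf" -extensions v3_req \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null || return 1
    # The private key must not be world-readable on the host.
    chmod 600 "$outdir/server.key"
}

# key_matches_cert KEY CERT: return 0 when the RSA modulus of both agrees,
# which is the quickest way to catch a key/certificate mix-up before nginx
# reports "key values mismatch".
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_sans CERT: print the subjectAltName line of the certificate.
cert_sans() {
    openssl x509 -noout -text -in "$1" 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Usage: sh make-cert.sh /home/nginx/ssl www.buagengen.com
if [ $# -gt 0 ]; then
    make_self_signed "$1" "$2" \
        && key_matches_cert "$1/server.key" "$1/server.crt" \
        && cert_sans "$1/server.crt"
fi
```

Because the key is written without a passphrase, the ssl_certificate_key line in the next step can point at server.key directly, and the files land in the host directory that the docker run command mounts at /ssl.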
4. Configure nginx server to support https access
Copy the files generated in the previous step to the ssl directory on the host, /home/evan/workspace/wxserver/nginx/ssl.
Then modify the configuration file default.conf to add SSL support:
server {
    listen 80;        # Listen on port 80. If all access is to be forced to HTTPS, comment this line out
    listen 443 ssl;
    server_name www.buagengen.com;   # domain name

    # SSL settings
    #ssl on;          # Uncomment to force HTTPS on old nginx versions; "listen 443 ssl" replaces it on current ones
    ssl_certificate /ssl/server.crt;
    ssl_certificate_key /ssl/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Protocols and cipher suites, in the format understood by openssl
    ssl_protocols SSLv2 SSLv3 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;        # cipher suite list
    ssl_prefer_server_ciphers on;        # the server's cipher order takes precedence over the client's

    # Document root and index file names of the home page
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }

    # Redirect server error pages to /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
Restart the nginx container; you can now reach the nginx server over https.
Here is a key point. The certificate path in the configuration must be the path inside the container, that is, under /ssl, the mount target from the docker run command. Using the host directory instead, or any other path that is not mounted into the container, produces an error that the certificate cannot be found:
[emerg] 1#1: cannot load certificate "/home/nginx/ssl/1_hxt.yszku.com_bundle.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/home/nginx/ssl/1_hxt.yszku.com_bundle.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
If you get the "cannot load certificate" error above, move the certificate into the directory mounted at /ssl and reference it by its /ssl path, whether it is a self-generated certificate or one issued by Alibaba Cloud or Tencent Cloud.
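An added example (not from the original post) that lints default.conf for the two problems on this page before the container is restarted: an ssl_protocols line that still enables SSLv2, SSLv3 or TLSv1/TLSv1.1, where the hardened setting is `ssl_protocols TLSv1.2 TLSv1.3;`, and certificate paths written as host paths instead of the /ssl path the container sees, which is exactly what produces the "cannot load certificate ... No such file or directory" error above. HOST_SSL_DIR (the host directory mounted at /ssl) and the function names are assumptions; the /ssl mount target is the one from the docker run command.

```shell
#!/bin/sh
# Added example, not from the original post. Lints an nginx server config
# for the weak ssl_protocols setting and for certificate paths that the
# container cannot see. Assumption: the host directory HOST_SSL_DIR is
# bind-mounted at /ssl inside the container.

HOST_SSL_DIR="${HOST_SSL_DIR:-/home/nginx/ssl}"

# nginx_directive FILE NAME: print the value of the first uncommented
# occurrence of directive NAME, without the trailing semicolon.
nginx_directive() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 \
        | sed -E "s/^[[:space:]]*$2[[:space:]]+//" | sed 's/;.*$//'
}

# check_ssl_protocols FILE: return 1 if a deprecated protocol is enabled or
# the directive is missing (then nginx's build-time default applies, which
# on older releases still includes TLSv1 and TLSv1.1).
check_ssl_protocols() {
    protos=$(nginx_directive "$1" ssl_protocols)
    if [ -z "$protos" ]; then
        echo "no ssl_protocols directive; add: ssl_protocols TLSv1.2 TLSv1.3;" >&2
        return 1
    fi
    for p in $protos; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "weak protocol enabled: $p (use: ssl_protocols TLSv1.2 TLSv1.3;)" >&2
                return 1 ;;
        esac
    done
    return 0
}

# check_cert_path FILE DIRECTIVE: translate the container path given to
# ssl_certificate / ssl_certificate_key into the host path via the /ssl
# mount and verify the file exists there. Paths outside /ssl are rejected,
# because the container has no view of them at all.
check_cert_path() {
    path=$(nginx_directive "$1" "$2")
    case "$path" in
        /ssl/*) host_path="$HOST_SSL_DIR/${path#/ssl/}" ;;
        *) echo "$2 '$path' is not under /ssl; nginx in the container cannot see it" >&2
           return 1 ;;
    esac
    if [ ! -f "$host_path" ]; then
        echo "$2 '$path' maps to '$host_path', which does not exist on the host" >&2
        return 1
    fi
    return 0
}

# Usage: HOST_SSL_DIR=/home/nginx/ssl sh lint-default-conf.sh /home/nginx/config/conf.d/default.conf
if [ $# -gt 0 ]; then
    check_ssl_protocols "$1" \
        && check_cert_path "$1" ssl_certificate \
        && check_cert_path "$1" ssl_certificate_key \
        && echo "OK: $1"
fi
```

Run it against the host copy of default.conf before `docker restart wx-nginx`; a non-zero exit with the printed reason is cheaper than reading the [emerg] line out of the container log afterwards.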