How to get https certificate working on local Laravel Homestead site
Notice: this page is a Chinese-English side-by-side translation of a popular StackOverFlow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
Original URL: http://stackoverflow.com/questions/48969083/
Asked by Ryan
I'm getting this problem:
The error that I'm seeing in Windows 10 Chrome Version 65.0.3325.181 (Official Build) (64-bit) is:
Your connection is not private
Attackers might be trying to steal your information from ((mysite)) (for example, passwords, messages, or credit cards). Learn more NET::ERR_CERT_AUTHORITY_INVALID
This page is not secure (broken HTTPS).
Certificate - missing
This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID).
Firefox Quantum 59.0.2 (64-bit) says:
Your connection is not secure
The owner of ((mysite)) has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Connection is Not Secure
Could not verify this certificate because the issuer is unknown.
I have already tried: https://stackoverflow.com/a/47755133/470749
vboxmanage --version
5.2.6r120293
vagrant -v
Vagrant 2.0.2
git branch
* (HEAD detached at v7.3.0)
vagrant box list
laravel/homestead (virtualbox, 5.2.0)
vagrant box update
==> vboxHomestead: Checking for updates to 'laravel/homestead'
vboxHomestead: Latest installed version: 5.2.0
vboxHomestead: Version constraints: >= 5.2.0
vboxHomestead: Provider: virtualbox
==> vboxHomestead: Box 'laravel/homestead' (v5.2.0) is running the latest version.
I wonder if this means that I'm not yet using release 7.1.0 (which has in its changelog "sign SSL certificates with a custom root certificate"), and I wonder if that's why I have this SSL HTTPS problem.
What are the next steps I should try now to get the certificate working?
Answer by x-yuri
Unfortunately, I don't have an easy way of checking it on Windows, so I'm going to use VirtualBox running on Linux here. Install vagrant, then:
$ vagrant box add laravel/homestead
$ git clone https://github.com/laravel/homestead.git
$ cd homestead
$ git checkout v7.3.0
$ bash init.sh
I've simplified Homestead.yaml a bit (you might prefer to stick with the defaults):
---
ip: "192.168.10.10"
provider: virtualbox
folders:
    - map: /home/yuri/_/la1
      to: /home/vagrant/code
sites:
    - map: homestead.test
      to: /home/vagrant/code/public
Then:
$ mkdir -p ~/_/la1/public
$ echo '<?php echo "it works";' > ~/_/la1/public/index.php
$ vagrant up
$ vagrant ssh -c 'ls /etc/nginx/sites-enabled'
homestead.test
$ vagrant ssh -c 'cat /etc/nginx/sites-enabled/homestead.test'
server {
    listen 80;
    listen 443 ssl http2;
    server_name .homestead.test;
    root "/home/vagrant/code/public";
    ...
    ssl_certificate /etc/nginx/ssl/homestead.test.crt;
    ssl_certificate_key /etc/nginx/ssl/homestead.test.key;
}
As we can see it has the certificates in /etc/nginx/ssl:
$ vagrant ssh -c 'ls -1 /etc/nginx/ssl'
ca.homestead.homestead.cnf
ca.homestead.homestead.crt
ca.homestead.homestead.key
ca.srl
homestead.test.cnf
homestead.test.crt
homestead.test.csr
homestead.test.key
I tried to trust server certificate systemwide, but it didn't work out. It appeared on Servers tab in Firefox' Certificate Manager, but that didn't make Firefox trust it. I could probably have added an exception, but trusting CA certificates looks like a better option. Trusting CA certificate makes browser trust any certificate they issue (new sites running under Homestead). So we're going to go with CA certificate here:
$ vagrant ssh -c 'cat /etc/nginx/ssl/ca.homestead.homestead.crt' > ca.homestead.homestead.crt
$ sudo trust anchor ca.homestead.homestead.crt
$ trust list | head -n 5
pkcs11:id=%4c%f9%25%11%e5%8d%ad%5c%2a%f3%63%b6%9e%53%c4%70%fa%90%4d%77;type=cert
type: certificate
label: Homestead homestead Root CA
trust: anchor
category: authority
Then, I've added 192.168.10.10 homestead.test to /etc/hosts, restarted Chromium, and it worked:
P.S. I'm running Chromium 65.0.3325.162, and Firefox 59.0.
Windows
Apparently, Windows doesn't have trust utility. Under Windows one has two stores: Local Machine and Current User Certificate stores. No point in using Local Machine Certificate Store, since we're making it work just for our current user. Then, there are substores. With two predefined of them being of most interest: Trusted Root Certification Authorities and Intermediate Certification Authorities Stores. Commonly referred in command line as root and CA.
You can access Chrome's Certificate Manager by following chrome://settings/?search=Manage%20certificates, then clicking Manage certificates. Of most interest are Trusted Root Certification Authorities and Intermediate Certification Authorities tabs.
One way to manage certificates is via command line:
>rem list Current User > Trusted Root Certification Authorities store
>certutil.exe -store -user root
>rem list Local Machine > Intermediate Certification Authorities store
>certutil.exe -store -enterprise CA
>rem GUI version of -store command
>certutil.exe -viewstore -user CA
>rem add certificate to Current User > Trusted Root Certification Authorities store
>certutil.exe -addstore -user root path\to\file.crt
>rem delete certificate from Current User > Trusted Root Certification Authorities store by serial number
>certutil.exe -delstore -user root 03259fa1
>rem GUI version of -delstore command
>certutil.exe -viewdelstore -user CA
The results are as follows (for both Local Machine and Current User Certificate stores):
- root
    - homestead.test.crt: error
    - ca.homestead.homestead.crt: appears in Trusted Root Certification Authorities tab
- CA
    - homestead.test.crt: doesn't work, appears in Other People tab
    - ca.homestead.homestead.crt: doesn't work, appears in Intermediate Certification Authorities tab
Other options would be double-clicking on a certificate in Explorer, importing certificates from Chrome's Certificate Manager, using Certificates MMC Snap-in (run certmgr.msc), or using CertMgr.exe.
For those who have grep installed, here's how to quickly check where is the certificate:
>certutil.exe -store -user root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -user CA | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise root | grep "homestead\|^root\|^CA" ^
& certutil.exe -store -enterprise CA | grep "homestead\|^root\|^CA"
So, installing CA certificate into Current User > Trusted Root Certification Authorities store seems like the best option. And make sure not to forget to restart your browser.
more in-depth explanation of how it works
In Vagrantfile it requires scripts/homestead.rb, then runs Homestead.configure. That's the method, that configures vagrant to make all the needed preparations.
There we can see:
if settings.include? 'sites'
    settings["sites"].each do |site|
        # Create SSL certificate
        config.vm.provision "shell" do |s|
            s.name = "Creating Certificate: " + site["map"]
            s.path = scriptDir + "/create-certificate.sh"
            s.args = [site["map"]]
        end
        ...
        config.vm.provision "shell" do |s|
            ...
            s.path = scriptDir + "/serve-#{type}.sh"
            ...
        end
        ...
    end
end
So, these two files create certificate and nginx config respectively.
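The trust relationship described in the answer above, as an added example that is not from the original post or from Homestead's own scripts: a throwaway CA signs two site certificates, and each is accepted only when that CA is in the trust store and the host name matches. The CA subject, the host names and the function names are constructed for illustration, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Constructed demo (not Homestead's create-certificate.sh): a throwaway root
# CA signs per-site certificates; a client accepts a site only if that root
# is in its trust store AND the requested host name is in the certificate.
# Run the walk-through with: bash thisfile.sh demo

make_ca() {            # $1 = directory that will hold ca.key / ca.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA (constructed)" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_site() {         # $1 = CA directory, $2 = host name
    local d=$1 host=$2
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$d/$host.key" -out "$d/$host.csr" 2>/dev/null
    # Browsers match the host name against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/$host.ext"
    openssl x509 -req -in "$d/$host.csr" -days 1 \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/$host.ext" -out "$d/$host.crt" 2>/dev/null
}

# $1 = trust store (PEM), $2 = site certificate, $3 = host name being visited
check_trust() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>/dev/null |
        grep -q ': OK$'; then
        echo trusted
    else
        echo untrusted
    fi
}

demo() {
    local d; d=$(mktemp -d); mkdir "$d/other"
    make_ca "$d"; make_ca "$d/other"    # "other" = a root that signed nothing
    issue_site "$d" homestead.test
    issue_site "$d" second.test
    echo "our root, first site:  $(check_trust "$d/ca.crt" "$d/homestead.test.crt" homestead.test)"
    echo "our root, second site: $(check_trust "$d/ca.crt" "$d/second.test.crt" second.test)"
    echo "other root only:       $(check_trust "$d/other/ca.crt" "$d/homestead.test.crt" homestead.test)"
    echo "wrong host name:       $(check_trust "$d/ca.crt" "$d/homestead.test.crt" wrong.test)"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```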
Answer by Umair Anwar
Your issue is that the issuer is unknown. As you mentioned in the errors; "This site is missing a valid, trusted certificate" or "This site is missing a valid, trusted certificate (net::ERR_CERT_AUTHORITY_INVALID)"
Let's first understand why this error occurs. The browsers have a list of trusted certificate authorities. You can see this list from the setting/preferences section of different browsers. If your certificate is not issued by one of these authorities, then you will get the above error.
FIXING IT ON LOCALHOST
I can think of two possible solutions;
- Add the certificate manually to the browser and it will start opening with https.
OR
- Sign the certificate with an already trusted authority. Install the certificates on local server. Configure host in /etc/hosts file with the same name of your domain against which you have signed the certificate.
I hope it will fix the issue.
Answer by Radmation
Apparently you have to add your cert to the Trusted CA store. I let it auto decide and that did not work. Also I added it to my personal store which also did not work.
So the steps (if you are on Windows) are to hit your Windows key, type in "Internet Options", and open, well, your internet options. Then click the "content" tab. From here click on "certificates" which is the middle button.
Then click Import and Next. Browse to where you saved the cert.
Then click "Place all certificates in the following store" and click browse and select the "Trusted Root Certificate Authorities".
And you should get a popup asking you to confirm and warning you and all that jazz.
And then make sure you restart your browser. On chrome you can type this into the URL bar: chrome://restart. Boom I hoped this helped you!