Trace 坑
从网上搜索教程, 然后配置环境时常遇如下问题:
- chrome 不识别
- traefik 不使用生成的证书
- android 手机无法导入
又摸索了一个下午,得到一个结论 —— 参数配置不正确
Chrome 58+
Chrome 58 起不再回退使用 commonName 校验域名, 证书必须包含与访问域名匹配的 subjectAltName
参考链接: serverfault.com/questions/8…
traefik 证书
生成证书时如果在 subject 中填写 emailAddress, traefik 将无法使用该证书
android 安装证书
keyword:
private key required to install certificate
需要私钥才能安装证书
原因: 生成证书时 extensions 中的 basicConstraints 未配置为 CA (cA: true)。直接采用搜索到的命令时, 可能会漏掉这些默认的配置参数
最终方案:
var fs = require("fs");
var selfsigned = require("selfsigned");
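// Generates a self-signed development certificate for SITE_PATTERN and writes
// the public key, private key, certificate and fingerprint to the current
// working directory.

// Wildcard host covered by the certificate. A wildcard matches exactly one
// label (e.g. app.local.dev); it does not match the bare "local.dev".
const SITE_PATTERN = "*.local.dev";

// Subject attributes of the certificate.
const attrs = [
  { name: "commonName", value: SITE_PATTERN },
  { name: "countryName", value: "cn" },
  { name: "localityName", value: "sz" },
  { name: "stateOrProvinceName", value: "gd" },
  { name: "organizationName", value: "x.y.f.g.z" },
  { name: "organizationalUnitName", value: "ooooo" }
  // Adding emailAddress made traefik unable to use the certificate
  // (observed by the original author), so it is deliberately left out:
  // { name: "emailAddress", value: "xxx@ccc.com" }
];

const opts = {
  days: 3650,
  keySize: 2048,
  algorithm: "sha256",
  // The first two entries are the library's default extensions (per the
  // original author); they are restated here so they stay present alongside
  // the added subjectAltName.
  extensions: [
    {
      name: "basicConstraints",
      // Android refuses to import the certificate unless it is marked as a CA.
      // SECURITY: this makes the file a trust anchor. Any device that installs
      // dev.crt will accept certificates signed with dev.key for ANY hostname,
      // so install it on development devices only and never share or commit
      // dev.key.
      cA: true
    },
    {
      name: "keyUsage",
      keyCertSign: true,
      digitalSignature: true,
      nonRepudiation: true,
      keyEncipherment: true,
      dataEncipherment: true
    },
    {
      // Chrome 58+ validates the hostname against subjectAltName only.
      name: "subjectAltName",
      altNames: [
        {
          type: 2, // GeneralName type 2 = dNSName
          value: SITE_PATTERN
        }
      ]
    }
  ]
};

const pems = selfsigned.generate(attrs, opts);

// `public` and `private` are reserved words in strict mode / ES modules, so
// the properties are bound to differently named locals.
const { public: publicKey, private: privateKey, cert, fingerprint } = pems;

fs.writeFileSync("dev.pub", publicKey);
// The private key must be readable by the owner only. `mode` applies only when
// the file is created, so chmod as well in case dev.key already existed with
// looser permissions (on Windows chmod has limited effect).
fs.writeFileSync("dev.key", privateKey, { mode: 0o600 });
fs.chmodSync("dev.key", 0o600);
fs.writeFileSync("dev.crt", cert);
fs.writeFileSync("dev.fingerprint", fingerprint);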