Configuring SSL for Apache on Windows

WeChat mini programs must talk to their server over HTTPS, so having an HTTPS server on the local machine makes development and debugging much easier. Here is how to set one up locally:
 
I. First, download an Apache build that includes the SSL module. My Apache version, for example, is:
Apache/2.0.65 (Win32) mod_ssl/2.0.65 OpenSSL/0.9.8y 

II. After installing Apache, go to the installation directory. My install path, for example, is:
C:\Program Files\Apache Group\Apache2
This directory contains two subdirectories, conf and bin, which we will need shortly.

Next, use the openssl.exe that ships with Apache to generate the server certificate:
III. In the conf directory there is a file named openssl.cnf, which is needed when generating certificates. Copy it into the bin directory so that it sits next to openssl.exe; this keeps the commands simple.

IV. With openssl.cnf copied over, open it in Notepad and find the setting for the certificate storage path:
[ CA_default ]
dir = ./demoCA
I changed this to dir = ./ssl and then created an ssl directory under bin.
You can leave it unchanged, but then make sure a demoCA directory exists under bin.
A few other settings in openssl.cnf also need attention:
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
To satisfy these three settings, first create a newcerts directory inside ssl,
then create two files in ssl named index.txt and serial (note: no file extension at all).
Leave index.txt empty and put 01 in serial.

V. With the basic configuration in place, we can move on to generating the certificates. Open a command prompt in the bin directory.
1. Generate the CA private key with: openssl genrsa -des3 -out ssl/ca.key 1024
You will be prompted for a passphrase. It is needed in every one of the following steps, so write it down first:
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
...........................................++++++
..........++++++
e is 65537 (0x10001)
Enter pass phrase for ssl/ca.key:
Verifying - Enter pass phrase for ssl/ca.key:

2. Generate the CA certificate request with: openssl req -config openssl.cnf -new -key ssl/ca.key -out ssl/ca.csr
You will be asked for some basic information, including country, region, organization and domain name.
The domain name (Common Name (e.g. server FQDN or YOUR name)) is critical: it must be exactly the same as the Apache virtual host name. Reportedly, if you enter 127.0.0.1 then accessing localhost also works, but I have not verified this:
Enter pass phrase for ssl/ca.key:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YQP
Organizational Unit Name (eg, section) []:YQP
Common Name (e.g. server FQDN or YOUR name) []:demo.yqp.com
Email Address []:yqp@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:888888
An optional company name []:YQP

3. Generate the CA public certificate with: openssl x509 -days 3650 -req -signkey ssl/ca.key -in ssl/ca.csr -out ssl/ca.crt
Output:
Loading 'screen' into random state - done
Signature ok
subject=/C=CH/ST=GD/L=SZ/O=YQP/OU=YQP/CN=demo.yqp.com/emailAddress=yqp@qq.com
Getting Private key
Enter pass phrase for ssl/ca.key:

4. Generate the server private key with: openssl genrsa -out ssl/server.key 1024
Output:
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................++++++
.......++++++
e is 65537 (0x10001)

5. Generate the server certificate request with: openssl req -config openssl.cnf -new -key ssl/server.key -out ssl/server.csr
Output:
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:GD
Locality Name (eg, city) []:SZ
Organization Name (eg, company) [Internet Widgits Pty Ltd]:YQP
Organizational Unit Name (eg, section) []:YQP
Common Name (e.g. server FQDN or YOUR name) []:demo.yqp.com
Email Address []:yqp@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:888888
An optional company name []:YQP

6. Generate the server public certificate (the server CSR signed by the CA) with: openssl ca -config openssl.cnf -days 3650 -cert ssl/ca.crt -keyfile ssl/ca.key -in ssl/server.csr -out ssl/server.crt
Output:
Using configuration from openssl.cnf
Loading 'screen' into random state - done
Enter pass phrase for ssl/ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Nov 17 15:52:48 2016 GMT
Not After : Nov 15 15:52:48 2026 GMT
Subject:
countryName               = CH
stateOrProvinceName       = GD
organizationName          = YQP
organizationalUnitName    = YQP
commonName                = demo.yqp.com
emailAddress              = yqp@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B5:C2:CA:1C:05:19:92:6E:C3:A3:46:EA:A9:0B:9E:5F:C0:AC:20:FF
X509v3 Authority Key Identifier:
DirName:/C=CH/ST=GD/L=SZ/O=YQP/OU=YQP/CN=demo.yqp.com/emailAddress=yqp@qq.com
serial:BA:F9:87:82:4F:6C:27:22

Certificate is to be certified until Nov 15 15:52:48 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Once these steps have run, the ssl directory contains a number of new files, among them the certificate files the server needs: ca.crt, server.crt and server.key.
Switch to the conf directory and create two new subdirectories there, ssl.crt and ssl.key.
Copy ca.crt and server.crt from bin/ssl into ssl.crt,
and copy server.key into ssl.key.
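The six generation steps above, as an added example that is not part of the original post, run non-interactively in one script, with a subjectAltName and an explicit CA:TRUE flag that current browsers and the WeChat client expect, followed by the chain and host-name checks worth doing before the files are copied into conf. It assumes an openssl binary (1.1.1 or newer) on PATH; on Windows the same commands work with the openssl.exe in bin. The directory, host name and passphrase are constructed sample values.

```bash
# Added example, not code from the original post: the six OpenSSL steps above
# run non-interactively, then the checks worth doing before httpd.conf points
# at the files. Assumes `openssl` 1.1.1+ on PATH; directory, host name and
# passphrase are constructed sample values.
set -eu

# make_chain DIR HOST PASS: writes ca.key, ca.crt, server.key, server.crt to DIR
make_chain() {
  dir=$1; host=$2; pass=$3
  mkdir -p "$dir"
  # Minimal stand-in for the post's openssl.cnf: the CA cert is explicitly
  # CA:TRUE, the server cert is CA:FALSE and carries a subjectAltName, since
  # browsers match the host name against the SAN and ignore the CN.
  cat > "$dir/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
  # Steps 1-3: encrypted CA key (2048 bit, not 1024) and self-signed CA cert.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$dir/ext.cnf" -extensions ca_ext \
    -key "$dir/ca.key" -passin "pass:$pass" -days 3650 \
    -subj "/C=CH/ST=GD/L=SZ/O=YQP/CN=Local Dev CA" -out "$dir/ca.crt" 2>/dev/null
  # Steps 4-5: unencrypted server key (httpd on Windows cannot prompt for a
  # passphrase at start-up) and a CSR whose CN equals the VirtualHost ServerName.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -config "$dir/ext.cnf" -key "$dir/server.key" \
    -subj "/C=CH/ST=GD/L=SZ/O=YQP/CN=$host" -out "$dir/server.csr" 2>/dev/null
  # Step 6: sign the CSR with the CA, attaching the server extensions.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -passin "pass:$pass" -CAcreateserial -days 3650 \
    -extfile "$dir/ext.cnf" -extensions srv_ext -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR HOST: succeeds only if server.crt chains to ca.crt and is
# valid for HOST, which is what the browser or WeChat client will check.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q 'does match'
}
```

A non-zero exit from verify_chain means the client will reject the certificate; fix the chain before editing httpd.conf.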

Now configure Apache. Open httpd.conf and enable the SSL module:
LoadModule ssl_module modules/mod_ssl.so
The conf directory also contains an ssl.conf file, which is meant for configuring the HTTPS listen port and the certificate paths. In practice, however, whenever I used that ssl.conf the configuration never worked, and I could not find out where the problem was.
So I disabled ssl.conf and configured HTTPS directly in httpd.conf instead.
Add the following to httpd.conf (Apache does not allow a comment on the same line as a directive, so the notes are on their own lines):

Listen 443
<VirtualHost *:443>
DocumentRoot "F:/website/2016_11_youdezhe/demo.yqp.com"
# This line is critical: it must be the exact domain entered as the Common Name
# when the certificate was generated, followed by port 443.
ServerName demo.yqp.com:443
ServerAdmin yqp@qq.com
ErrorLog logs/error_log
TransferLog logs/access_log
SSLEngine on
# Cipher list from the original setup. RC4 was prohibited for TLS in 2015
# (RFC 7465) and current browsers will not negotiate it.
SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
# Certificate paths: fill in the paths where the files were actually copied.
SSLCertificateFile "C:/Program Files/Apache Group/Apache2/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "C:/Program Files/Apache Group/Apache2/conf/ssl.key/server.key"
SSLCertificateChainFile "C:/Program Files/Apache Group/Apache2/conf/ssl.crt/ca.crt"

<Directory "F:/website/2016_11_youdezhe/demo.yqp.com">
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
 
On Apache 2.4 (Apache24), you can instead copy httpd-ahssl.conf (under conf/extra/) to httpd-ahssl-my.conf, edit that file, remove all of the existing virtual host definitions and add your own:
<VirtualHost *:443>
ServerAdmin joey
SSLEngine on
ServerName choujiang.we555.com:443
SSLCertificateFile "C:/Apache24/conf/ssl.crt/server.crt"
SSLCertificateKeyFile "C:/Apache24/conf/ssl.key/server.key"
DocumentRoot "F:/website/2016_11_youdezhe/weapp/wechatmini.we555.com/web"
CustomLog "${SRVROOT}/logs/ssl_request.log" \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "F:/website/2016_11_youdezhe/weapp/wechatmini.we555.com/web">
Options Indexes Includes FollowSymLinks
AllowOverride AuthConfig Limit FileInfo
Require all granted
</Directory>
</VirtualHost>
Then edit the main configuration file httpd.conf and find this line: Include conf/extra/httpd-ahssl.conf
Change it to: Include conf/extra/httpd-ahssl-my.conf
Restart Apache and you are done.

Finally, restart Apache, add the domain to your hosts file, and everything is ready.