$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ~/nginx-selfsigned.key -out ~/nginx-selfsigned.crt
Generating a 2048 bit RSA private key
.................................................................................................................................+++
........+++
writing new private key to '/home/tigergraph/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Redwood City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:TigerGraph Inc.
Organizational Unit Name (eg, section) []:GLE
Common Name (e.g. server FQDN or YOUR name) []: my.ip.addr.num
Email Address []:engineer@tigergraph.com
$ gadmin --configure ssl
Enter new values or accept defaults in brackets with Enter.
Enable SSL with all HTTP responses (SSL Cert required): default False
Nginx.SSL.Enable [False]: True
True
Path to SSL cert bundle (domain cert, intermediate cert and root cert)
Nginx.SSL.Cert []: /home/tigergraph/nginx-selfsigned.crt
/home/tigergraph/nginx-selfsigned.crt
Path to SSL key
Nginx.SSL.Key []: /home/tigergraph/nginx-selfsigned.key
/home/tigergraph/nginx-selfsigned.key
...
Test servers with supplied settings? [Y/n] Y
...
Success. All settings are valid
Save settings? [y/N] y
After saving the settings, the configuration must be applied.
$ gadmin config-apply
[FAB ][2017-12-12 18:48:16] check_config
[FAB ][2017-12-12 18:48:16] update_config_all
Local config modification Found, will restart dict server and update configures.
[FAB ][2017-12-12 18:48:21] launch_zookeepers
[FAB ][2017-12-12 18:48:31] gsql_mon_alert_on
[FAB ][2017-12-12 18:48:31] launch_zookeepers
[FAB ][2017-12-12 18:48:42] launch_gsql_subsystems:DICT
[FAB ][2017-12-12 18:48:42] gsql_mon_alert_on
Local config modification sync to dictionary successfully!
Then restart all external-facing services: gsql, nginx and vis.
$ gadmin restart gsql nginx vis -y
Testing the SSL connection
Users can now test the connection.
A curl request sent directly to the server without specifying the certificate ends with a certificate verification failure:
$ curl https://localhost:14240
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
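The same procedure, certificate generation from the top of the page through the verification step at the end, as one added shell example. It is not TigerGraph's code and not part of the original page. It assumes the documentation address 192.0.2.10 as a constructed placeholder for the page's "my.ip.addr.num", reuses the subject fields the interactive session answered with, and needs OpenSSL 1.1.1 or newer for -addext. Beyond the page, it also places the address in a subjectAltName and checks that the key and certificate handed to gadmin actually belong together.

```shell
#!/bin/sh
# Added example (not from the TigerGraph docs): non-interactive self-signed
# certificate generation plus local sanity checks with the openssl CLI only.
# 192.0.2.10 is a constructed placeholder for the page's "my.ip.addr.num".

# make_selfsigned_cert KEYFILE CERTFILE IP_OR_HOST
# Writes an unencrypted 2048-bit RSA key and a 365-day self-signed cert, the
# same shape as the interactive "openssl req -x509 -nodes" run on the page.
# The address is also put into a subjectAltName: browsers match the host
# against the SAN and ignore a CN-only certificate.
make_selfsigned_cert() {
    key="$1"; cert="$2"; addr="$3"
    case "$addr" in
        *[!0-9.]*) san="DNS:$addr" ;;   # not dotted-decimal: treat as a DNS name
        *)         san="IP:$addr"  ;;
    esac
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$key" -out "$cert" \
        -subj "/C=US/ST=California/L=Redwood City/O=TigerGraph Inc./OU=GLE/CN=$addr" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# verify_self_signed CERTFILE
# A self-signed cert validates only when it is itself the trust anchor; this
# is the check curl performs when handed the same file via --cacert.
verify_self_signed() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_has_san CERTFILE ADDRESS
# Succeeds when the address is present as an IP or DNS subjectAltName entry.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q -e "IP Address:$2" -e "DNS:$2"
}

# key_matches_cert KEYFILE CERTFILE
# Compares the public key inside the key file with the one in the cert, so
# Nginx.SSL.Key and Nginx.SSL.Cert are not pointed at files from different runs.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Stand-alone demo in a temporary directory; nothing is written under $HOME.
demo() {
    d=$(mktemp -d)
    make_selfsigned_cert "$d/nginx-selfsigned.key" "$d/nginx-selfsigned.crt" 192.0.2.10
    verify_self_signed "$d/nginx-selfsigned.crt" && echo "cert verifies against itself"
    cert_has_san "$d/nginx-selfsigned.crt" 192.0.2.10 && echo "SAN contains 192.0.2.10"
    key_matches_cert "$d/nginx-selfsigned.key" "$d/nginx-selfsigned.crt" && echo "key matches cert"
    rm -rf "$d"
}

demo
```

After generating the files, point Nginx.SSL.Cert and Nginx.SSL.Key at them in "gadmin --configure ssl" exactly as the session on the page does. For the test at the end, pass the certificate as the trust anchor, "curl --cacert ~/nginx-selfsigned.crt https://my.ip.addr.num:14240", instead of "-k": the former still verifies the server's identity against the self-signed cert, while "-k" turns verification off entirely.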