[root@server1 ~]# ls
anaconda-ks.cfg  minio  mkcert-v1.4.4-linux-amd64
[root@server1 ~]# mv mkcert-v1.4.4-linux-amd64 mkcert
[root@server1 ~]# ls
anaconda-ks.cfg  minio  mkcert
[root@server1 ~]# chmod +x mkcert 
[root@server1 ~]# mv mkcert /usr/local/bin/ 
[root@server1 ~]# mkcert -version
v1.4.4
[root@server1 ~]# cd /etc/nginx/
[root@server1 nginx]# mkdir ssl
[root@server1 nginx]# ls
conf.d  fastcgi_params  mime.types  modules  nginx.conf  scgi_params  ssl  uwsgi_params
[root@server1 nginx]# mkcert -cert-file /etc/nginx/ssl/server.crt -key-file /etc/nginx/ssl/server.key 172.31.10.251 rmfit.cn localhost 127.0.0.1 ::1
Note: the local CA is not installed in the system trust store.
Note: the local CA is not installed in the Firefox and/or Chrome/Chromium trust store.
Run "mkcert -install" for certificates to be trusted automatically ⚠️ 

Created a new certificate valid for the following names 📜

- "172.31.10.251"
- "rmfit.cn"
- "localhost"
- "127.0.0.1"
- "::1"

The certificate is at "/etc/nginx/ssl/server.crt" and the key at "/etc/nginx/ssl/server.key" ✅

It will expire on 9 December 2024 🗓

[root@server1 nginx]#cd ssl
[root@server1 ssl]# ls
server.crt  server.key

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;
server {

        listen 443 ssl;
        server_name 172.31.10.251;

        #ssl on;


        root /usr/share/nginx/html;

        index index.html index.htm;
                
                ssl_certificate  /etc/nginx/ssl/server.crt;
                ssl_certificate_key /etc/nginx/ssl/server.key;

        ssl_session_timeout 5m;

        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_prefer_server_ciphers on;
}


    include /etc/nginx/conf.d/*.conf;
}

执行以下命令将 mkcert 的认证机构安装到服务器上：

[root@server1 ~]#  mkcert -install 
The local CA is now installed in the system trust store! ⚡️ 
The local CA is now installed in the Firefox and/or Chrome/Chromium trust store (requires browser restart)! 🦊

CA 证书的位置可以通过以下命令查看：

[root@server1 ~]# mkcert -CAROOT
/root/.local/share/mkcert
[root@server1 ~]# cd /root/.local/share/mkcert
[root@server1 mkcert]# ls
rootCA-key.pem  rootCA.pem
[root@server1 mkcert]#

该目录中有两个文件：rootCA-key.pem 和 rootCA.pem。将 rootCA.pem 复制到 PC 上，并将其后缀改为 .crt。


双击 rootCA.crt，根据提示安装证书

重启浏览器再次访问，可以看到连接已经变为安全