Ubuntu 14.04.5 LTS x64
Following the instructions.
I run Nginx as the root user.
Following the comments, I created the certificate file:
# certmgr -export -store uMy -dest /etc/nginx/nginx.cer
Export complete
[ErrorCode: 0x00000000]
# openssl x509 -inform DER -outform PEM -in nginx.cer -out nginx.cer.pem
It printed nothing here.
Nginx config
# cat conf.d/ssl.conf
# HTTPS server
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/cert.cer;
    ssl_certificate_key engine:gost_capi:gost.worksimply.ru;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:MEDIUM:+GOST2001-GOST89;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
On startup, the log shows:
[emerg] 17092#0: SSL_CTX_use_PrivateKey_file("/etc/nginx/engine:gost_capi:gost.worksimply.ru") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/engine:gost_capi:gost.worksimply.ru','r') error:20074002:BIO routines:FILE_CTRL:system lib error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib)
# openssl engine
(rsax) RSAX engine support
(dynamic) Dynamic engine loading support
(gost_capi) CryptoPro ENGINE GOST CAPI ($Revision: 147820 $)
# certmgr -list -store uMy
Certmgr 1.0 (c) "CryptoPro", 2007-2010.
program for managing certificates, CRLs and stores
=============================================================================
1-------
Issuer : E=support@cryptopro.ru, C=RU, L=Moscow, O=CRYPTO-PRO LLC, CN=CRYPTO-PRO Test Center 2
Subject : CN=gost.worksimply.ru
Serial : 0x12001A75F8D156B927B863FEFA0000001A75F8
SHA1 Hash : 0xb34a956762ba2d07d4e09112a6917f640c64b89f
SubjKeyID : 5d23895eb6470d1952dc83e014602ad7c85fcd87
Signature Algorithm : ГОСТ Р 34.11/34.10-2001
PublicKey Algorithm : ГОСТ Р 34.10-2001 (512 bits)
Not valid before : 13/03/2017 07:00:58 UTC
Not valid after : 13/06/2017 07:10:58 UTC
PrivateKey Link : Yes
Container : HDIMAGE\\testrcon.000\253E
Provider Name : Crypto-Pro GOST R 34.10-2001 KC2 CSP
Provider Info : ProvType: 75, KeySpec: 1, Flags: 0x0
CA cert URL : http://testca.cryptopro....%20Test%20Center%202.crt
OCSP URL : http://testca.cryptopro.ru/ocsp/ocsp.srf
CDP : http://testca.cryptopro....%20Test%20Center%202.crl
Extended Key Usage : 1.3.6.1.5.5.7.3.1
=============================================================================
[ErrorCode: 0x00000000]
When installing with alien -kci cprocsp-cpopenssl-gost-64-4.0.0-4.x86_64.rpm, the package installs, but with an error:
Warning, /var/opt/cprocsp/cp-openssl/openssl.cnf doesn't exist
Just in case, I put a file there identical to the edited /etc/ssl/openssl.cnf.