Overview
This article describes how a user configures and replaces their own SSL certificate in a JumpServer V4 environment, so that JumpServer can be accessed normally over HTTPS on port 443.
I. Certificate Configuration
To enable HTTPS in JumpServer, upload your own certificate to the server hosting the bastion. The upload location is /opt/jumpserver/config/nginx/cert (this directory is the default mapped directory and cannot be changed; using it assumes JumpServer is installed under /opt/jumpserver).
The certificate can be configured and replaced as follows.
1. Upload the files and place the certificate in the /opt/jumpserver/config/nginx/cert directory. So that the configuration picks them up correctly, make sure the names of the certificate file and the private key file match the directives in the configuration. By convention the certificate file is named server.crt and the private key file server.key.
root@ubuntu-14-119:/opt/jumpserver/config/nginx/cert# pwd
/opt/jumpserver/config/nginx/cert
root@ubuntu-14-119:/opt/jumpserver/config/nginx/cert# ls
server.crt server.key
2. Stop the JumpServer service before modifying the configuration file.
root@ubuntu-14-119:/opt/jumpserver-ee-v4.10.6-x86_64# ./jmsctl.sh stop
[+] Running 13/13
✔ Container jms_celery Removed 14.0s
✔ Container jms_video Removed 11.1s
✔ Container jms_koko Removed 3.0s
✔ Container jms_magnus Removed 12.2s
✔ Container jms_razor Removed 11.8s
✔ Container jms_web Removed 12.1s
✔ Container jms_lion Removed 4.6s
✔ Container jms_core Removed 13.2s
✔ Container jms_facelive Removed 11.7s
✔ Container jms_chen Removed 3.0s
✔ Container jms_nec Removed 11.7s
✔ Container jms_panda Removed 11.6s
✔ Network jms_net Removed 0.3s
3. Edit the JumpServer configuration file (by default /opt/jumpserver/config/config.txt). The default configuration looks like this:
################################# HTTPS configuration #################################
# See https://docs.jumpserver.org/zh/v3/installation/proxy/ for configuration details
#
#HTTPS_PORT=443
#SERVER_NAME=your_domain_name
#SSL_CERTIFICATE=your_cert
#SSL_CERTIFICATE_KEY=your_cert_key
4. Modify the configuration so that JumpServer enables HTTPS. Edit the HTTPS section of the JumpServer configuration file according to the certificate file names actually in use. The result looks like this:
################################# HTTPS configuration #################################
# See https://docs.jumpserver.org/zh/v3/installation/proxy/ for configuration details
#
HTTPS_PORT=443
# replace with the domain name or IP address actually in use
SERVER_NAME=your_domain_name
SSL_CERTIFICATE=/opt/jumpserver/config/nginx/cert/server.crt
SSL_CERTIFICATE_KEY=/opt/jumpserver/config/nginx/cert/server.key
5. Start JumpServer again.
root@ubuntu-14-119:/opt/jumpserver-ee-v4.10.6-x86_64# ./jmsctl.sh start
[+] Running 13/13
✔ Network jms_net Created 0.3s
✔ Container jms_facelive Started 3.3s
✔ Container jms_core Started 3.5s
✔ Container jms_video Started 3.3s
✔ Container jms_web Started 3.4s
✔ Container jms_nec Started 3.5s
✔ Container jms_chen Started 3.2s
✔ Container jms_razor Started 3.6s
✔ Container jms_panda Started 3.5s
✔ Container jms_koko Started 3.1s
✔ Container jms_lion Started 3.6s
✔ Container jms_magnus Started 3.4s
✔ Container jms_celery Started
6. After restarting JumpServer, check the startup result.
root@ubuntu-14-119:/opt/jumpserver-ee-v4.10.6-x86_64# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a80a802e5a69 registry.fit2cloud.com/jumpserver/nec:v4.10.6-ee "./entrypoint.sh" 10 days ago Up 10 days (healthy) 0.0.0.0:15900->15900/tcp, :::15900->15900/tcp jms_nec
f0e91b676b64 registry.fit2cloud.com/jumpserver/core:v4.10.6-ee "./entrypoint.sh sta…" 10 days ago Up 10 days (healthy) 8080/tcp jms_celery
b153193d8beb registry.fit2cloud.com/jumpserver/panda:v4.10.6-ee "./entrypoint.sh" 10 days ago Up 10 days (healthy) 9001/tcp jms_panda
8222b7abeb1e registry.fit2cloud.com/jumpserver/video-worker:v4.10.6-ee "./entrypoint.sh" 10 days ago Up 10 days (healthy) 9000/tcp jms_video
0bd2e392e2f5 registry.fit2cloud.com/jumpserver/lion:v4.10.6-ee "./entrypoint.sh sup…" 10 days ago Up 10 days (healthy) 8081/tcp jms_lion
0d807abeebf2 registry.fit2cloud.com/jumpserver/magnus:v4.10.6-ee "./entrypoint.sh" 10 days ago Up 10 days (healthy) 0.0.0.0:14330->14330/tcp, :::14330->14330/tcp, 0.0.0.0:15210->15210/tcp, :::15210->15210/tcp, 0.0.0.0:27018->27018/tcp, :::27018->27018/tcp, 0.0.0.0:33061-33062->33061-33062/tcp, :::33061-33062->33061-33062/tcp, 0.0.0.0:54320->54320/tcp, :::54320->54320/tcp, 8088/tcp, 0.0.0.0:63790->63790/tcp, :::63790->63790/tcp jms_magnus
31851efce7d6 registry.fit2cloud.com/jumpserver/web:v4.10.6-ee "/docker-entrypoint.…" 10 days ago Up 10 days (healthy) 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp jms_web
5e30e66840a7 registry.fit2cloud.com/jumpserver/core:v4.10.6-ee "./entrypoint.sh sta…" 10 days ago Up 10 days (healthy) 8080/tcp jms_core
62b9af696285 registry.fit2cloud.com/jumpserver/chen:v4.10.6-ee "./entrypoint.sh wisp" 10 days ago Up 10 days (healthy) 8082/tcp jms_chen
18367b1db2a5 registry.fit2cloud.com/jumpserver/koko:v4.10.6-ee "./entrypoint.sh ./k…" 10 days ago Up 10 days (healthy) 0.0.0.0:2222->2222/tcp, :::2222->2222/tcp jms_koko
5f34c1c73373 registry.fit2cloud.com/jumpserver/razor:v4.10.6-ee "./entrypoint.sh" 10 days ago Up 10 days (healthy) 0.0.0.0:3389->3389/tcp, :::3389->3389/tcp jms_razor
18312d9c3e1f registry.fit2cloud.com/jumpserver/facelive:v4.10.6-ee "./entrypoint.sh" 10 days ago Up 10 days (healthy) 9999/tcp jms_facelive
fe7e44786f00 docker.elastic.co/elasticsearch/elasticsearch:7.17.6 "/bin/tini -- /usr/l…" 11 days ago Up 11 days 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 0.0.0.0:9300->9300/tcp, :::9300->9300/tcp jms1_es
7. Log in to JumpServer and check that HTTPS is enabled and the certificate is in effect (the login page shows no security warning).

II. Certificate Replacement
When a certificate has expired and needs renewal, and the replacement uses the same file names (that is, the JumpServer configuration file does not need to change), the certificate can be replaced without stopping the JumpServer service.
1. Enter the /opt/jumpserver/config/nginx/cert directory and back up the old certificate
mv server.crt server.crt.backup
mv server.key server.key.backup
2. Upload the new certificate and place it in the /opt/jumpserver/config/nginx/cert directory
Note: the certificate file names must match those in the JumpServer configuration file
mv xxx.crt server.crt
mv xxx.key server.key
3. After uploading the certificate, enter the web container and reload nginx gracefully so that the change takes effect
Enter the web container
docker exec -it jms_web bash
Graceful reload
nginx -s reload
Exit the container
exit
When done, refresh the page and confirm that the certificate has been updated.
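As an added example (not part of this article, JumpServer or jmsctl.sh), a small POSIX shell helper that checks a certificate pair before it is referenced in config.txt (section I, step 3) or dropped in place of the old files (section II, step 2), and that confirms afterwards that port 443 really serves the file. The function names, the 7-day expiry margin and the reliance on the openssl CLI are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the nginx certificate pair that config.txt points to
# (SSL_CERTIFICATE / SSL_CERTIFICATE_KEY). Hypothetical helper, not part of
# JumpServer or jmsctl.sh; needs only the openssl CLI.
set -u
# check_cert_pair CERT KEY NAME -> 0 if CERT and KEY belong together, CERT is
# valid for 7 more days and covers NAME (DNS name or IPv4 literal, i.e. the
# SERVER_NAME value); otherwise prints the reason and returns 1.
check_cert_pair() {
    cert="$1"; key="$2"; name="$3"
    [ -r "$cert" ] || { echo "cannot read certificate: $cert"; return 1; }
    [ -r "$key" ]  || { echo "cannot read private key: $key"; return 1; }
    # Both must be loadable PEM, or nginx inside jms_web will not start.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "$cert is not a PEM certificate"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null \
        || { echo "$key is not a PEM private key"; return 1; }
    # Compare the certificate's public key with the public half of the key
    # (works for RSA and EC, unlike comparing RSA moduli).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey \
               | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "certificate and private key do not match"; return 1; }
    # Reject a certificate that is expired or expires within 7 days (604800 s).
    openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null \
        || { echo "certificate is expired or expires within 7 days"; return 1; }
    # NAME must be covered by SAN/CN, or browsers show the warning that step 7
    # of the configuration section tells you to look for. IPv4 uses -checkip.
    case "$name" in
        *[!0-9.]*) opt=-checkhost ;;
        *)         opt=-checkip ;;
    esac
    openssl x509 -in "$cert" -noout "$opt" "$name" | grep -q 'does match' \
        || { echo "certificate does not cover $name"; return 1; }
    echo "ok: $cert and $key match and are valid for $name"
}

# served_matches_file HOST CERT -> 0 if the certificate that port 443 serves
# (after jmsctl.sh start or nginx -s reload) has the same SHA-256 fingerprint
# as the file, i.e. the new certificate really is live.
served_matches_file() {
    served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null \
             2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Usage: sh check_cert.sh server.crt server.key your_domain_name
if [ $# -eq 3 ]; then check_cert_pair "$1" "$2" "$3"; fi
```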