Centos

配置客戶端身份驗證後無法啟動 Apache 伺服器

  • May 1, 2019

美分作業系統 7 | 阿帕奇 2.4.6


我已經建立了一個私有證書頒發機構 (CA) 和兩個證書(一個用於伺服器,一個用於客戶端)。

然後,我將 Apache 配置為使用證書 X.509 來響應 HTTPS 連接,一切正常(我在瀏覽器中看到了)。

然後,當我配置客戶端身份驗證時,重新啟動伺服器並收到以下錯誤:

httpd.service 的作業失敗,因為控制程序以錯誤程式碼退出。有關詳細資訊,請參閱“systemctl status httpd.service”和“journalctl -xe”。

現在它出現“語法正常”,但我仍然無法啟動伺服器,出現以下錯誤,使用命令:

. systemctl 狀態 httpd.service

[root@localhost ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
  Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
  Active: failed (Result: exit-code) since Wed 2019-05-01 18:35:40 WEST; 2min 3s ago
    Docs: man:httpd(8)
          man:apachectl(8)
 Process: 12292 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
 Process: 12288 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 12288 (code=exited, status=1/FAILURE)

May 01 18:35:37 src_ca systemd[1]: Starting The Apache HTTP Server...
May 01 18:35:40 src_ca systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 18:35:40 src_ca kill[12292]: kill: cannot find process ""
May 01 18:35:40 src_ca systemd[1]: httpd.service: control process exited, code=exited status=1
May 01 18:35:40 src_ca systemd[1]: Failed to start The Apache HTTP Server.
May 01 18:35:40 src_ca systemd[1]: Unit httpd.service entered failed state.
May 01 18:35:40 src_ca systemd[1]: httpd.service failed.

.“journalctl -xe”

May 01 18:39:16 src_ca polkitd[2607]: Registered Authentication Agent for unix-process:12474:9099194 (system bus name :1.157 [/usr/bin/pkttyagent --notify-fd 5 --fallba
May 01 18:39:16 src_ca systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
May 01 18:39:18 src_ca systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 18:39:18 src_ca kill[12483]: kill: cannot find process ""
May 01 18:39:18 src_ca systemd[1]: httpd.service: control process exited, code=exited status=1
May 01 18:39:18 src_ca systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
May 01 18:39:18 src_ca systemd[1]: Unit httpd.service entered failed state.
May 01 18:39:18 src_ca systemd[1]: httpd.service failed.
May 01 18:39:18 src_ca polkitd[2607]: Unregistered Authentication Agent for unix-process:12474:9099194 (system bus name :1.157, object path /org/freedesktop/PolicyKit1/

我將留下我用來配置客戶端身份驗證的過程。我會在問題的底部留下一些有用的文件。


配置客戶端身份驗證的過程

  1. 首先在文件“/etc/httpd/conf.d/ssl.conf”中找到選項“SSLCACertificateFile”:vi +/SSLCACertificateFile /etc/httpd/conf.d/ssl.conf
  2. 將路徑更新為:/etc/pki/CA/certs/ca.crt

這是 CA 證書的位置。

注意:客戶端的證書在文件夾 /etc/pki/CA/certs 中。我不確定這在配置客戶端身份驗證時是否會導致任何問題。(更新:編輯 1

  1. 刪除了指令“SSLVerifyClient require”上的“#”。
  2. 保存更改並退出文件,:wq然後重新啟動伺服器:systemctl restart httpd

用於調試的有用文件

. “etc/hosts”(添加 IP + 主機)

等/主機

. “/etc/hostname” (可以用hostnamectl set-hostname new-hostname)

/etc/主機名

. “等/httpd/conf/httpd.conf”

等/httpd/conf/httpd.conf

. “/etc/httpd/conf.d/ssl.conf”

/etc/httpd/conf.d/ssl.conf

. “/var/log/httpd/error_log”

[Wed May 01 18:18:13.050768 2019] [core:notice] [pid 11416] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed May 01 18:18:13.053282 2019] [suexec:notice] [pid 11416] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[We May 01 18:18:16.238779 2019] [ssl:emerg] [pid 11416] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information

. “ /var/log/httpd/ssl_error_log”

[Wed May 01 18:18:16.238749 2019] [ssl:emerg] [pid 11416] AH01895: Unable to configure verify locations for client authentication

我使用了基於另一個上下文建構的證書,重新啟動了 Apache,錯誤沒有顯示。

這意味著錯誤必須與證書有關。

鑑於此,我重新仔細查看了用於建構 CA 的過程(我將在此答案的底部添加該過程)並發現了錯誤。

我使用的是“臨時”證書而不是cacert.pem.


創建 CA 的過程:

  1. openssl genrsa -des3 -out /etc/pki/CA/private/cakey.pem
  2. openssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/ca.crt
  3. openssl x509 -req -days 100 -in ca.crt -out cacert.pem -signkey private/cakey.pem

引用自:https://serverfault.com/questions/965414