CentOS
SSL site does not load and shows no error
I am trying to install a certificate purchased from a third party. I get the following errors in the logs and nothing else. I cannot find a similar solution, and I cannot access the SSL site.
Server environment
Server version: Apache/2.4.6 (CentOS)
Server built: Apr 24 2019 13:45:48
Below are my configuration files
/etc/httpd/conf.d/ssl.conf

    Listen 443 https
    SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
    SSLSessionCache shmcb:/run/httpd/sslcache(512000)
    SSLSessionCacheTimeout 300
    SSLRandomSeed startup file:/dev/urandom 256
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random 512
    #SSLRandomSeed connect file:/dev/random 512
    #SSLRandomSeed connect file:/dev/urandom 512
    SSLCryptoDevice builtin
    #SSLCryptoDevice ubsec
    <VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt
    SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
    SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>
/etc/httpd/sites-available/abc.com.conf

    <VirtualHost abc.com:80>
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /var/www/html/yangmao/public
    ErrorLog /var/www/html/log/error.log
    CustomLog /var/www/html/log/requests.log combined
    <Directory "/var/www/html/yangmao/public">
        Allowoverride All
    </Directory>
    </VirtualHost>

    <VirtualHost abc.com:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
    SSLHonorCipherOrder on
    SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt
    SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
    SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt
    ServerName abc.com
    ServerAlias www.abc.com
    DocumentRoot /var/www/html/yangmao/public
    ErrorLog /var/www/html/log/error.log
    CustomLog /var/www/html/log/requests.log combined
    <Directory "/var/www/html/yangmao/public">
        Allowoverride All
    </Directory>
    </VirtualHost>
Update
Contents of /etc/httpd/log/error_log

    [Thu May 23 01:43:24.475306 2019] [mpm_event:notice] [pid 4036:tid 139917334841472] AH00492: caught SIGWINCH, shutting down gracefully
    [Thu May 23 01:43:25.588508 2019] [suexec:notice] [pid 4357:tid 140179837872256] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Thu May 23 01:43:25.589750 2019] [ssl:warn] [pid 4357:tid 140179837872256] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu May 23 01:43:25.653936 2019] [auth_digest:notice] [pid 4357:tid 140179837872256] AH01757: generating secret for digest authentication ...
    [Thu May 23 01:43:25.654491 2019] [lbmethod_heartbeat:notice] [pid 4357:tid 140179837872256] AH02282: No slotmem from mod_heartmonitor
    [Thu May 23 01:43:25.655781 2019] [ssl:warn] [pid 4357:tid 140179837872256] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
    [Thu May 23 01:43:25.720059 2019] [mpm_event:notice] [pid 4357:tid 140179837872256] AH00489: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.18 configured -- resuming normal operations
    [Thu May 23 01:43:25.720096 2019] [core:notice] [pid 4357:tid 140179837872256] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Contents of /etc/httpd/log/ssl_error_log

    [Thu May 23 01:43:25.588891 2019] [ssl:info] [pid 4357:tid 140179837872256] AH02200: Loading certificate & private key of SSL-aware server 'abc.com:443'
    [Thu May 23 01:43:25.589012 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
    [Thu May 23 01:43:25.589423 2019] [ssl:info] [pid 4357:tid 140179837872256] AH01914: Configuring server abc.com:443 for SSL protocol
    [Thu May 23 01:43:25.589581 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
    [Thu May 23 01:43:25.589587 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
    [Thu May 23 01:43:25.589591 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
    [Thu May 23 01:43:25.589670 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_util_ssl.c(495): AH02412: [abc.com:443] Cert matches for name 'abc.com' [subject: CN=abc.com / iss$
    [Thu May 23 01:43:25.589676 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
    [Thu May 23 01:43:25.654838 2019] [ssl:info] [pid 4357:tid 140179837872256] AH02200: Loading certificate & private key of SSL-aware server 'abc.com:443'
    [Thu May 23 01:43:25.654954 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
    [Thu May 23 01:43:25.655470 2019] [ssl:info] [pid 4357:tid 140179837872256] AH01914: Configuring server abc.com:443 for SSL protocol
    [Thu May 23 01:43:25.655623 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
    [Thu May 23 01:43:25.655630 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
    [Thu May 23 01:43:25.655634 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
    [Thu May 23 01:43:25.655704 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_util_ssl.c(495): AH02412: [abc.com:443] Cert matches for name 'abc.com' [subject: CN=abc.com / iss$
    [Thu May 23 01:43:25.655710 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
It looks like you put the certificate files in the public html directory: /var/www/html/cert/…
That could be a security measure that prevents such certificates from being used.
Move the certificate directory one level up:

    mv /var/www/html/cert /var/www/

Make it readable by the apache user (Ubuntu and Debian systems use the user www-data):

    chown -R apache /var/www/cert

Change the configuration files accordingly, and change the virtual host configuration to look like this:

    <VirtualHost *:443>
    ...
    ServerName abc.com
    ServerAlias www.abc.com
    ...

Note the * instead of the hostname!
Then restart apache:

    apachectl graceful

Check the https:// …. URL.
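As an added example (not part of the question or the answer above), here is a small linter for Apache vhost text that flags the two points the answer raises: TLS key and certificate files placed under a DocumentRoot, where a plain HTTP client could fetch the private key, and a hostname used as the `<VirtualHost>` address on port 443 instead of `*:443`. It assumes the server-wide DocumentRoot is /var/www/html (the CentOS httpd.conf default), which vhosts without their own DocumentRoot inherit; the sample configs are constructed from the ones quoted in the question.

```python
import os
import re

# Constructed from the two config files quoted in the question (abbreviated).
SAMPLE_SSL_CONF = """
<VirtualHost _default_:443>
SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt
SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt
</VirtualHost>
"""
SAMPLE_SITE_CONF = """
<VirtualHost abc.com:443>
SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
ServerName abc.com
DocumentRoot /var/www/html/yangmao/public
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
TLS_FILES = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def parse_vhosts(text):
    """Yield (address, {directive: value}) for each <VirtualHost> block."""
    for addr, body in VHOST_RE.findall(text):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith(("#", "<")):  # skip comments, nested sections
                name, _, value = line.partition(" ")
                directives[name] = value.strip()
        yield addr.strip(), directives


def lint_vhosts(text, default_docroot="/var/www/html"):
    """Return findings; default_docroot (assumed: CentOS httpd.conf) is inherited by vhosts without one."""
    findings = []
    for addr, d in parse_vhosts(text):
        docroot = os.path.normpath(d.get("DocumentRoot", default_docroot))
        for key in TLS_FILES:
            path = d.get(key)
            if path and os.path.normpath(path).startswith(docroot + os.sep):
                url = path[len(docroot):]  # the URL path an unauthenticated client could request
                findings.append(f"{addr}: {key} {path} is inside DocumentRoot, fetchable as {url}")
        host, _, port = addr.rpartition(":")
        if port == "443" and host not in ("*", "_default_") and re.search(r"[A-Za-z]", host):
            findings.append(f"{addr}: hostname as VirtualHost address; use *:443 plus ServerName")
    return findings
```

Run it over the live ssl.conf and site config before and after moving the cert directory; an empty list means neither problem is present.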