Centos

SSL 站點未載入且無錯誤

  • May 22, 2019

我正在嘗試安裝從第三方購買的證書。在日誌中收到以下錯誤,沒有別的。我找不到類似的解決方案,並且無法訪問 ssl 站點。

伺服器環境

伺服器版本:Apache/2.4.6 (CentOS) 伺服器搭建:Apr 24 2019 13:45:48

以下是我的配置文件

/etc/httpd/conf.d/ssl.conf

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv2 -SSLv3

SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM

SSLHonorCipherOrder on 

SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt

SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key

SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
   SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost> 

/etc/httpd/sites-available/abc.com.conf

<VirtualHost abc.com:80>
   ServerName abc.com
   ServerAlias www.abc.com
   DocumentRoot /var/www/html/yangmao/public
   ErrorLog /var/www/html/log/error.log
   CustomLog /var/www/html/log/requests.log combined
<Directory "/var/www/html/yangmao/public">
   Allowoverride All
</Directory>
</VirtualHost>

<VirtualHost abc.com:443>
   SSLEngine on
   SSLProtocol all -SSLv2 -SSLv3
   SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
   SSLHonorCipherOrder on
   SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt
   SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
   SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt

   ServerName abc.com
   ServerAlias www.abc.com
   DocumentRoot /var/www/html/yangmao/public
   ErrorLog /var/www/html/log/error.log
   CustomLog /var/www/html/log/requests.log combined
<Directory "/var/www/html/yangmao/public">
   Allowoverride All
</Directory>
</VirtualHost>

更新

/etc/httpd/log/error_log 中的資訊

[Thu May 23 01:43:24.475306 2019] [mpm_event:notice] [pid 4036:tid 139917334841472] AH00492: caught SIGWINCH, shutting down gracefully
[Thu May 23 01:43:25.588508 2019] [suexec:notice] [pid 4357:tid 140179837872256] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 23 01:43:25.589750 2019] [ssl:warn] [pid 4357:tid 140179837872256] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 23 01:43:25.653936 2019] [auth_digest:notice] [pid 4357:tid 140179837872256] AH01757: generating secret for digest authentication ...
[Thu May 23 01:43:25.654491 2019] [lbmethod_heartbeat:notice] [pid 4357:tid 140179837872256] AH02282: No slotmem from mod_heartmonitor
[Thu May 23 01:43:25.655781 2019] [ssl:warn] [pid 4357:tid 140179837872256] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 23 01:43:25.720059 2019] [mpm_event:notice] [pid 4357:tid 140179837872256] AH00489: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.18 configured -- resuming normal operations
[Thu May 23 01:43:25.720096 2019] [core:notice] [pid 4357:tid 140179837872256] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

/etc/httpd/log/ssl_error_log 中的資訊

[Thu May 23 01:43:25.588891 2019] [ssl:info] [pid 4357:tid 140179837872256] AH02200: Loading certificate & private key of SSL-aware server 'abc.com:443'
[Thu May 23 01:43:25.589012 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 23 01:43:25.589423 2019] [ssl:info] [pid 4357:tid 140179837872256] AH01914: Configuring server abc.com:443 for SSL protocol
[Thu May 23 01:43:25.589581 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Thu May 23 01:43:25.589587 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 23 01:43:25.589591 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu May 23 01:43:25.589670 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_util_ssl.c(495): AH02412: [abc.com:443] Cert matches for name 'abc.com' [subject: CN=abc.com / iss$
[Thu May 23 01:43:25.589676 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Thu May 23 01:43:25.654838 2019] [ssl:info] [pid 4357:tid 140179837872256] AH02200: Loading certificate & private key of SSL-aware server 'abc.com:443'
[Thu May 23 01:43:25.654954 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 23 01:43:25.655470 2019] [ssl:info] [pid 4357:tid 140179837872256] AH01914: Configuring server abc.com:443 for SSL protocol
[Thu May 23 01:43:25.655623 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Thu May 23 01:43:25.655630 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 23 01:43:25.655634 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu May 23 01:43:25.655704 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_util_ssl.c(495): AH02412: [abc.com:443] Cert matches for name 'abc.com' [subject: CN=abc.com / iss$
[Thu May 23 01:43:25.655710 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(988): AH02236: Configuring RSA server private key

看起來您將證書文件放在公共 html 目錄中:/var/www/html/cert/…

這可能是防止使用此類證書的安全措施。

將證書目錄上移一級:

mv /var/www/html/cert /var/www/

設置 apache 使用者的可讀性(Ubuntu 和 debian 系統使用使用者 www-data)

chown -R apache /var/www/cert

相應地更改配置文件,並將虛擬主機配置更改為如下所示:

<VirtualHost *:443>
 ...
  ServerName abc.com
  ServerAlias www.abc.com
 ...

注意 * 而不是主機名!

並重新啟動 apache:

apachectl graceful

檢查 https:// …. 網址。

引用自:https://serverfault.com/questions/968458