SSL 不適用於 Windows 上的 Apache
我正在使用必須在 Windows 上使用 Apache 的供應商提供的產品。
我們有自己的 CA。
出於命名目的:
AppServer - Server2012r2 - Apache 2.4
OldCertsha1 - Server2012r2
NewCertsha2 - Server2012r2
我使用以下兩個命令在 AppServer 上創建了 CSR。
genrsa –des3 –out name.sub.domain.com.key 2048 req –new –key name.sub.domain.com.key –out name.sub.domain.com.csr
一切順利
req -noout -text -in name.sub.domain.com.csr Certificate Request: Data: Version: 0 (0x0) Subject: C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=name.sub.domain.com Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f: 321:rf Exponent: 65537 (0x10001) Attributes: a0:00 Signature Algorithm: sha1WithRSAEncryption aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8: aa:e4:b7:1d
然後在 CA 伺服器上
申請證書
高級證書請求。
使用 base-64 編碼的 CMC 或 PKCS #10 文件送出證書請求,或使用 base-64 編碼的 PKCS #7 文件送出續訂請求。
在 AppServer 上打開 CSR 並將 CSR 資訊粘貼到框中
-----BEGIN CERTIFICATE REQUEST----- MIIC0zCCAbsCAQAwgY0xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaWNoaWdhbjER MA8GA1UEBxMIRGVhcmJvcm4xFjAUBgNVBAoTDWRmY3VmaW5hbmNpYWwxDDAKBgNV BAsTA2l2cjEyMDAGA1UEAxMpcDAxMWRjMDEtY3JlYzAzLmNlbnRyYWwuZGZjdWZp bmFuY2lhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCej1o0 EEq6UcgB4uhr9bYzA4u8pvxvaCE0JXCqW/8m8D2DBHnJFA2Ui4kEjQlKy1eRTfE0 6lRmowrsJVvvlz0pfsdfghksdkjfgsjskhgfksgfdfmjwHd1D/Bgg60AOPmUBIFl rgaGcw9CasdkjlhaslkdjhsaklfjhdsfkhsldfjhsdlkjfhdlFOoGVtQdgticLqy dzpLnAnqwezEnsdflsjhdfksdkfjhwsdkfjhLqKDx1b0z1n7tV4F8DS261dmm8+r ONz9oYqZfdAFu55gG7sHgOn14P5gP2QIoV/c6CJ2hzbtlifKmZp2A+9F/csXTMIJ w2sgfQzgv+UPEkH9AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAMwjmg96iCLnB uTF4LOoeA788NAt9cYdsWuaUsHptnw70Mj5wWIiaZYgY0hCvWPezRsgOfFrWinN0 y4n0trlyEYXJquBKZbxJZ2yscNMqOJyKl70Ckb83IwpIdhxRYr0JZffEmFlx+2yv 4rhFquS3HZpWtCLopRroQx1v74bYGZHBiz2cM4peowzqGrs8r5NKYYqLRiH00VTs GEEB+Rihen4tnrn0Y1KLkumrSOrTghIrpQ0j2MZrmvhAIlcZ0W+6bJQcbl0lQ3Hv STaH9EyIj+47jpMhpfazRPOjSDdFiokjchVDS0Wj/iQJlNDurU7xd+570gduZfcF M4YoMCwv7Q== -----END CERTIFICATE REQUEST-----
模板 Web 伺服器(10 年)
在這裡我有兩個選擇
DER 編碼或 Base 64 編碼
無論我選擇哪一個,它都會下載一個 .cer 和一個 .p7b 文件
我在 OldCertsha1 伺服器上做了同樣的步驟,得到了同樣的結果
當我編輯 httpd-ssl.conf 文件時,添加以下內容並重新啟動 Apache2.4 服務
SSLCertificateFile "E:/Apache24/conf/Certs/name.sub.domain.com.crt" SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"
我收到以下錯誤,來自上述選擇的不同類型的不同錯誤(DER 編碼或 Base 64 編碼):
DER編碼:
[Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] (OS 10061)No connection could be made because the target machine actively refused it. : AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed [Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s [Wed Jan 11 08:37:44.471616 2017] [proxy_http:error] [pid 4804:tid 1780] [client ::1:61346] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://name.sub.domain.com/knoahsoft/faces/client/index1.jspx?_afPfm=5600447c [Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer [Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile? [Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib [Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer [Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile? [Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
Base 64 編碼:
[Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key) [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA) [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO) [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key) [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA) [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
我讀了幾篇文章說 CER 和 CRT 文件可以互換,只需重命名它們即可。
如果我將 cer 重命名為 crt 並更新 httpd-ssl.conf,那麼我會在日誌中收到很多錯誤,其中大約 100 個:
[Wed Jan 11 14:06:43.943865 2017] [autoindex:error] [pid 70976:tid 1784] [client 10.1.41.110:50933] AH01276: Cannot serve directory E:/KnoahSoft/EmpPhotos/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive
現在供應商將他們在傳遞盒子時載入的 server.crt、server.cre、server.csr 和 server.key 文件放入,如果我將 httpd-ssl.conf 中的兩行改回原來的內容,它將重新啟動很好,一切正常,但我收到 SSL 警告
SSLCertificateFile "E:/Apache24/conf/Certs/server.crt" SSLCertificateKeyFile "E:/Apache24/conf/Certs/server.key"
有人可以告訴我我可能做錯了什麼,如果您需要查看配置,請詢問我會放上去。
更新:
我拿他們的 server.csr 打開了 OldCertsha1 和 NewCertsha2 上的 CertSrv 頁面,當我使用 Web Server Web Server (10 year) 模板時出現錯誤:
Your Request Id is 118. The disposition message is "Denied by Policy Module The certificate validity period will be shorter than the WebServer(10Years) Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period. ".
所以然後我嘗試了 Web 伺服器(5 年)同樣的錯誤,然後我厭倦了(Web 伺服器)沒有收到錯誤並下載了 DER 編碼或 Base 64 編碼的 cer 和 p7b 文件。
將 Base 64 編碼的 server.cer 更改為 server.crt,將舊的 server.crt 重命名為 server1.crt 並重新啟動 apache,
沒有錯誤完美地工作,
為什麼?我從一開始做錯了什麼?
這是我第一次使用 SSL 和 apache 並使用我自己的 CA,我做錯了什麼?我能想到的唯一想法是我使用了 Web 伺服器(10 年)模板,但這對我來說真的沒有意義。
如果我查看兩個 crt 文件,它們都有相同的資訊
該證書旨在用於以下目的
- 確保遠端電腦的身份
發給:name.sub.domain.com
頒發者:OldCertsha1
與“正常”選項卡的唯一真正區別是有效期多長,我的 cst 的有效期為 10 年,他們的 csr 的 crt 的有效期為 2 年。
我將更深入地研究 SSL 的其他部分,看看明天是否能找到差異。
首先,Apache 將始終使用 base64,文件副檔名無關緊要(pem、crt、cer)。
其次,您頒發證書的時間不能超過證書頒發機構。
10 年有點長,看到瀏覽器開始將它們標記為不安全,我不會感到驚訝。
如果您仍然擁有已頒發的證書,則可以使用 openssl 對其進行驗證。
Base 64 無處不在,請:-)。
您的 httpd.conf 行
SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"
正在指定一個加密的密鑰文件。Windows 上的 Apache 不支持在執行時提供解密密碼…請參閱錯誤日誌行:
[2017 年 1 月 11 日星期三 14:35:15.024474] [ssl:emerg] [pid 141796:tid 508] AH02577:初始化:Win32 不支持 SSLPassPhraseDialog 內置(密鑰文件 E:/Apache24/conf/Certs/name.sub. domain.com.key)
您必須預先解密您的密鑰文件:
openssl rsa -in name.sub.domain.com.key -out name.sub.domain.com.decryped.key
詢問時提供密碼。更正 httpd.conf 並重新啟動 Apache。