httpd 不以自签名证书开头

tag-icon tag-icon apache-httpd ssl
httpd 不以自签名证书开头

尝试启动 httpd,我在错误日志中看到以下内容,

[Mon Apr 12 21:00:13.398987 2021] [suexec:notice] [pid 155] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 12 21:00:13.399247 2021] [ssl:emerg] [pid 155] AH02572: Failed to configure at least one certificate and key for myHost.net:443
[Mon Apr 12 21:00:13.399265 2021] [ssl:emerg] [pid 155] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Mon Apr 12 21:00:13.399270 2021] [ssl:emerg] [pid 155] AH02312: Fatal error initialising mod_ssl, exiting.

在 /var/www/test 中,我通过以下方式创建了自签名文件

bash-4.2# openssl req -new -x509 -nodes -out server.crt -keyout server.key
Generating a 2048 bit RSA private key
........+++
..................................................................................+++
writing new private key to 'server.key'
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:NJ
Locality Name (eg, city) [Default City]:Princeton
Organization Name (eg, company) [Default Company Ltd]:Acme
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:myHost.net
Email Address []:[email protected]

/etc/httpd/conf.d/ssl.conf 文件包含,

<VirtualHost _default_:443>
SSLEngine on
SSLProtocol all -SSLv3
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
ServerName myHost.net
SSLCertificateFile /var/www/test/server.crt
SSLCertificateKeyFile /var/www/test/server.key
Include /etc/httpd/conf.d/options-ssl-apache.conf
</VirtualHost>

/etc/httpd/conf.d/options-ssl-apache.conf 有

SSLEngine on
# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder     off
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

/etc/httpd/conf.modules.d/00-ssl.conf 有

LoadModule ssl_module modules/mod_ssl.so

这是在 Docker 容器内,

bash-4.2# cat /etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

httpd.conf 的底部包含

IncludeOptional conf.d/*.conf

有没有关于在哪里查看稍微模糊的错误的指示?

非常感谢

答案1

作为一个疯狂的猜测,尝试将证书/密钥移出/var/www。

第二个想法:密钥文件的权限可能太宽(这个答案建议对证书和密钥文件的权限应为 600,对包含目录(由 root 拥有)的权限应为 700。

相关内容