我正在构建一个反向代理服务器Apache HTTPd 2.4.6, 在下面CentOS 7(新安装)运行于VMWare虚拟机。
我也遵循了https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI(通过帖子发现https://stackoverflow.com/questions/14830133/apache-httpd-virtual-host-ssl-certificate)并发布https://stackoverflow.com/questions/36050140/centos-httpd-ssl-404-error。
Apache HTTPd 实际配置(/etc/httpd/conf.d/my.domain.com.conf):
LoadModule ssl_module modules/mod_ssl.so Listen 443 NameVirtualHost *:443 SSLStrictSNIVHostCheck off <VirtualHost *:443> ServerName my.domain.com SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RCA+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/my.domain.com.cer SSLCertificateKeyFile /etc/pki/tls/private/my.domain.com.key SSLCertificateChainFile /etc/pki/ca-trust/source/anchors/chained.pem ProxyPreserveHost On <LocationMatch "/myapp"> ProxyPass http://X.X.X.X:8080/app ProxyPassReverse http://X.X.X.X:8080/app </LocationMatch> </VirtualHost>
证书链文件chained.pem包含我的CA。
该CA是证书的颁发者my.domain.com.cer并且存储的私钥my.domain.com.key是正确的。
此 CA 已添加到/etc/pki/tls/certs/ca-bundle.crt
语法正确(httpd -t)。
> 问题:当我访问 my.domain.com 时,发送的是 VMWare 证书而不是我的证书……
从客户端,当我使用 curl 向我的域发出请求时:
curl -v https://my.domain.com -k (...) * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt CApath: none * TLSv1.2 (OUT), TLS header, Certificate Status (22): (...) * Server certificate: * subject: C=US; L=Palo Alto; OU=VMware; CN=VMware; [email protected] * start date: May 24 09:24:16 2017 GMT * expire date: May 24 09:24:16 2018 GMT * issuer: C=US; L=Palo Alto; OU=VMware; CN=VMware; [email protected] * SSL certificate verify result: self signed certificate (18), continuing anyway.从客户端来说,当我使用 Chrome 向我的域发出请求时:
在 HTTPd 服务器上,httpd 调试日志中没有关于 SSL 错误的任何信息……:
[Wed Mar 14 05:31:00.572506 2018] [ssl:info] [pid 2715] AH02200: Loading certificate & private key of SSL-aware server 'my.domain.com:443'
[Wed Mar 14 05:31:00.573282 2018] [ssl:debug] [pid 2715] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Wed Mar 14 05:31:00.573333 2018] [ssl:info] [pid 2715] AH01914: Configuring server my.domain.com:443 for SSL protocol
[Wed Mar 14 05:31:00.574085 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (2 CA certificates)
[Wed Mar 14 05:31:00.574105 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Wed Mar 14 05:31:00.574116 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Wed Mar 14 05:31:00.574356 2018] [ssl:debug] [pid 2715] ssl_util_ssl.c(489): AH02412: [my.domain.com:443] Cert matches for name 'my.domain.com' [subject: [email protected],CN=my.domain.com ....... / notbefore: Mar 12 14:58:57 2018 GMT / notafter: Mar 9 14:58:57 2028 GMT]
[Wed Mar 14 05:31:00.574369 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Wed Mar 14 05:31:00.640615 2018] [ssl:info] [pid 2715] AH02200: Loading certificate & private key of SSL-aware server 'my.domain.com:443'
[Wed Mar 14 05:31:00.641115 2018] [ssl:debug] [pid 2715] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Wed Mar 14 05:31:00.641180 2018] [ssl:info] [pid 2715] AH01914: Configuring server my.domain.com:443 for SSL protocol
[Wed Mar 14 05:31:00.641646 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(872): AH01904: Configuring server certificate chain (2 CA certificates)
[Wed Mar 14 05:31:00.641656 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Wed Mar 14 05:31:00.641666 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(919): AH02232: Configuring RSA server certificate
[Wed Mar 14 05:31:00.642392 2018] [ssl:debug] [pid 2715] ssl_util_ssl.c(489): AH02412: [my.domain.com:443] Cert matches for name 'my.domain.com' [[subject: [email protected],CN=my.domain.com ....... / notbefore: Mar 12 14:58:57 2018 GMT / notafter: Mar 9 14:58:57 2028 GMT]
[Wed Mar 14 05:31:00.642492 2018] [ssl:debug] [pid 2715] ssl_engine_init.c(974): AH02236: Configuring RSA server private key
[Wed Mar 14 05:31:00.656912 2018] [proxy:debug] [pid 2717] proxy_util.c(1843): AH00925: initializing worker http://X.X.X.X:8080/app shared
[Wed Mar 14 05:31:00.656964 2018] [proxy:debug] [pid 2717] proxy_util.c(1885): AH00927: initializing worker http://X.X.X.X:8080/app local
[Wed Mar 14 05:31:00.656984 2018] [proxy:debug] [pid 2717] proxy_util.c(1936): AH00931: initialized single connection worker in child 2717 for (X.X.X.X)
没有 /etc/httpd/logs/ssl_error 日志。
我不明白为什么我的客户会收到 WMWare 证书而不是我的...有什么想法吗?:(
注意:没有安装 iptables 服务并且没有加载默认文件 /etc/httpd/conf.d/ssl.conf(重命名为 ssl.conf.bak)
答案1
好的。找到了。经过了好几天的头痛之后。
- 如果您未使用桥接连接,则域
my.domain.com必须绑定到 VM IP,而不是主机 IP。请在域控制器中检查。 - 编辑文件
config.xml(Windows默认路径C:\ProgramData\VMware\hostd\config.xml:)以删除该块:<!-- Remove the following node to disable SSL --> <ssl> <!-- The server private key file --> <privateKey>C:\ProgramData\VMware\ssl/rui.key</privateKey> <!-- The server side certificate file --> <certificate>C:\ProgramData\VMware\ssl/rui.crt</certificate>--> <!-- The SSL version to use --> <!-- <sslVersion>all</sslVersion> --> </ssl>
首先会显示虚拟机管理的证书。您也可以更改rui.crt,rui.key但它们将应用于所有虚拟机。这不是我想要的。
- 必须停止 VMWare,并且需要重新启动 WMWare Workstation 服务(命令行:
net stop VMwareHostd然后net start VMwareHostd) - 重新运行虚拟机。完成!