Apache 重启后停止工作

tag-icon tag-icon centos apache-httpd certificates
Apache 重启后停止工作

我的 CentOS7 上的 Apache 服务器在重新启动后突然停止工作。

我使用从有效 CA 获取的 .crt 和 .key 通配符证书进行 SSL 配置。

当我重新启动 httpd 服务时,没有错误,但网页未加载。

我已验证我的服务器正在侦听端口 443 和 80:

# netstat -tlnup | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      6186/httpd          
tcp6       0      0 :::443                  :::*                    LISTEN      6186/httpd

每次 Apache 重新启动后,在 error_log 中我得到:

[ssl:warn] [pid 6186] AH02292: Init: 基于名称的 SSL 虚拟主机仅适用于具有 TLS 服务器名称指示支持的客户端 (RFC 4366)

但我的证书的 CN 实际上是一个通配符:

# openssl x509 -in /etc/pki/tls/certs/domain.com.crt -noout -subject
subject= ********************* O= ************ OU=************ OU=***************** CN=*.domain.com

我的 apacheconf 文件是:

ServerName my.domain.com
<VirtualHost *:80>
   ServerAlias *.domain.com
   Redirect / https://my.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAlias *.domain.com
        DocumentRoot /var/www/html/glpi
        ErrorLog /var/log/httpd/glpi.log
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
</VirtualHost>

进行本地卷曲测试我有以下内容:

# curl https://localhost
curl: (60) Peer's Certificate issuer is not recognized.

# curl -k https://localhost
Answer OK

# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*   subject: CN=*.domain.com,OU=*************************
*   common name: *.domain.com
*   issuer: CN=Trusted Secure Certificate Authority
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

错误在哪里以及为什么在重新启动之前它可以工作?

相关内容