My Apache server on CentOS 7 suddenly stopped working after a reboot.
I use a wildcard certificate (.crt and .key) obtained from a valid CA for the SSL configuration.
When I restart the httpd service there are no errors, but the web page does not load.
I have verified that my server is listening on ports 443 and 80:
# netstat -tlnup | grep httpd
tcp6 0 0 :::80 :::* LISTEN 6186/httpd
tcp6 0 0 :::443 :::* LISTEN 6186/httpd
After every Apache restart I get this in error_log:
[ssl:warn] [pid 6186] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
But the CN of my certificate is actually a wildcard:
# openssl x509 -in /etc/pki/tls/certs/domain.com.crt -noout -subject
subject= ********************* O= ************ OU=************ OU=***************** CN=*.domain.com
My Apache conf file is:
ServerName my.domain.com
<VirtualHost *:80>
ServerAlias *.domain.com
Redirect / https://my.domain.com/
</VirtualHost>
<VirtualHost *:443>
ServerAlias *.domain.com
DocumentRoot /var/www/html/glpi
ErrorLog /var/log/httpd/glpi.log
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/domain.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/domain.com.key
</VirtualHost>
Running a local curl test I get the following:
# curl https://localhost
curl: (60) Peer's Certificate issuer is not recognized.
# curl -k https://localhost
Answer OK
# curl -v https://localhost
* About to connect() to localhost port 443 (#0)
* Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=*.domain.com,OU=*************************
* common name: *.domain.com
* issuer: CN=Trusted Secure Certificate Authority
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
Where is the error, and why did it work before the reboot?
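The curl output above says the leaf certificate was received but its issuer could not be chained to anything in ca-bundle.crt. Below is an added example, not part of the question or any answer, that reproduces that failure mode offline with a constructed toy PKI (root CA, intermediate CA, wildcard leaf for *.domain.com; all names are made up) and shows what a client trusting only the root sees with and without the intermediate, plus how the wildcard name is matched against my.domain.com and localhost. It only needs the openssl command line; the served_chain_count helper is defined for checking a live server over SNI and is not invoked.

```shell
#!/bin/sh
# Added example (not from the question): build a constructed three-level PKI with
# openssl and show (1) that a client trusting only the root rejects the leaf unless
# the intermediate is handed over with it, which is what curl reports as
# "Peer's Certificate issuer is not recognized", and (2) how *.domain.com is matched.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA, self-signed: stands in for an entry in /etc/pki/tls/certs/ca-bundle.crt.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -subj "/CN=Toy Root CA" -keyout root.key -out root.crt 2>/dev/null

# Intermediate CA signed by the root: stands in for the issuer curl printed.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Toy Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# Wildcard leaf signed by the intermediate, like the question's *.domain.com cert.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=*.domain.com" -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.domain.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 2 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# verify_leaf [EXTRA_CERT ...]: validate leaf.crt trusting only root.crt. Any extra
# files are passed as -untrusted, i.e. the way a server hands over its chain
# (in Apache: SSLCertificateChainFile). Returns openssl's exit status.
verify_leaf() {
  extra=""
  for f in "$@"; do extra="$extra -untrusted $f"; done
  openssl verify -CAfile root.crt $extra leaf.crt >/dev/null 2>&1
}

# matches_host HOST: same validation plus the hostname check curl performs
# (needs openssl >= 1.1.0 for -verify_hostname).
matches_host() {
  openssl verify -CAfile root.crt -untrusted inter.crt \
    -verify_hostname "$1" leaf.crt >/dev/null 2>&1
}

# served_chain_count HOST: count the certificates a live server sends for HOST
# when asked via SNI. 1 means the leaf alone (no intermediate). Not run here.
served_chain_count() {
  printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

if verify_leaf; then echo "leaf alone: ok"; else echo "leaf alone: FAIL (unknown issuer)"; fi
if verify_leaf inter.crt; then echo "leaf + intermediate: ok"; else echo "leaf + intermediate: FAIL"; fi
if matches_host my.domain.com; then echo "my.domain.com: covered by *.domain.com"; fi
if matches_host localhost; then echo "localhost: covered"; else echo "localhost: not covered (expected)"; fi
```

Two things follow from the run: a client that trusts only the root cannot validate the leaf unless the intermediate arrives with it, and even a complete chain will not pass the name check for https://localhost, since *.domain.com does not cover that name. With a real server, served_chain_count my.domain.com on a CentOS 7 box would show how many certificates httpd actually sends for that SNI name.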