在 Apache 中为多个本地站点设置带有 CA 的 SSL 并在特定位置进行身份验证(错误代码:ssl_error_handshake_failure_alert)Ubuntu

tag-icon tag-icon apache-2.2 ssl certificate-authority http-basic-authentication
在 Apache 中为多个本地站点设置带有 CA 的 SSL 并在特定位置进行身份验证(错误代码:ssl_error_handshake_failure_alert)Ubuntu

我正在尝试在本地 Web 服务器上实施 SSL(HTTPs),以保护用户登录的 Apache 网站上的指定目录,结合 SSL 和 HTTP 身份验证基础。我已遵循指南这里和阿帕奇的mod_ssl大部分情况下。我已经设置了本地 CA 并创建了 CA 的证书“cacert.pem”:

sudo openssl req -new -x509 -extensions v3_ca -keyout /etc/ssl/CA/private/cakey.pem -out /etc/ssl/CA/cacert.pem -days 3650
sudo openssl ca -gencrl -out /etc/ssl/CA/crl/crl.pem

创建密钥和证书:

sudo openssl genrsa -out webserver.key 2048
sudo openssl req -new -key webserver.key -out webserver.csr
sudo openssl ca -in webserver.csr -config /etc/ssl/openssl.cnf
# and now we have generated sighted certifivate "webserver.pem"
sudo openssl genrsa -out website.key 2048
sudo openssl req -new -key website.key -out website.csr
sudo openssl ca -in website.csr -config /etc/ssl/openssl.cnf
# and now we have generated sighted certifivate "website.crt"
sudo openssl pkcs12 -export -clcerts -in website.crt -inkey website.key -out website.p12

我已启用 mod_ssl 并编辑 default-ssl 中的行:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /path/to/apache/webserver.pem
    SSLCertificateKeyFile /path/to/apache/webserver.key
    SSLCACertificatePath /etc/ssl/CA/certs/
    SSLCACertificateFile /etc/ssl/CA/cacert.pem
    SSLCARevocationPath /etc/ssl/CA/crl/
    SSLCARevocationFile /etc/ssl/CA/crl/crl.pem
</VirtualHost>
</IfModule>

我的本地 website.conf (在 sites-enabled 内)如下所示:

<VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName local.website.com
    DocumentRoot /path/to/public_html
    ErrorLog /path/to/error_log
    CustomLog /path/to/access_log combined
    DirectoryIndex index.php index.html
    <Directory /path/to/public_html>
        Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
    </Directory>
</VirtualHost>
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin [email protected]
        ServerName local.website.com
        DocumentRoot /path/to/public_html

        SSLEngine on
        SSLVerifyClient      none
        SSLCertificateFile /path/to/website.crt
        SSLCertificateKeyFile /path/to/website.key

        <Location /secure_area >
            SSLRequireSSL
        </Location>

    </VirtualHost>
</IfModule>

我需要保护的文件夹内的 .htacces 如下所示:

### Redirecting ###
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} !^443$
    RewriteCond %{REQUEST_URI} ^/secure_area(/)?$
    RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R,L]
</IfModule>

### HTTP Authentication ###
<IfModule mod_authn_file.c>
    AuthType Basic
#   SSLRequireSSL
#   SSLVerifyClient      require    
    SSLVerifyDepth       3
    SSLCipherSuite       RC4-SHA:AES128-SHA:HIGH:!aNULL:!MD5
    SSLOptions           +FakeBasicAuth     
    AuthName "Restricted Area."
    AuthUserFile /path/to/htpasswd
    <Limit GET POST>
        Require valid-user
    </Limit>
    Satisfy All
</IfModule>

运行正常,但如果我取消注释“SSLVerifyClient”,浏览器会返回一条消息“错误代码:ssl_error_handshake_failure_alert”。此外,如果我取消注释“SSLRequireSSL”(并将其从我的 website.conf 中删除),它会重定向到我的错误页面。我做错了什么?我是否遗漏了什么?问题出在哪里?证书、apache 还是其他什么?

相关内容