我正在安装 SSL 证书以提供 HTTPS 服务。我正在使用Apache 2.4
并Amazon Linux
在开始ssl。我的 Vhost 配置如下:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin [email protected]
ServerName myweb.com
DocumentRoot /var/www/html/myapp
<Directory /var/www/htmlmyapp>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/httpd/error_log
LogLevel warn
CustomLog /var/log/httpd/ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/mycert.crt
SSLCertificateKeyFile /etc/ssl/private/mycert.key
SSLCertificateFile /etc/ssl/certs/sub.class1.server.ca.pem
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
当我重新启动 Apache 时,我得到以下输出:
Stopping httpd: [ OK ]
Starting httpd: Apache/2.4.12 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Private key myweb.com:443:0 (/etc/ssl/private/mycert.key)
Enter pass phrase:
OK: Pass Phrase Dialog successful.
Apache:mod_ssl:Error: Private key not found.
**Stopped
[FAILED]
所以,它要求我输入密钥的密码,密码正确,然后它说找不到它。我遗漏了什么?
答案1
在您的配置中,有以下三行:
SSLCertificateFile /etc/ssl/certs/mycert.crt
SSLCertificateKeyFile /etc/ssl/private/mycert.key
SSLCertificateFile /etc/ssl/certs/sub.class1.server.ca.pem
您重复了SSLCertificateFile
。这意味着 Apache 将使用变量的第二个实例,即/etc/ssl/certs/sub.class1.server.ca.pem
- 但您的密钥是 的密钥/etc/ssl/certs/mycert.crt
,因此它与 CA 证书不匹配。因此,Apache 无法找到证书的密钥。
您的配置可能应该如下所示:
# Server certificate
SSLCertificateFile /etc/ssl/certs/mycert.crt
# Key to server certificate
SSLCertificateKeyFile /etc/ssl/private/mycert.key
# Glue certificate to CA
SSLCACertificateFile /etc/ssl/certs/sub.class1.server.ca.pem
请注意,第二个证书以 开头,SSLCA
而不是仅仅以 开头SSL
。
答案2
在您的配置文件中,您指向错误的 PrivateKey 文件SSLCertificateKeyFile /etc/ssl/private/mycert.key
而不是SSLCertificateKeyFile /etc/ssl/private/myweb.key
。
超出了问题的范围:您确定要为私钥保留密码吗?这意味着如果您的服务器重新启动,它将再次需要密码。但也意味着任何有权访问服务器的人都可能泄露您的私钥。
要生成没有密码的新密钥,请使用:openssl rsa -in oldkey.pem -out newkey.pem