Apache: mod_ssl: Error: Private key not found

I am installing an SSL certificate so I can serve HTTPS. I'm using Apache 2.4 on Amazon Linux and am just getting started with SSL. My vhost configuration is as follows:

<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
    ServerAdmin [email protected]
    ServerName myweb.com
    DocumentRoot /var/www/html/myapp
    <Directory /var/www/html/myapp>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride None
      Order allow,deny
      allow from all
    </Directory>

    ErrorLog /var/log/httpd/error_log
    LogLevel warn

    CustomLog /var/log/httpd/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mycert.crt
    SSLCertificateKeyFile /etc/ssl/private/mycert.key
    SSLCertificateFile /etc/ssl/certs/sub.class1.server.ca.pem
    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

  </VirtualHost>
</IfModule>

When I restart Apache, I get the following output:

Stopping httpd:                                            [  OK  ]
Starting httpd: Apache/2.4.12 mod_ssl (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Private key myweb.com:443:0 (/etc/ssl/private/mycert.key)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
Apache:mod_ssl:Error: Private key not found.
**Stopped
                                                           [FAILED]

So it asks me for the key's pass phrase, the pass phrase is correct, and then it says it cannot find the key. What am I missing?

Answer 1

Your configuration contains these three lines:

SSLCertificateFile    /etc/ssl/certs/mycert.crt
SSLCertificateKeyFile /etc/ssl/private/mycert.key
SSLCertificateFile /etc/ssl/certs/sub.class1.server.ca.pem

You have SSLCertificateFile twice. That means Apache uses the second instance of the directive, /etc/ssl/certs/sub.class1.server.ca.pem, but your key belongs to /etc/ssl/certs/mycert.crt, so it does not match the CA certificate. That is why Apache cannot find the key for the certificate.

Your configuration should probably look like this:

# Server certificate
SSLCertificateFile    /etc/ssl/certs/mycert.crt
# Key to server certificate
SSLCertificateKeyFile /etc/ssl/private/mycert.key
# Glue certificate to CA
SSLCACertificateFile /etc/ssl/certs/sub.class1.server.ca.pem

Note that the directive for the second certificate starts with SSLCA, not just SSL.

Answer 2

In your configuration file you are pointing at the wrong private key file: SSLCertificateKeyFile /etc/ssl/private/mycert.key instead of SSLCertificateKeyFile /etc/ssl/private/myweb.key

Outside the scope of the question: are you sure you want to keep a pass phrase on the private key? It means that whenever your server reboots it will ask for the pass phrase again. But it also means that anyone with access to the server could leak your private key.

To produce a new key without a pass phrase, use: openssl rsa -in oldkey.pem -out newkey.pem
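The check that both answers hinge on, as an added example that is not part of the original question or either answer: the script builds a throwaway CA, a server certificate and a pass-phrase-protected key (all constructed for the demo; the openssl CLI is assumed to be on PATH and the file names and pass phrase are invented), then compares the public key inside each certificate with the public key derived from the private key. That pairing is what mod_ssl validates at startup, so running it with the CA certificate in place of the server certificate reproduces the "Private key not found" situation from Answer 1. The last function strips the pass phrase the way Answer 2's openssl rsa command does, while making sure the plaintext key is created owner-only.

```shell
#!/bin/sh
# Added example, not code from the original post or either answer.
# Assumes the openssl CLI is on PATH; WORK, PASS and every file name below
# are constructed for this demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS='demo pass phrase'    # constructed pass phrase protecting the demo key

# Constructed test material mirroring the post: a CA (stand-in for
# sub.class1.server.ca.pem), an encrypted server key and the server cert.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/mycert.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/mycert.key" -passin "pass:$PASS" \
        -subj '/CN=myweb.com' -out "$WORK/mycert.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/mycert.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/mycert.crt" 2>/dev/null
}

# The pairing mod_ssl checks at startup: the public key embedded in the
# certificate must equal the public key derived from the private key.
# Usage: cert_key_match CERT KEY [PASSPHRASE]; prints "match" or "mismatch".
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Is the key pass-phrase protected (i.e. will Apache prompt for it)?
# Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy PEM
# ("Proc-Type: 4,ENCRYPTED") carry the word ENCRYPTED. Prints yes/no.
key_is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# Remove the pass phrase (Answer 2's openssl rsa command) inside a subshell
# with umask 077, so the plaintext key is never created world-readable and
# there is no window between creation and a later chmod.
# Usage: strip_passphrase ENCRYPTED_KEY PASSPHRASE OUTPUT_KEY
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

make_test_pki
echo "server cert vs server key: $(cert_key_match "$WORK/mycert.crt" "$WORK/mycert.key" "$PASS")"
echo "CA cert     vs server key: $(cert_key_match "$WORK/ca.pem" "$WORK/mycert.key" "$PASS")"
strip_passphrase "$WORK/mycert.key" "$PASS" "$WORK/mycert.nopass.key"
echo "stripped key encrypted?  : $(key_is_encrypted "$WORK/mycert.nopass.key")"
ls -l "$WORK/mycert.nopass.key"
```

Against the real files from the question, cert_key_match /etc/ssl/certs/mycert.crt /etc/ssl/private/mycert.key should print match and the same call with /etc/ssl/certs/sub.class1.server.ca.pem should print mismatch, which is the state the duplicated SSLCertificateFile directive left Apache in. After editing the vhost, apachectl configtest only validates syntax, not the key pairing, so this check remains worthwhile. One caveat on the final snippet in Answer 1: SSLCACertificateFile is the trust store mod_ssl uses to verify client certificates. To send an intermediate certificate to browsers, append it after the server certificate in the file named by SSLCertificateFile (Apache 2.4.8 and later) or use SSLCertificateChainFile on older releases.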
