apache2 mod_gnutls https 服务实际上成功运行,但在尝试从 pkcs11 URL 读取私钥时始终返回此错误:
[Wed Jan 20 13:26:25.268236 2016] [gnutls:emerg] [pid 5232:tid 140334984677248] GnuTLS: Failed to Re-Import Private Key URL 'pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest2;object-type=private': (-300) PKCS #11 error.
使用 apache2 2.4.x 与 mod-gnutls 0.7.2 + gnutls 3.3.x
操作系统:Ubuntu Vivid
有趣的是,它不会返回证书的此类错误,只会返回私钥。
那么有什么想法吗?
更新:
这是来自 mod_gnutls.conf 的配置文件:
<IfModule mod_gnutls.c>
# The default method is to use a DBM backed cache. It's not super fast, but
# it's portable and doesn't require another server to be running like
# memcached
#GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
#GnuTLSPIN 1234
GnuTLSCache dbm /var/cache/apache2/gnutls_cache
# mod_gnutls can optionaly use a memcached server to store SSL sessions.
# This is useful in a cluster environment, where you want all your servers to
# share a single SSL session cache
#GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
GnuTLSCacheTimeout 600
<VirtualHost _default_:443>
DocumentRoot "/var/www/htdocs"
ServerName localhost
ServerAdmin [email protected]
ErrorLog "/var/log/apache2/error_log"
TransferLog "/var/log/apache2/access_log"
GnuTLSEnable on
GnuTLSSessionTickets on
GnuTLSPriorities NORMAL
GNUTLSExportCertificates on
GnuTLSPIN 1234
GnuTLSCertificateFile pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest;object-type=cert
GnuTLSKeyFile pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest2;object-type=private
</VirtualHost>
</IfModule>
答案1
您的 pkcs11 库已被注释掉:
GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
因此mod_gnutls无法读取 HSM 上的密钥。您也可以取消注释该引脚:
GnuTLSPIN 1234
显然将其更改为您选择的 PIN。