apache2 fails to start after configuring SSL


I did the following to get my website working over https (German): http://www.tecchannel.de/a/owncloud-9-unter-ubuntu-server-16-04-lts-installieren,3277807,2

Now when I start apache2 I get this error:

> Job for apache2.service failed. See 'systemctl status apache2.service'
> and 'journalctl -xn' for details.

Details:

● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─forking.conf
   Active: failed (Result: exit-code) since Sun 2017-03-26 18:55:09 CEST; 17s ago
  Process: 4328 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 5164 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)

Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: Starting web server: apache2 failed!
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: The apache2 configtest failed. ... (warning).
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: Output of config test was:
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: apache2: Syntax error on line 219 of /etc/apache2/apache2.conf: Syntax error on line 4 of /etc/apache2/sites-enabled/default-ssl.conf: <IfModule takes one argument, Container for directives based on existence of specified modules
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: Action 'configtest' failed.
Mar 26 18:55:09 root599046.kms4.cc apache2[5164]: The Apache error log may have more information.
Mar 26 18:55:09 root599046.kms4.cc systemd[1]: apache2.service: control process exited, code=exited status=1
Mar 26 18:55:09 root599046.kms4.cc systemd[1]: Failed to start LSB: Apache2 web server.
Mar 26 18:55:09 root599046.kms4.cc systemd[1]: Unit apache2.service entered failed state.

But what is wrong with IfModule? My apache2.conf:

> # This is the main Apache server configuration file.  It contains the
> # configuration directives that give the server its instructions.
> # See http://httpd.apache.org/docs/2.4/ for detailed information about
> # the directives and /usr/share/doc/apache2/README.Debian about Debian specific
> # hints.
> #
> #
> # Summary of how the Apache 2 configuration works in Debian:
> # The Apache 2 web server configuration in Debian is quite different to
> # upstream's suggested way to configure the web server. This is because Debian's
> # default Apache2 installation attempts to make adding and removing modules,
> # virtual hosts, and extra configuration directives as flexible as possible, in
> # order to make automating the changes and administering the server as easy as
> # possible.
> 
> # It is split into several files forming the configuration hierarchy outlined
> # below, all located in the /etc/apache2/ directory:
> #
> # /etc/apache2/
> # |-- apache2.conf
> # |   `--  ports.conf
> # |-- mods-enabled
> # |   |-- *.load
> # |   `-- *.conf
> # |-- conf-enabled
> # |   `-- *.conf
> # `-- sites-enabled
> #     `-- *.conf
> #
> #
> # * apache2.conf is the main configuration file (this file). It puts the pieces
> #   together by including all remaining configuration files when starting up the
> #   web server.
> #
> # * ports.conf is always included from the main configuration file. It is
> #   supposed to determine listening ports for incoming connections which can be
> #   customized anytime.
> #
> # * Configuration files in the mods-enabled/, conf-enabled/ and sites-enabled/
> #   directories contain particular configuration snippets which manage modules,
> #   global configuration fragments, or virtual host configurations,
> #   respectively.
> #
> #   They are activated by symlinking available configuration files from their
> #   respective *-available/ counterparts. These should be managed by using our
> #   helpers a2enmod/a2dismod, a2ensite/a2dissite and a2enconf/a2disconf. See
> #   their respective man pages for detailed information.
> #
> # * The binary is called apache2. Due to the use of environment variables, in
> #   the default configuration, apache2 needs to be started/stopped with
> #   /etc/init.d/apache2 or apache2ctl. Calling /usr/bin/apache2 directly will not
> #   work with the default configuration.
> 
> 
> # Global configuration
> #
> 
> #
> # ServerRoot: The top of the directory tree under which the server's
> # configuration, error, and log files are kept.
> #
> # NOTE!  If you intend to place this on an NFS (or otherwise network)
> # mounted filesystem then please read the Mutex documentation (available
> # at <URL:http://httpd.apache.org/docs/2.4/mod/core.html#mutex>);
> # you will save yourself a lot of trouble.
> #
> # Do NOT add a slash at the end of the directory path.
> #
> #ServerRoot "/etc/apache2"
> 
> #
> # The accept serialization lock file MUST BE STORED ON A LOCAL DISK.
> #
> Mutex file:${APACHE_LOCK_DIR} default
> 
> #
> # PidFile: The file in which the server should record its process
> # identification number when it starts.
> # This needs to be set in /etc/apache2/envvars
> #
> PidFile ${APACHE_PID_FILE}
> 
> #
> # Timeout: The number of seconds before receives and sends time out.
> #
> Timeout 300
> 
> #
> # KeepAlive: Whether or not to allow persistent connections (more than
> # one request per connection). Set to "Off" to deactivate.
> #
> KeepAlive On
> 
> #
> # MaxKeepAliveRequests: The maximum number of requests to allow
> # during a persistent connection. Set to 0 to allow an unlimited amount.
> # We recommend you leave this number high, for maximum performance.
> #
> MaxKeepAliveRequests 100
> 
> #
> # KeepAliveTimeout: Number of seconds to wait for the next request from the
> # same client on the same connection.
> #
> KeepAliveTimeout 5
> 
> 
> # These need to be set in /etc/apache2/envvars
> User ${APACHE_RUN_USER}
> Group ${APACHE_RUN_GROUP}
> 
> #
> # HostnameLookups: Log the names of clients or just their IP addresses
> # e.g., www.apache.org (on) or 204.62.129.132 (off).
> # The default is off because it'd be overall better for the net if people
> # had to knowingly turn this feature on, since enabling it means that
> # each client request will result in AT LEAST one lookup request to the
> # nameserver.
> #
> HostnameLookups Off
> 
> # ErrorLog: The location of the error log file.
> # If you do not specify an ErrorLog directive within a <VirtualHost>
> # container, error messages relating to that virtual host will be
> # logged here.  If you *do* define an error logfile for a <VirtualHost>
> # container, that host's errors will be logged there and not here.
> #
> ErrorLog ${APACHE_LOG_DIR}/error.log
> 
> #
> # LogLevel: Control the severity of messages logged to the error_log.
> # Available values: trace8, ..., trace1, debug, info, notice, warn,
> # error, crit, alert, emerg.
> # It is also possible to configure the log level for particular modules, e.g.
> # "LogLevel info ssl:warn"
> #
> LogLevel warn
> 
> # Include module configuration:
> IncludeOptional mods-enabled/*.load
> IncludeOptional mods-enabled/*.conf
> 
> # Include list of ports to listen on
> Include ports.conf
> 
> 
> # Sets the default security model of the Apache2 HTTPD server. It does
> # not allow access to the root filesystem outside of /usr/share and /var/www.
> # The former is used by web applications packaged in Debian,
> # the latter may be used for local directories served by the web server. If
> # your system is serving content from a sub-directory in /srv you must allow
> # access here, or in any related virtual host.
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Require all denied
> </Directory>
> 
> <Directory /usr/share>
>     AllowOverride None
>     Require all granted
> </Directory>
> 
> <Directory /var/www/>
>     Options Indexes FollowSymLinks
>     AllowOverride None
>     Require all granted
> </Directory>
> 
> #<Directory /srv/>
> # Options Indexes FollowSymLinks
> # AllowOverride None
> # Require all granted
> #</Directory>
> 
> 
> 
> 
> # AccessFileName: The name of the file to look for in each directory
> # for additional configuration directives.  See also the AllowOverride
> # directive.
> #
> AccessFileName .htaccess
> 
> #
> # The following lines prevent .htaccess and .htpasswd files from being
> # viewed by Web clients.
> #
> <FilesMatch "^\.ht">
>     Require all denied
> </FilesMatch>
> 
> 
> #
> # The following directives define some format nicknames for use with
> # a CustomLog directive.
> #
> # These deviate from the Common Log Format definitions in that they use %O
> # (the actual bytes sent including headers) instead of %b (the size of the
> # requested file), because the latter makes it impossible to detect partial
> # requests.
> #
> # Note that the use of %{X-Forwarded-For}i instead of %h is not recommended.
> # Use mod_remoteip instead.
> #
> LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
> LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
> LogFormat "%h %l %u %t \"%r\" %>s %O" common
> LogFormat "%{Referer}i -> %U" referer
> LogFormat "%{User-agent}i" agent
> 
> # Include of directories ignores editors' and dpkg's backup files,
> # see README.Debian for details.
> 
> # Include generic snippets of statements
> IncludeOptional conf-enabled/*.conf
> 
> # Include the virtual host configurations:
> IncludeOptional sites-enabled/*.conf
> 
> # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

default-ssl.conf:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        <IfModule mod_headers.c>Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"</IfModule>

        DocumentRoot /var/www

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/apache.key

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        #   SSLCertificateFile  /etc/ssl/certs/ssl-cert-snakeoil.pem
        #   SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
        #   concatenation of PEM encoded CA certificates which form the
        #   certificate chain for the server certificate. Alternatively
        #   the referenced file can be the same as SSLCertificateFile
        #   when the CA certificates are directly appended to the server
        #   certificate for convinience.
        #SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

        #   Certificate Authority (CA):
        #   Set the CA certificate verification path where to find CA
        #   certificates for client authentication or alternatively one
        #   huge file containing all of them (file must be PEM encoded)
        #   Note: Inside SSLCACertificatePath you need hash symlinks
        #        to point to the certificate files. Use the provided
        #        Makefile to update the hash symlinks after changes.
        #SSLCACertificatePath /etc/ssl/certs/
        #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

        #   Certificate Revocation Lists (CRL):
        #   Set the CA revocation path where to find CA CRLs for client
        #   authentication or alternatively one huge file containing all
        #   of them (file must be PEM encoded)
        #   Note: Inside SSLCARevocationPath you need hash symlinks
        #        to point to the certificate files. Use the provided
        #        Makefile to update the hash symlinks after changes.
        #SSLCARevocationPath /etc/apache2/ssl.crl/
        #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

        #   Client Authentication (Type):
        #   Client certificate verification type and depth.  Types are
        #   none, optional, require and optional_no_ca.  Depth is a
        #   number which specifies how deeply to verify the certificate
        #   issuer chain before deciding the certificate is not valid.
        #SSLVerifyClient require
        #SSLVerifyDepth  10

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #    Translate the client X.509 into a Basic Authorisation.  This means that
        #    the standard Auth/DBMAuth methods can be used for access control.  The
        #    user name is the `one line' version of the client's X.509 certificate.
        #    Note that no password is obtained from the user. Every entry in the user
        #    file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #    This exports two additional environment variables: SSL_CLIENT_CERT and
        #    SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #    server (always existing) and the client (only existing when client
        #    authentication is used). This can be used to import the certificates
        #    into CGI scripts.
        #   o StdEnvVars:
        #    This exports the standard SSL/TLS related `SSL_*' environment variables.
        #    Per default this exportation is switched off for performance reasons,
        #    because the extraction step is an expensive operation and is usually
        #    useless for serving static content. So one usually enables the
        #    exportation for CGI and SSI requests only.
        #   o OptRenegotiate:
        #    This enables optimized SSL connection renegotiation handling when SSL
        #    directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #    This forces an unclean shutdown when the connection is closed, i.e. no
        #    SSL close notify alert is send or allowed to received.  This violates
        #    the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #    this when you receive I/O errors because of the standard approach where
        #    mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #    This forces an accurate shutdown when the connection is closed, i.e. a
        #    SSL close notify alert is send and mod_ssl waits for the close notify
        #    alert of the client. This is 100% SSL/TLS standard compliant, but in
        #    practice often causes hanging connections with brain-dead browsers. Use
        #    this only for browsers where you know that their SSL implementation
        #    works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

    </VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Hope someone can help! :)

Answer 1

 Syntax error on line 4 of /etc/apache2/sites-enabled/default-ssl.conf: <IfModule takes one argument

This is line 4

<IfModule mod_headers.c>Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"</IfModule>

I think you need to split it up so that each directive is on its own line.
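
Apache reads the rest of an opening-tag line as that section's arguments, which is why a one-line `<IfModule>` block fails configtest with "takes one argument". The script below is an added example (not from the original post or the answer) that flags such lines in a config file; the function names and the sample file are constructed for illustration, and it assumes no `>` appears inside a quoted tag argument.

```shell
#!/bin/sh
# Added example: flag Apache section tags that share a line with other content.
# Each opening tag (<IfModule ...>), each directive and each closing tag
# needs its own line; the sample below is constructed from the question.

# Prints "file:line:text" per offending line; exit status 0 if any were found.
find_inline_sections() {
    awk '
        BEGIN {
            # opening tag followed by more text on the same line
            open_re  = "^[ \t]*<[A-Za-z][^>]*>[ \t]*[^ \t]"
            # closing tag preceded by other text on the same line
            close_re = "[^ \t][ \t]*</[A-Za-z]+>[ \t]*$"
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        $0 ~ open_re || $0 ~ close_re {
            printf "%s:%d:%s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$@"
}

# Constructed sample: line 4 reproduces the question's one-line <IfModule>.
write_sample() {
    cat > "$1" <<'EOF'
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        <IfModule mod_headers.c>Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"</IfModule>
        # <IfModule x>commented out</IfModule>
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
    </VirtualHost>
</IfModule>
EOF
}

# Demo: prints the one offending line (line 4 of the constructed sample).
demo_file=$(mktemp)
write_sample "$demo_file"
find_inline_sections "$demo_file"
rm -f "$demo_file"
# After splitting the line, re-run "apache2ctl configtest" before restarting.
```

Once the tag, the `Header` directive and the closing tag are on three separate lines, the script reports nothing for that file.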
