我已经安装了 apache2 和 OpenSSL
我是这样安装 OpenSSL 的:
sudo a2enmod ssl
sudo mkdir /etc/apache2/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt
sudo chmod 600 /etc/apache2/ssl/*
sudo nano /etc/apache2/sites-enabled/***.ru.conf
配置文件后
文件:/etc/apache2/sites-enabled/***.ru.conf
<VirtualHost *:80>
ServerAdmin office@***.eu
ServerName ***.ru
ServerAlias www.***.ru
DocumentRoot /var/www/***.ru/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerAdmin office@***.eu
ServerName ***.ru:443
ServerAlias www.***.ru
DocumentRoot /var/www/***.ru/public_html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile "/etc/apache2/ssl/apache.crt"
SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"
</VirtualHost>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
并重新启动
sudo /etc/init.d/apache2 restart
我可以使用 http 成功调用域名。但使用 https 时,我收到“连接被拒绝”
我能做些什么?
更新 1:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 21766/apache2
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 12556/rpcbind
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21766/apache2
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 402/sshd
tcp6 0 0 :::111 :::* LISTEN 12556/rpcbind
udp 0 0 0.0.0.0:859 0.0.0.0:* 12556/rpcbind
udp 0 0 0.0.0.0:111 0.0.0.0:* 12556/rpcbind
udp6 0 0 :::859 :::* 12556/rpcbind
udp6 0 0 :::111 :::* 12556/rpcbind
更新 2:
● apache2.service - LSB: Apache2 web server
Loaded: loaded (/etc/init.d/apache2)
Drop-In: /lib/systemd/system/apache2.service.d
└─forking.conf
Active: active (running) since Mon 2017-09-04 22:21:51 CEST; 32min ago
Process: 21728 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
Process: 21752 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)
CGroup: /system.slice/apache2.service
├─21766 /usr/sbin/apache2 -k start
├─21769 /usr/sbin/apache2 -k start
├─21794 /usr/sbin/apache2 -k start
└─21795 /usr/sbin/apache2 -k start
Sep 04 22:21:50 86piub systemd[1]: Starting LSB: Apache2 web server...
Sep 04 22:21:51 86piub apache2[21752]: Starting web server: apache2.
Sep 04 22:21:51 86piub systemd[1]: Started LSB: Apache2 web server.
更新 3:
[Mon Sep 04 21:06:04.445632 2017] [mpm_prefork:notice] [pid 20572] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Sep 04 21:06:04.445676 2017] [core:notice] [pid 20572] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:16:36.199232 2017] [mpm_prefork:notice] [pid 20572] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:16:37.326606 2017] [mpm_prefork:notice] [pid 20736] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Sep 04 21:16:37.326652 2017] [core:notice] [pid 20736] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:19:56.402621 2017] [mpm_prefork:notice] [pid 20736] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:19:57.547091 2017] [mpm_prefork:notice] [pid 20815] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:19:57.547136 2017] [core:notice] [pid 20815] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:28:37.135554 2017] [mpm_prefork:notice] [pid 20815] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:36:24.963288 2017] [ssl:warn] [pid 21088] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:24.992551 2017] [ssl:warn] [pid 21089] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:24.993230 2017] [mpm_prefork:notice] [pid 21089] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:36:24.993245 2017] [core:notice] [pid 21089] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:36:42.013201 2017] [mpm_prefork:notice] [pid 21089] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:36:43.125758 2017] [ssl:warn] [pid 21140] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:43.150716 2017] [ssl:warn] [pid 21141] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:43.151416 2017] [mpm_prefork:notice] [pid 21141] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:36:43.151450 2017] [core:notice] [pid 21141] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:37:42.229356 2017] [mpm_prefork:notice] [pid 21141] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:37:43.345401 2017] [ssl:warn] [pid 21195] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:37:43.371558 2017] [ssl:warn] [pid 21196] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:37:43.372641 2017] [mpm_prefork:notice] [pid 21196] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:37:43.372667 2017] [core:notice] [pid 21196] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:40:15.942263 2017] [mpm_prefork:notice] [pid 21196] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:40:17.047285 2017] [ssl:warn] [pid 21288] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:40:17.071700 2017] [ssl:warn] [pid 21289] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:40:17.072403 2017] [mpm_prefork:notice] [pid 21289] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:40:17.072419 2017] [core:notice] [pid 21289] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:51:43.059740 2017] [mpm_prefork:notice] [pid 21289] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:51:44.171087 2017] [ssl:warn] [pid 21424] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:51:44.198683 2017] [ssl:warn] [pid 21425] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:51:44.199380 2017] [mpm_prefork:notice] [pid 21425] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:51:44.199404 2017] [core:notice] [pid 21425] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 22:13:38.102014 2017] [mpm_prefork:notice] [pid 21425] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 22:13:39.213574 2017] [ssl:warn] [pid 21646] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:13:39.240219 2017] [ssl:warn] [pid 21647] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:13:39.240929 2017] [mpm_prefork:notice] [pid 21647] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 22:13:39.240948 2017] [core:notice] [pid 21647] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 22:21:49.629640 2017] [mpm_prefork:notice] [pid 21647] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 22:21:50.728557 2017] [ssl:warn] [pid 21765] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:21:50.751995 2017] [ssl:warn] [pid 21766] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:21:50.752633 2017] [mpm_prefork:notice] [pid 21766] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 22:21:50.752650 2017] [core:notice] [pid 21766] AH00094: Command line: '/usr/sbin/apache2'
更新 4:
openssl s_client -connect ***.ru:443 -tls1 -servername ***.ru | openssl x509 -text -noout
告诉我
connect: Connection refused
connect:errno=111
unable to load certificate
140019880523408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
答案1
因此,您的问题是您的 SSL 证书被解释为 CA 证书,而不是用作服务器的证书。 解决此问题的简单方法是生成 CA 证书并使用它来创建服务器的证书:
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=IP-OR-DOMAIN-HERE" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -days 10000
然后您可以将生成的server.crt
和server.key
用于 Apache。
然而,请注意您使用的是自签名证书。考虑到可以获得受信任的证书自由的如今,我强烈建议你研究一下Certbot。