安装后 SSL 连接被拒绝

2024-5-31 • tag-icon

我已经安装了 apache2 和 OpenSSL

我是这样安装 OpenSSL 的：

sudo a2enmod ssl

sudo mkdir /etc/apache2/ssl

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

sudo chmod 600 /etc/apache2/ssl/*

sudo nano /etc/apache2/sites-enabled/***.ru.conf

配置文件后

文件：/etc/apache2/sites-enabled/***.ru.conf

<VirtualHost *:80>

    ServerAdmin office@***.eu
    ServerName ***.ru
    ServerAlias www.***.ru
    DocumentRoot /var/www/***.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
<VirtualHost *:443>

    ServerAdmin office@***.eu
    ServerName ***.ru:443
    ServerAlias www.***.ru
    DocumentRoot /var/www/***.ru/public_html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile "/etc/apache2/ssl/apache.crt"
    SSLCertificateKeyFile "/etc/apache2/ssl/apache.key"

</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

并重新启动

sudo /etc/init.d/apache2 restart

我可以使用 http 成功调用域名。但使用 https 时，我收到“连接被拒绝”

我能做些什么？

更新 1：

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      21766/apache2
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      12556/rpcbind
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      21766/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      402/sshd
tcp6       0      0 :::111                  :::*                    LISTEN      12556/rpcbind
udp        0      0 0.0.0.0:859             0.0.0.0:*                           12556/rpcbind
udp        0      0 0.0.0.0:111             0.0.0.0:*                           12556/rpcbind
udp6       0      0 :::859                  :::*                                12556/rpcbind
udp6       0      0 :::111                  :::*                                12556/rpcbind

更新 2：

● apache2.service - LSB: Apache2 web server
   Loaded: loaded (/etc/init.d/apache2)
  Drop-In: /lib/systemd/system/apache2.service.d
           └─forking.conf
   Active: active (running) since Mon 2017-09-04 22:21:51 CEST; 32min ago
  Process: 21728 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
  Process: 21752 ExecStart=/etc/init.d/apache2 start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/apache2.service
           ├─21766 /usr/sbin/apache2 -k start
           ├─21769 /usr/sbin/apache2 -k start
           ├─21794 /usr/sbin/apache2 -k start
           └─21795 /usr/sbin/apache2 -k start

Sep 04 22:21:50 86piub systemd[1]: Starting LSB: Apache2 web server...
Sep 04 22:21:51 86piub apache2[21752]: Starting web server: apache2.
Sep 04 22:21:51 86piub systemd[1]: Started LSB: Apache2 web server.

更新 3：

[Mon Sep 04 21:06:04.445632 2017] [mpm_prefork:notice] [pid 20572] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Sep 04 21:06:04.445676 2017] [core:notice] [pid 20572] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:16:36.199232 2017] [mpm_prefork:notice] [pid 20572] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:16:37.326606 2017] [mpm_prefork:notice] [pid 20736] AH00163: Apache/2.4.10 (Debian) configured -- resuming normal operations
[Mon Sep 04 21:16:37.326652 2017] [core:notice] [pid 20736] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:19:56.402621 2017] [mpm_prefork:notice] [pid 20736] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:19:57.547091 2017] [mpm_prefork:notice] [pid 20815] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:19:57.547136 2017] [core:notice] [pid 20815] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:28:37.135554 2017] [mpm_prefork:notice] [pid 20815] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:36:24.963288 2017] [ssl:warn] [pid 21088] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:24.992551 2017] [ssl:warn] [pid 21089] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:24.993230 2017] [mpm_prefork:notice] [pid 21089] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:36:24.993245 2017] [core:notice] [pid 21089] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:36:42.013201 2017] [mpm_prefork:notice] [pid 21089] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:36:43.125758 2017] [ssl:warn] [pid 21140] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:43.150716 2017] [ssl:warn] [pid 21141] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:36:43.151416 2017] [mpm_prefork:notice] [pid 21141] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:36:43.151450 2017] [core:notice] [pid 21141] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:37:42.229356 2017] [mpm_prefork:notice] [pid 21141] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:37:43.345401 2017] [ssl:warn] [pid 21195] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:37:43.371558 2017] [ssl:warn] [pid 21196] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:37:43.372641 2017] [mpm_prefork:notice] [pid 21196] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:37:43.372667 2017] [core:notice] [pid 21196] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:40:15.942263 2017] [mpm_prefork:notice] [pid 21196] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:40:17.047285 2017] [ssl:warn] [pid 21288] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:40:17.071700 2017] [ssl:warn] [pid 21289] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:40:17.072403 2017] [mpm_prefork:notice] [pid 21289] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:40:17.072419 2017] [core:notice] [pid 21289] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 21:51:43.059740 2017] [mpm_prefork:notice] [pid 21289] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 21:51:44.171087 2017] [ssl:warn] [pid 21424] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:51:44.198683 2017] [ssl:warn] [pid 21425] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 21:51:44.199380 2017] [mpm_prefork:notice] [pid 21425] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 21:51:44.199404 2017] [core:notice] [pid 21425] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 22:13:38.102014 2017] [mpm_prefork:notice] [pid 21425] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 22:13:39.213574 2017] [ssl:warn] [pid 21646] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:13:39.240219 2017] [ssl:warn] [pid 21647] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:13:39.240929 2017] [mpm_prefork:notice] [pid 21647] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 22:13:39.240948 2017] [core:notice] [pid 21647] AH00094: Command line: '/usr/sbin/apache2'
[Mon Sep 04 22:21:49.629640 2017] [mpm_prefork:notice] [pid 21647] AH00169: caught SIGTERM, shutting down
[Mon Sep 04 22:21:50.728557 2017] [ssl:warn] [pid 21765] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:21:50.751995 2017] [ssl:warn] [pid 21766] AH01906: ***.ru:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Mon Sep 04 22:21:50.752633 2017] [mpm_prefork:notice] [pid 21766] AH00163: Apache/2.4.10 (Debian) OpenSSL/1.0.1t configured -- resuming normal operations
[Mon Sep 04 22:21:50.752650 2017] [core:notice] [pid 21766] AH00094: Command line: '/usr/sbin/apache2'

更新 4：

openssl s_client -connect ***.ru:443 -tls1 -servername ***.ru | openssl x509 -text -noout

告诉我

connect: Connection refused
connect:errno=111
unable to load certificate
140019880523408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE

答案1

因此，您的问题是您的 SSL 证书被解释为 CA 证书，而不是用作服务器的证书。解决此问题的简单方法是生成 CA 证书并使用它来创建服务器的证书：

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -days 10000 -out ca.crt
openssl genrsa -out server.key 2048
openssl req -new -key server.key -subj "/CN=IP-OR-DOMAIN-HERE" -out server.csr
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -out server.crt -days 10000

然后您可以将生成的server.crt和server.key用于 Apache。

然而，请注意您使用的是自签名证书。考虑到可以获得受信任的证书自由的如今，我强烈建议你研究一下Certbot。

答案1

相关内容