配置客户端身份验证后无法启动 Apache 服务器

CentOS 7 |Apache 2.4.6

---

我已经建立了一个私人证书颁发机构（CA）和两个证书（一个用于服务器，一个用于客户端）。

然后，我将 Apache 配置为使用证书 X.509 来应答 HTTPS 连接，一切顺利（我在浏览器中看到了它）。

然后，当我配置客户端身份验证时，重新启动服务器并出现以下错误：

httpd.service 的作业失败，因为控制进程以错误代码退出。有关详细信息，请参阅“systemctl status httpd.service”和“journalctl -xe”。

现在显示“语法正常”，但我仍然无法启动服务器，使用以下命令出现以下错误：

.systemctl 状态 httpd.service

[root@localhost ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2019-05-01 18:35:40 WEST; 2min 3s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 12292 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 12288 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 12288 (code=exited, status=1/FAILURE)

May 01 18:35:37 src_ca systemd[1]: Starting The Apache HTTP Server...
May 01 18:35:40 src_ca systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 18:35:40 src_ca kill[12292]: kill: cannot find process ""
May 01 18:35:40 src_ca systemd[1]: httpd.service: control process exited, code=exited status=1
May 01 18:35:40 src_ca systemd[1]: Failed to start The Apache HTTP Server.
May 01 18:35:40 src_ca systemd[1]: Unit httpd.service entered failed state.
May 01 18:35:40 src_ca systemd[1]: httpd.service failed.

“journalctl-xe”

May 01 18:39:16 src_ca polkitd[2607]: Registered Authentication Agent for unix-process:12474:9099194 (system bus name :1.157 [/usr/bin/pkttyagent --notify-fd 5 --fallba
May 01 18:39:16 src_ca systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
May 01 18:39:18 src_ca systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 18:39:18 src_ca kill[12483]: kill: cannot find process ""
May 01 18:39:18 src_ca systemd[1]: httpd.service: control process exited, code=exited status=1
May 01 18:39:18 src_ca systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
May 01 18:39:18 src_ca systemd[1]: Unit httpd.service entered failed state.
May 01 18:39:18 src_ca systemd[1]: httpd.service failed.
May 01 18:39:18 src_ca polkitd[2607]: Unregistered Authentication Agent for unix-process:12474:9099194 (system bus name :1.157, object path /org/freedesktop/PolicyKit1/

我将在下面介绍我用来配置客户端身份验证的过程。我将在问题的底部留下一些有用的文件。

---

配置客户端身份验证的过程

1. 首先在文件“/etc/httpd/conf.d/ssl.conf”中找到选项“SSLCACertificateFile”：vi +/SSLCACertificateFile /etc/httpd/conf.d/ssl.conf

2. 将路径更新为：/etc/pki/CA/certs/ca.crt

这是 CA 证书的位置。

需要注意的是：客户端的证书位于文件夹 /etc/pki/CA/certs 内。我不确定这是否会在配置客户端身份验证时导致任何问题。(更新：编辑1）

3. 删除了指令“SSLVerifyClient require”上的“#”。

4. 保存更改并退出文件，:wq然后重新启动服务器：systemctl restart httpd

---

调试有用的文件

. “etc/hosts” （添加 IP + 主机）

. “/etc/hostname” （可以使用 来完成hostnamectl set-hostname new-hostname）

“etc/httpd/conf/httpd.conf”

。 “/etc/httpd/conf.d/ssl.conf”

.“/var/log/httpd/错误日志”

[Wed May 01 18:18:13.050768 2019] [core:notice] [pid 11416] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed May 01 18:18:13.053282 2019] [suexec:notice] [pid 11416] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[We May 01 18:18:16.238779 2019] [ssl:emerg] [pid 11416] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information

. “/var/log/httpd/ssl_error_log”

[Wed May 01 18:18:16.238749 2019] [ssl:emerg] [pid 11416] AH01895: Unable to configure verify locations for client authentication