我正在尝试安装从第三方购买的证书。日志中收到以下错误,没有其他错误。我找不到类似的解决方案,并且 SSL 站点无法访问。
服务器环境
服务器版本:Apache/2.4.6 (CentOS) 服务器建立时间:2019 年 4 月 24 日 13:45:48
以下是我的配置文件
/etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt
SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
/etc/httpd/sites-available/abc.com.conf
<VirtualHost abc.com:80>
ServerName abc.com
ServerAlias www.abc.com
DocumentRoot /var/www/html/yangmao/public
ErrorLog /var/www/html/log/error.log
CustomLog /var/www/html/log/requests.log combined
<Directory "/var/www/html/yangmao/public">
Allowoverride All
</Directory>
</VirtualHost>
<VirtualHost abc.com:443>
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM
SSLHonorCipherOrder on
SSLCertificateFile /var/www/html/cert/2246172_abc.com_public.crt
SSLCertificateKeyFile /var/www/html/cert/2246172_abc.com.key
SSLCertificateChainFile /var/www/html/cert/2246172_abc.com_chain.crt
ServerName abc.com
ServerAlias www.abc.com
DocumentRoot /var/www/html/yangmao/public
ErrorLog /var/www/html/log/error.log
CustomLog /var/www/html/log/requests.log combined
<Directory "/var/www/html/yangmao/public">
Allowoverride All
</Directory>
</VirtualHost>
更新
/etc/httpd/log/error_log 中的信息
[Thu May 23 01:43:24.475306 2019] [mpm_event:notice] [pid 4036:tid 139917334841472] AH00492: caught SIGWINCH, shutting down gracefully
[Thu May 23 01:43:25.588508 2019] [suexec:notice] [pid 4357:tid 140179837872256] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 23 01:43:25.589750 2019] [ssl:warn] [pid 4357:tid 140179837872256] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 23 01:43:25.653936 2019] [auth_digest:notice] [pid 4357:tid 140179837872256] AH01757: generating secret for digest authentication ...
[Thu May 23 01:43:25.654491 2019] [lbmethod_heartbeat:notice] [pid 4357:tid 140179837872256] AH02282: No slotmem from mod_heartmonitor
[Thu May 23 01:43:25.655781 2019] [ssl:warn] [pid 4357:tid 140179837872256] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Thu May 23 01:43:25.720059 2019] [mpm_event:notice] [pid 4357:tid 140179837872256] AH00489: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.18 configured -- resuming normal operations
[Thu May 23 01:43:25.720096 2019] [core:notice] [pid 4357:tid 140179837872256] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
/etc/httpd/log/ssl_error_log 中的信息
[Thu May 23 01:43:25.588891 2019] [ssl:info] [pid 4357:tid 140179837872256] AH02200: Loading certificate & private key of SSL-aware server 'abc.com:443'
[Thu May 23 01:43:25.589012 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 23 01:43:25.589423 2019] [ssl:info] [pid 4357:tid 140179837872256] AH01914: Configuring server abc.com:443 for SSL protocol
[Thu May 23 01:43:25.589581 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Thu May 23 01:43:25.589587 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 23 01:43:25.589591 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu May 23 01:43:25.589670 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_util_ssl.c(495): AH02412: [abc.com:443] Cert matches for name 'abc.com' [subject: CN=abc.com / iss$
[Thu May 23 01:43:25.589676 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Thu May 23 01:43:25.654838 2019] [ssl:info] [pid 4357:tid 140179837872256] AH02200: Loading certificate & private key of SSL-aware server 'abc.com:443'
[Thu May 23 01:43:25.654954 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Thu May 23 01:43:25.655470 2019] [ssl:info] [pid 4357:tid 140179837872256] AH01914: Configuring server abc.com:443 for SSL protocol
[Thu May 23 01:43:25.655623 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Thu May 23 01:43:25.655630 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Thu May 23 01:43:25.655634 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Thu May 23 01:43:25.655704 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_util_ssl.c(495): AH02412: [abc.com:443] Cert matches for name 'abc.com' [subject: CN=abc.com / iss$
[Thu May 23 01:43:25.655710 2019] [ssl:debug] [pid 4357:tid 140179837872256] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
答案1
看来您将证书文件放在了公共 html 目录中:/var/www/html/cert/...
这可能是防止使用此类证书的安全措施。
将证书目录上移一级:
mv /var/www/html/cert /var/www/
设置 apache 用户的可读权限(Ubuntu 和 debian 系统使用用户 www-data)
chown -R apache /var/www/cert
相应地更改配置文件,然后更改虚拟主机配置如下:
<VirtualHost *:443>
...
ServerName abc.com
ServerAlias www.abc.com
...
注意 * 而不是主机名!
然后重新启动 apache:
apachectl graceful
检查 https:// .... 网址。