EC2-安装 mod_ssl 后，httpd 服务未与 443 vhosts 一起运行

Question 1

根据要求，这是我的 apache 配置文件：

/etc/httpd/conf/httpd.conf（由 AWS 服务自动生成）

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

IncludeOptional conf.d/*.conf

/etc/httpd/conf.modules.d/00-ssl.conf（通过安装mod24_ssl包创建）

LoadModule ssl_module modules/mod_ssl.so

/etc/httpd/conf.d/ssl.conf（通过安装mod24_ssl包创建）

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    SSLHonorCipherOrder on
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    #SSLVerifyClient require
    #SSLVerifyDepth  10
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

有了这个配置，httpd服务就无法启动，但如果我删除该<VirtualHost _default_:443>部分，它就可以完美启动。

最后，我查看了我的日志文件/var/log/httpd/error_log，当我尝试启动httpd服务时唯一出现的内容是：

AH00016: Configuration Failed

没有更多信息

谢谢你的帮助！

Answer

根据要求，这是我的 apache 配置文件：

/etc/httpd/conf/httpd.conf（由 AWS 服务自动生成）

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

IncludeOptional conf.d/*.conf

/etc/httpd/conf.modules.d/00-ssl.conf（通过安装mod24_ssl包创建）

LoadModule ssl_module modules/mod_ssl.so

/etc/httpd/conf.d/ssl.conf（通过安装mod24_ssl包创建）

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    SSLHonorCipherOrder on
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    #SSLVerifyClient require
    #SSLVerifyDepth  10
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

有了这个配置，httpd服务就无法启动，但如果我删除该<VirtualHost _default_:443>部分，它就可以完美启动。

最后，我查看了我的日志文件/var/log/httpd/error_log，当我尝试启动httpd服务时唯一出现的内容是：

AH00016: Configuration Failed

没有更多信息

谢谢你的帮助！

Question 2

我刚刚发现另一个日志文件显然提供了更多信息：

[Wed Jun 12 08:31:42.263711 2019] [ssl:emerg] [pid 16968] AH02565: Certificate and private key ip-xx-xx-xx-xx.eu-west-3.compute.internal:443:0 from /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key do not match

Answer

我刚刚发现另一个日志文件显然提供了更多信息：

[Wed Jun 12 08:31:42.263711 2019] [ssl:emerg] [pid 16968] AH02565: Certificate and private key ip-xx-xx-xx-xx.eu-west-3.compute.internal:443:0 from /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key do not match

Question 3

我终于解决了我的问题！

根据日志错误消息，我找到了一个生成有效证书的解决方案，使用以下命令：

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt

最初我按照这篇文章在我的 EC2 实例上设置 SSL：https://docs.aws.amazon.com/fr_fr/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html

在本文中，创建证书的步骤告诉使用以下命令：

cd /etc/pki/tls/certs
sudo make-dummy-cert localhost.crt

但似乎不起作用（不再至少）

再次感谢您的帮助，昨天我太沮丧了，完全忘记了简单地查阅日志......

Answer

我终于解决了我的问题！

根据日志错误消息，我找到了一个生成有效证书的解决方案，使用以下命令：

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt

最初我按照这篇文章在我的 EC2 实例上设置 SSL：https://docs.aws.amazon.com/fr_fr/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html

在本文中，创建证书的步骤告诉使用以下命令：

cd /etc/pki/tls/certs
sudo make-dummy-cert localhost.crt

但似乎不起作用（不再至少）

再次感谢您的帮助，昨天我太沮丧了，完全忘记了简单地查阅日志......

EC2-安装 mod_ssl 后，httpd 服务未与 443 vhosts 一起运行

答案1

答案2

答案3

我终于解决了我的问题！

相关内容