EC2-安装 mod_ssl 后,httpd 服务未与 443 vhosts 一起运行

EC2-安装 mod_ssl 后,httpd 服务未与 443 vhosts 一起运行

mod_ssl我在 AWS EC2 实例上遇到了配置问题

sudo service httpd restart看来我安装后无法通过 httpd 服务运行mod24_ssl。我没有语法错误,只是FAILED在尝试重新启动 httpd 时有响应:

[ec2]$ sudo service httpd restart
Stopping httpd:    [FAILED]
Starting httpd:    [FAILED]

.conf我注意到,当我从自定义文件中删除 443 个 vhosts 的配置时,ssl.conf文件中的所有东西都运行正常

我已经验证我有默认指定localhost.crtlocalhost.keyssl.conf

在我安装该mod24_ssl软件包之前,这些虚拟主机运行正常,我只收到如下错误“SSL 收到的记录超出了最大允许长度”,根据我找到的几个主题,可以通过安装 mod_ssl 来修复

我正在尝试使用有效的 SSL 配置来通过 https 访问本地地址,但它是否真的能与签名良好的证书一起工作并不重要。

答案1

根据要求,这是我的 apache 配置文件:

/etc/httpd/conf/httpd.conf(由 AWS 服务自动生成)

ServerRoot "/etc/httpd"

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@localhost

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"

LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types

    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

IncludeOptional conf.d/*.conf

/etc/httpd/conf.modules.d/00-ssl.conf(通过安装mod24_ssl包创建)

LoadModule ssl_module modules/mod_ssl.so

/etc/httpd/conf.d/ssl.conf(通过安装mod24_ssl包创建)

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>

    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLEngine on
    SSLProtocol all -SSLv3
    SSLProxyProtocol all -SSLv3
    SSLHonorCipherOrder on
    #SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    #SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
    #SSLVerifyClient require
    #SSLVerifyDepth  10
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

有了这个配置,httpd服务就无法启动,但如果我删除该<VirtualHost _default_:443>部分,它就可以完美启动。


最后,我查看了我的日志文件/var/log/httpd/error_log,当我尝试启动httpd服务时唯一出现的内容是:

AH00016: Configuration Failed

没有更多信息

谢谢你的帮助!

答案2

我刚刚发现另一个日志文件显然提供了更多信息:

[Wed Jun 12 08:31:42.263711 2019] [ssl:emerg] [pid 16968] AH02565: Certificate and private key ip-xx-xx-xx-xx.eu-west-3.compute.internal:443:0 from /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key do not match

答案3

我终于解决了我的问题!

根据日志错误消息,我找到了一个生成有效证书的解决方案,使用以下命令:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt

最初我按照这篇文章在我的 EC2 实例上设置 SSL:https://docs.aws.amazon.com/fr_fr/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html

在本文中,创建证书的步骤告诉使用以下命令:

cd /etc/pki/tls/certs
sudo make-dummy-cert localhost.crt

但似乎不起作用(不再至少)

再次感谢您的帮助,昨天我太沮丧了,完全忘记了简单地查阅日志......

相关内容