mod_ssl
我在 AWS EC2 实例上遇到了配置问题
sudo service httpd restart
看来我安装后无法通过 httpd 服务运行mod24_ssl
。我没有语法错误,只是FAILED
在尝试重新启动 httpd 时有响应:
[ec2]$ sudo service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [FAILED]
.conf
我注意到,当我从自定义文件中删除 443 个 vhosts 的配置时,ssl.conf
文件中的所有东西都运行正常
我已经验证我有默认指定localhost.crt
的localhost.key
ssl.conf
在我安装该mod24_ssl
软件包之前,这些虚拟主机运行正常,我只收到如下错误“SSL 收到的记录超出了最大允许长度”,根据我找到的几个主题,可以通过安装 mod_ssl 来修复
我正在尝试使用有效的 SSL 配置来通过 https 访问本地地址,但它是否真的能与签名良好的证书一起工作并不重要。
答案1
根据要求,这是我的 apache 配置文件:
/etc/httpd/conf/httpd.conf
(由 AWS 服务自动生成)
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
AllowOverride None
Require all granted
</Directory>
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
/etc/httpd/conf.modules.d/00-ssl.conf
(通过安装mod24_ssl
包创建)
LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf.d/ssl.conf
(通过安装mod24_ssl
包创建)
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLHonorCipherOrder on
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
#SSLProxyCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
#SSLVerifyClient require
#SSLVerifyDepth 10
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
有了这个配置,httpd
服务就无法启动,但如果我删除该<VirtualHost _default_:443>
部分,它就可以完美启动。
最后,我查看了我的日志文件/var/log/httpd/error_log
,当我尝试启动httpd
服务时唯一出现的内容是:
AH00016: Configuration Failed
没有更多信息
谢谢你的帮助!
答案2
我刚刚发现另一个日志文件显然提供了更多信息:
[Wed Jun 12 08:31:42.263711 2019] [ssl:emerg] [pid 16968] AH02565: Certificate and private key ip-xx-xx-xx-xx.eu-west-3.compute.internal:443:0 from /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key do not match
答案3
我终于解决了我的问题!
根据日志错误消息,我找到了一个生成有效证书的解决方案,使用以下命令:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt
最初我按照这篇文章在我的 EC2 实例上设置 SSL:https://docs.aws.amazon.com/fr_fr/AWSEC2/latest/UserGuide/SSL-on-amazon-linux-2.html
在本文中,创建证书的步骤告诉使用以下命令:
cd /etc/pki/tls/certs
sudo make-dummy-cert localhost.crt
但似乎不起作用(不再至少)
再次感谢您的帮助,昨天我太沮丧了,完全忘记了简单地查阅日志......