我刚刚尝试在我的 Apache 上开始使用 letsencrypt 证书。
- 已添加到我的
/usr/local/directadmin/conf/directadmin.conf
行letsencrypt=1
/usr/local/directadmin/conf/directadmin.conf
在我的行中编辑enable_ssl_sni=1
- 然后:
cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt
./build rewrite_confs
我得到了错误的结果:
Checking to ensure /etc/httpd/conf/ssl.crt/server.ca is set.
Using 193.107.90.129 for your server IP
Installation of ModSecurity Rule Set has been finished.
Restarting apache.
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
我有:
CentOS Linux 版本 7.7.1908(核心)
服务器版本:Apache/2.4.25 (Unix)
OpenSSL 1.0.2k-fips
系统控制状态httpd.service says
● httpd.service - The Apache HTTP Server
Loaded: loaded (/etc/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sun 2020-04-05 23:23:06 CEST; 2s ago
Process: 24927 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 24926 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 24926 (code=exited, status=1/FAILURE)
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: Starting The Apache HTTP Server...
Apr 05 23:23:06 vps.kustransport.kylos.net.pl httpd[24926]: AH00526: Syntax error on line 243 of /etc/httpd/conf/extra/httpd-ssl.conf:
Apr 05 23:23:06 vps.kustransport.kylos.net.pl httpd[24926]: Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 05 23:23:06 vps.kustransport.kylos.net.pl kill[24927]: kill: cannot find process ""
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: Failed to start The Apache HTTP Server.
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: Unit httpd.service entered failed state.
Apr 05 23:23:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service failed.
除了journalctl -xe
最后两行之外,其他都基本相同:
-- Unit httpd.service has begun starting up.
Apr 05 23:24:06 vps.kustransport.kylos.net.pl httpd[25033]: AH00526: Syntax error on line 243 of /etc/httpd/conf/extra/httpd-ssl.conf:
Apr 05 23:24:06 vps.kustransport.kylos.net.pl httpd[25033]: Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
Apr 05 23:24:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Apr 05 23:24:06 vps.kustransport.kylos.net.pl kill[25034]: kill: cannot find process ""
Apr 05 23:24:06 vps.kustransport.kylos.net.pl systemd[1]: httpd.service: control process exited, code=exited status=1
Apr 05 23:24:06 vps.kustransport.kylos.net.pl systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
最后两行:
Apr 05 23:24:09 vps.kustransport.kylos.net.pl kernel: Firewall: *UDP_IN Blocked* IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:52:54:00:22:de:69:08:00 SRC=193.107.89.52 DST=255.255.255.255 LEN=68 TOS=0x00 PRE
Apr 05 23:24:13 vps.kustransport.kylos.net.pl kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= MAC=00:16:3c:af:2d:c5:00:d0:04:94:38:00:08:00 SRC=185.175.93.105 DST=193.107.90.129 LEN=40 TOS=0x00 PRE
“坏”的那行/etc/httpd/conf/extra/httpd-ssl.conf
看上去不错,就像:
SSLOpenSSLConfCmd DHParameters "/etc/httpd/conf/ssl.crt/dhparams.pem"
我还发现/etc/httpd/conf/extra/httpd-ssl.conf
我有:
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/var/www/html"
ServerName www.example.com:443
ServerAdmin [email protected]
ErrorLog /var/log/httpd/error_log
TransferLog /var/log/httpd/access_log
当我为我的域设置 ServerName 时,每次我执行“./build update”时,它都会更改为上面的内容。但是,当我手动更改并重新启动时,问题是一样的。
此外tail /var/log/httpd/error_log
:
[Mon Apr 06 00:55:02.001888 2020] [ssl:warn] [pid 25965:tid 139892334979200] AH01909: localhost:443:0 server certificate does NOT include an ID which matches the server name
[Mon Apr 06 00:55:02.002157 2020] [suexec:notice] [pid 25965:tid 139892334979200] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 06 00:55:02.002177 2020] [core:emerg] [pid 25965:tid 139892334979200] (28)No space left on device: AH00023: Couldn't create the rewrite-map mutex
AH00016: Configuration Failed
答案1
参数描述如下mod_ssl 文档您的 httpd 服务器版本和 ssl 版本似乎均支持:
Description: Configure OpenSSL parameters through its SSL_CONF API
Syntax: SSLOpenSSLConfCmd command-name command-value
Context: server config, virtual host
Status: Extension
Module: mod_ssl
Compatibility: Available in httpd 2.4.8 and later, if using OpenSSL 1.0.2 or later
确保 mod_ssl 已启用:
a2enmod ssl
如果通过发出上一个命令收到错误,请安装 httpd ssl 模块:
yum install mod_ssl