Error configuring Apache2 web server with mod gnutls

The apache2 mod_gnutls HTTPS service actually manages to run successfully, but it keeps returning this error when trying to read the private key from the pkcs11 URL:

[Wed Jan 20 13:26:25.268236 2016] [gnutls:emerg] [pid 5232:tid 140334984677248] GnuTLS: Failed to Re-Import Private Key URL 'pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest2;object-type=private': (-300) PKCS #11 error. 

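Using apache2 2.4.x with mod-gnutls 0.7.2 + gnutls 3.3.x

Operating system: Ubuntu Vivid

Interestingly, it does not return this error for the certificate, only for the private key.

So, any ideas?

Update:

Here is the configuration from mod_gnutls.conf: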

    <IfModule mod_gnutls.c>
      # The default method is to use a DBM backed cache. It's not super fast, but
      # it's portable and doesn't require another server to be running like
      # memcached
      #GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
      #GnuTLSPIN 1234
      GnuTLSCache dbm /var/cache/apache2/gnutls_cache
      # mod_gnutls can optionally use a memcached server to store SSL sessions.
      # This is useful in a cluster environment, where you want all your servers to
      # share a single SSL session cache
      #GnuTLSCache memcache "127.0.0.1 server2.example.com server3.example.com"
      GnuTLSCacheTimeout 600
      <VirtualHost _default_:443>
        DocumentRoot "/var/www/htdocs"
        ServerName localhost
        ServerAdmin [email protected]
        ErrorLog "/var/log/apache2/error_log"
        TransferLog "/var/log/apache2/access_log"
        GnuTLSEnable on
        GnuTLSSessionTickets on
        GnuTLSPriorities NORMAL
        GNUTLSExportCertificates on
        GnuTLSPIN 1234
        GnuTLSCertificateFile pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest;object-type=cert
        GnuTLSKeyFile pkcs11:model=SoftHSM;manufacturer=SoftHSM;serial=1;token=GnuTLS-Test;id=%3e%2d%3d%e4%2b%8b%a0%7c%7c%56%08%95%aa%aa%47%db%15%a2%b9%84;object=GnuTLSTest2;object-type=private
      </VirtualHost>
    </IfModule>

Your pkcs11 library is commented out:

 GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so 

So mod_gnutls cannot read the key on the HSM. You can also uncomment:

 GnuTLSPIN 1234 

Obviously, change it to the PIN you selected.
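
The answer's diagnosis written as a check. This is an added example, not part of the original answer or of mod_gnutls: it scans a config for `pkcs11:` URLs and reports when no uncommented `GnuTLSP11Module` or `GnuTLSPIN` accompanies them. The function names and the shortened sample config are constructed here, and directive scope (server versus virtual host) is ignored.

```python
# Directives from the page's mod_gnutls.conf that may carry a PKCS #11 URL.
# Apache directive names are case-insensitive, so compare in lowercase.
URL_DIRECTIVES = {"gnutlscertificatefile", "gnutlskeyfile"}


def active_directives(conf_text):
    """Yield (line_no, lowercased name, args) for each uncommented directive."""
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments and section tags such as <VirtualHost ...>.
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        yield line_no, parts[0].lower(), parts[1] if len(parts) > 1 else ""


def check_pkcs11_config(conf_text):
    """Return findings for pkcs11: URLs that lack their supporting directives."""
    found = list(active_directives(conf_text))
    names = {name for _, name, _ in found}
    uses = [(no, args) for no, name, args in found
            if name in URL_DIRECTIVES and args.lower().startswith("pkcs11:")]
    findings = []
    if not uses:
        return findings
    lines = ", ".join(str(no) for no, _ in uses)
    if "gnutlsp11module" not in names:
        findings.append(f"pkcs11: URL on line(s) {lines} but no active GnuTLSP11Module")
    # Assumption: private-key objects on the token need a PIN to log in.
    wants_pin = any("object-type=private" in args.lower() for _, args in uses)
    if wants_pin and "gnutlspin" not in names:
        findings.append("private-key pkcs11: URL but no active GnuTLSPIN")
    return findings


# Constructed sample, reduced from the question's config (URLs shortened).
SAMPLE_BROKEN = """\
#GnuTLSP11Module /usr/lib/softhsm/libsofthsm.so
#GnuTLSPIN 1234
<VirtualHost _default_:443>
  GnuTLSEnable on
  GnuTLSPIN 1234
  GnuTLSCertificateFile pkcs11:token=GnuTLS-Test;object=GnuTLSTest;object-type=cert
  GnuTLSKeyFile pkcs11:token=GnuTLS-Test;object=GnuTLSTest2;object-type=private
</VirtualHost>
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("#GnuTLSP11Module", "GnuTLSP11Module", 1)

if __name__ == "__main__":
    for label, conf in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(label, check_pkcs11_config(conf) or "ok")
```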