Can't start httpd 2.4.9 with a self-signed SSL certificate

I can't start httpd 2.4.9 (tried 2.4.x) on CentOS 6.5 with the simplest possible SSL configuration. The OpenSSL version installed on the machine is OpenSSL 1.0.1e-fips 11 Feb 2013 (I have already upgraded to the latest patch release with 'yum update').

I compiled and installed httpd 2.4.9 with the following commands:

    ./configure --enable-ssl --with-ssl=/usr/local/ssl/ --enable-proxy=shared --enable-proxy_wstunnel=shared --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
    make
    make install

Now I generate the default self-signed certificate as described in the CentOS HowTo:

    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    cp server.crt /usr/local/apache2/conf
    cp server.key /usr/local/apache2/conf
    cp server.csr /usr/local/apache2/conf

Here is my httpd-ssl.conf:

    Listen 443
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLPassPhraseDialog builtin
    SSLSessionCache "shmcb:/usr/local/apache2/logs/ssl_scache(512000)"
    SSLSessionCacheTimeout 300

    <VirtualHost *:443>
        DocumentRoot "/usr/local/apache2/htdocs"
        ServerName 192.168.9.128
        ServerAdmin [email protected]
        ErrorLog "/usr/local/apache2/logs/error_log"
        TransferLog "/usr/local/apache2/logs/access_log"

        SSLEngine on
        SSLCertificateFile "/usr/local/apache2/conf/server.crt"
        SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory "/usr/local/apache2/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

        CustomLog "/usr/local/apache2/logs/ssl_request_log" \
            "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

When I start httpd with bin/apachectl -k start, the following errors appear in error_log:

    [Wed Jun 04 00:29:27.995654 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01887: Init: Initializing (virtual) servers for SSL
    [Wed Jun 04 00:29:27.995726 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:29:27.995863 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:29:27.996111 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun 3 22:26:45 2014 GMT / notafter: Jun 3 22:26:45 2015 GMT]
    [Wed Jun 04 00:29:27.996122 2014] [ssl:info] [pid 24021:tid 139640404293376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
    [Wed Jun 04 00:29:27.996209 2014] [ssl:info] [pid 24021:tid 139640404293376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:29:27.996280 2014] [ssl:debug] [pid 24021:tid 139640404293376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:29:27.996295 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
    [Wed Jun 04 00:29:27.996303 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: DH PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Jun 04 00:29:27.996308 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: EC PARAMETERS) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Jun 04 00:29:27.996318 2014] [ssl:emerg] [pid 24021:tid 139640404293376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    [Wed Jun 04 00:29:27.996321 2014] [ssl:emerg] [pid 24021:tid 139640404293376] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed

Then I tried generating the missing DH parameters and EC parameters:

    openssl dhparam -outform PEM -out dhparam.pem 2048
    openssl ecparam -out ec_param.pem -name prime256v1
    cat dhparam.pem ec_param.pem >> /usr/local/apache2/conf/server.crt

That got rid of those errors, but then the following came up:

    [Wed Jun 04 00:34:05.021438 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01887: Init: Initializing (virtual) servers for SSL
    [Wed Jun 04 00:34:05.021487 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:34:05.021874 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:34:05.022050 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_util_ssl.c(343): AH02412: [192.168.9.128:443] Cert matches for name '192.168.9.128' [subject: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / issuer: CN=192.168.9.128,OU=XXX,O=XXXX,L=XXXX,ST=NRW,C=DE / serial: AF04AF31799B7695 / notbefore: Jun 3 22:26:45 2014 GMT / notafter: Jun 3 22:26:45 2015 GMT]
    [Wed Jun 04 00:34:05.022066 2014] [ssl:info] [pid 24089:tid 140719371077376] AH02568: Certificate and private key 192.168.9.128:443:0 configured from /usr/local/apache2/conf/server.crt and /usr/local/apache2/conf/server.key
    [Wed Jun 04 00:34:05.022285 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1016): AH02540: Custom DH parameters (2048 bits) for 192.168.9.128:443 loaded from /usr/local/apache2/conf/server.crt
    [Wed Jun 04 00:34:05.022389 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(1030): AH02541: ECDH curve prime256v1 for 192.168.9.128:443 specified in /usr/local/apache2/conf/server.crt
    [Wed Jun 04 00:34:05.022397 2014] [ssl:info] [pid 24089:tid 140719371077376] AH01914: Configuring server 192.168.9.128:443 for SSL protocol
    [Wed Jun 04 00:34:05.022464 2014] [ssl:debug] [pid 24089:tid 140719371077376] ssl_engine_init.c(312): AH01893: Configuring TLS extension handling
    [Wed Jun 04 00:34:05.022478 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02572: Failed to configure at least one certificate and key for 192.168.9.128:443
    [Wed Jun 04 00:34:05.022488 2014] [ssl:emerg] [pid 24089:tid 140719371077376] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
    [Wed Jun 04 00:34:05.022491 2014] [ssl:emerg] [pid 24089:tid 140719371077376] AH02312: Fatal error initialising mod_ssl, exiting.
    AH00016: Configuration Failed

I tried to generate a simple certificate/key pair exactly as described in the httpd documentation. Unfortunately I still get exactly the same error as above.

I found a bug report for a similar problem: https://issues.apache.org/bugzilla/show_bug.cgi?id=56410 but the OpenSSL version I'm using is reported to work there. I also tried applying the patch from the report and building the latest 2.4.x branch, without success; I got the same error as above.

I also tried creating a short certificate chain and setting the root CA certificate with the SSLCertificateChainFile directive. That didn't help either; I got exactly the same error as described above.

I don't want to set up hardened security or anything like that. All I need is to start httpd with the simplest SSL configuration possible so I can continue testing the proxy configuration for mod_proxy_wstunnel.

Has anyone run into and solved this problem?

Is my sequence of commands for creating the self-signed certificate correct?

Any help is greatly appreciated!

PS: Updated the initial httpd-ssl.conf to reflect the correct state of what I'm testing.

The problem seems to be related to the certificate you generated. It looks like you forgot/skipped some steps. I think you specified a passphrase for the certificate and Apache can't find it. The passphrase can be specified via the SSLPassPhraseDialog directive, which is missing from your configuration file.

Alternatively, you can avoid the passphrase altogether by stripping it from the certificate when you generate it. I have successfully generated self-signed certificates by following the steps at http://www.akadia.com/services/ssh_test_certificate.html

I suggest regenerating a new certificate using the instructions at the link above and testing again....
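The two PEM-level failure modes discussed so far, a certificate file that does not contain what mod_ssl expects (the "no start line ... Bad file contents or format" errors in the question, and the DH/EC parameters the questioner appended to server.crt) and a passphrase-protected key (the hypothesis in the answer above), can both be caught before httpd is restarted. The following script is an added example and not code from the question, the answer, or the httpd project. It parses PEM text by its `-----BEGIN X-----`/`-----END X-----` armour, checks that BEGIN and END labels match, and reports findings for a file meant for `SSLCertificateFile` and one meant for `SSLCertificateKeyFile`. The sample PEM blobs at the bottom are constructed for the demonstration; their base64 bodies are placeholders, not real keys or certificates.

```python
"""Pre-flight check for the PEM files referenced by SSLCertificateFile / SSLCertificateKeyFile.

Added example; the checks mirror the errors in this thread, they are not the
httpd project's own validation. Usage:

    python pem_check.py /usr/local/apache2/conf/server.crt /usr/local/apache2/conf/server.key
"""
import re
import sys

# One PEM block: BEGIN label, optional RFC 1421 headers, base64 body, END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return [(label, headers, base64_body)] for each block; ValueError on a BEGIN/END mismatch."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        if m.group("begin") != m.group("end"):
            raise ValueError("BEGIN %s is closed by END %s" % (m.group("begin"), m.group("end")))
        raw = m.group("body")
        headers = {}
        body = raw
        # Encrypted legacy keys carry "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." headers,
        # separated from the base64 body by one blank line. Base64 never contains ':'.
        if ":" in raw.split("\n", 1)[0]:
            head, _, body = raw.partition("\n\n")
            for line in head.splitlines():
                key, _, value = line.partition(":")
                headers[key.strip()] = value.strip()
        blocks.append((m.group("begin"), headers, "".join(body.split())))
    return blocks


def pem_is_well_formed(text):
    """True when every block's BEGIN and END labels agree."""
    try:
        parse_pem(text)
        return True
    except ValueError:
        return False


def check_certificate_file(text):
    """Findings for a file used as SSLCertificateFile; an empty list means nothing suspicious."""
    findings = []
    labels = [label for label, _, _ in parse_pem(text)]
    if "CERTIFICATE" not in labels:
        findings.append("no CERTIFICATE block found")
    for label in labels:
        if label.endswith("PRIVATE KEY"):
            findings.append("private key inside the certificate file; keep it only in SSLCertificateKeyFile")
        elif label in ("DH PARAMETERS", "EC PARAMETERS"):
            findings.append(label + " appended to the certificate file; optional, remove them while debugging a key/cert problem")
    return findings


def check_key_file(text):
    """Findings for a file used as SSLCertificateKeyFile."""
    findings = []
    keys = [(label, headers) for label, headers, _ in parse_pem(text) if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        findings.append("expected exactly one private key block, found %d" % len(keys))
    for label, headers in keys:
        if label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type", "").endswith("ENCRYPTED"):
            findings.append("private key is passphrase-protected; httpd needs SSLPassPhraseDialog, "
                            "or regenerate the key without a passphrase (openssl req ... -nodes)")
    return findings


# Constructed sample data (placeholder base64, not real key material).
FAKE_B64 = "MIIB" + "A" * 60 + "\n" + "B" * 64 + "\n"
GOOD_CERT = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "-----END CERTIFICATE-----\n"
BUNDLED_CERT = (GOOD_CERT
                + "-----BEGIN DH PARAMETERS-----\n" + FAKE_B64 + "-----END DH PARAMETERS-----\n"
                + "-----BEGIN EC PARAMETERS-----\n" + FAKE_B64 + "-----END EC PARAMETERS-----\n")
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_B64 + "-----END RSA PRIVATE KEY-----\n"
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 + FAKE_B64 + "-----END RSA PRIVATE KEY-----\n")
MISMATCHED = "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            cert_text = f.read()
        with open(sys.argv[2]) as f:
            key_text = f.read()
    else:  # no paths given: run over the constructed samples
        cert_text, key_text = BUNDLED_CERT, ENCRYPTED_KEY
    for name, text, check in (("certificate", cert_text, check_certificate_file),
                              ("key", key_text, check_key_file)):
        if not pem_is_well_formed(text):
            print("%s file: BEGIN/END labels do not match (bad file contents or format)" % name)
            continue
        for finding in check(text) or ["ok"]:
            print("%s file: %s" % (name, finding))
```

The parser is deliberately armour-only: it does not decode the base64 or verify that the key and certificate belong together (that needs `openssl x509 -noout -modulus` against `openssl rsa -noout -modulus`, which is worth running as well), but it does answer the question mod_ssl's "Expecting: ..." and "Bad file contents" messages raise, namely what block types the file actually contains.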

Your initial commands for creating the certificate authority may be incorrect. I would try rebuilding the CA with these commands from the Arch Linux Wiki:

    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
    chmod 600 server.key
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Let us know how it goes!

As a side note, I noticed you are using a vulnerable OpenSSL version (1.0.1e-fips). This version is affected by the well-known Heartbleed bug. See http://en.wikipedia.org/wiki/Heartbleed for more details.

You could try upgrading OpenSSL to the corresponding latest version that fixes this issue.

It looks like my problem was that I had built httpd against the "wrong" OpenSSL. Initially I had downloaded the OpenSSL 1.0.1g sources, built and installed them, and pointed httpd's configure at that installation:

    cd ../openssl-1.0.1g
    ./config -fPIC no-gost no-shared no-zlib
    make depend
    make
    make install
    cd ../httpd-2.4.9
    ./configure --enable-ssl --with-ssl=/usr/local/ssl/ --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
    make
    make install

Instead, I installed the openssl-devel package with yum and used the default OpenSSL location:

    yum install openssl-devel
    cd ../httpd-2.4.9
    ./configure --enable-ssl --with-apr=apr-1.5.1/ --with-apr-util=apr-util-1.5.3/
    make
    make install

Right after the installation, the server started with a simple certificate generated in the /usr/local/apache2/conf folder using the following command:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key