SSL not working with Apache on Windows

I am using a product from a vendor that has to run Apache on Windows.

We have our own CA.

For naming purposes:

AppServer – Server2012r2 – Apache 2.4

OldCertsha1 – Server2012r2

NewCertsha2 – Server2012r2

I created the CSR on AppServer with the two commands below.

    openssl genrsa -des3 -out name.sub.domain.com.key 2048
    openssl req -new -key name.sub.domain.com.key -out name.sub.domain.com.csr

This all went fine

    openssl req -noout -text -in name.sub.domain.com.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: C=xx, ST=xx, L=xx, O=xx, OU=xx, CN=name.sub.domain.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                    Modulus (2048 bit):
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        e1:ae:5a:e8:26:81:fd:a0:49:f9:a3:c0:77:75:0f:
                        321:rf
                    Exponent: 65537 (0x10001)
            Attributes:
                a0:00
        Signature Algorithm: sha1WithRSAEncryption
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d:9a:56:b4:22:e8:a5:1a:e8:43:1d:6f:ef:86:d8:
            aa:e4:b7:1d

Then on the CA server

https://NewCertsha2/CertSrv

Request a certificate

Advanced certificate request.

Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Open the CSR on AppServer and paste in the CSR contents

    -----BEGIN CERTIFICATE REQUEST-----
    MIIC0zCCAbsCAQAwgY0xCzAJBgNVBAYTAlVTMREwDwYDVQQIEwhNaWNoaWdhbjER
    MA8GA1UEBxMIRGVhcmJvcm4xFjAUBgNVBAoTDWRmY3VmaW5hbmNpYWwxDDAKBgNV
    BAsTA2l2cjEyMDAGA1UEAxMpcDAxMWRjMDEtY3JlYzAzLmNlbnRyYWwuZGZjdWZp
    bmFuY2lhbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCej1o0
    EEq6UcgB4uhr9bYzA4u8pvxvaCE0JXCqW/8m8D2DBHnJFA2Ui4kEjQlKy1eRTfE0
    6lRmowrsJVvvlz0pfsdfghksdkjfgsjskhgfksgfdfmjwHd1D/Bgg60AOPmUBIFl
    rgaGcw9CasdkjlhaslkdjhsaklfjhdsfkhsldfjhsdlkjfhdlFOoGVtQdgticLqy
    dzpLnAnqwezEnsdflsjhdfksdkfjhwsdkfjhLqKDx1b0z1n7tV4F8DS261dmm8+r
    ONz9oYqZfdAFu55gG7sHgOn14P5gP2QIoV/c6CJ2hzbtlifKmZp2A+9F/csXTMIJ
    w2sgfQzgv+UPEkH9AgMBAAGgADANBgkqhkiG9w0BAQUFAAOCAQEAMwjmg96iCLnB
    uTF4LOoeA788NAt9cYdsWuaUsHptnw70Mj5wWIiaZYgY0hCvWPezRsgOfFrWinN0
    y4n0trlyEYXJquBKZbxJZ2yscNMqOJyKl70Ckb83IwpIdhxRYr0JZffEmFlx+2yv
    4rhFquS3HZpWtCLopRroQx1v74bYGZHBiz2cM4peowzqGrs8r5NKYYqLRiH00VTs
    GEEB+Rihen4tnrn0Y1KLkumrSOrTghIrpQ0j2MZrmvhAIlcZ0W+6bJQcbl0lQ3Hv
    STaH9EyIj+47jpMhpfazRPOjSDdFiokjchVDS0Wj/iQJlNDurU7xd+570gduZfcF
    M4YoMCwv7Q==
    -----END CERTIFICATE REQUEST-----

Template: Web Server (10 Years)

Here I get two choices

DER encoded or Base 64 encoded

Whichever one I choose, it downloads a .cer and a .p7b file

I did the same steps on the OldCertsha1 server and got the same results

When I edit the httpd-ssl.conf file, add the following and restart the Apache2.4 service

    SSLCertificateFile "E:/Apache24/conf/Certs/name.sub.domain.com.crt"
    SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"

I get the following errors from the options above (DER encoded or Base 64 encoded), a different type of error for each:

DER encoded:

    [Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] (OS 10061)No connection could be made because the target machine actively refused it. : AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (127.0.0.1) failed
    [Wed Jan 11 08:37:44.471616 2017] [proxy:error] [pid 4804:tid 1780] AH00959: ap_proxy_connect_backend disabling worker for (127.0.0.1) for 60s
    [Wed Jan 11 08:37:44.471616 2017] [proxy_http:error] [pid 4804:tid 1780] [client ::1:61346] AH01114: HTTP: failed to make connection to backend: 127.0.0.1, referer: https://name.sub.domain.com/knoahsoft/faces/client/index1.jspx?_afPfm=5600447c
    [Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer
    [Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Jan 11 13:13:56.437605 2017] [ssl:emerg] [pid 20860:tid 540] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
    [Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] AH02562: Failed to configure certificate name.sub.domain.com:443:0 (with chain), check E:/Apache24/conf/Certs/name.sub.domain.com.cer
    [Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:0906D06C:PEM routines:PEM_read_bio:no start line (Expecting: TRUSTED CERTIFICATE) -- Bad file contents or format - or even just a forgotten SSLCertificateKeyFile?
    [Wed Jan 11 13:14:14.375459 2017] [ssl:emerg] [pid 23800:tid 544] SSL Library Error: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

Base 64 encoded:

    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] AH02564: Failed to configure encrypted (?) private key name.sub.domain.com:443:0, check E:/Apache24/conf/Certs/name.sub.domain.com.key
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=RSA)
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
    [Wed Jan 11 14:36:12.355215 2017] [ssl:emerg] [pid 145468:tid 512] SSL Library Error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

I have read several articles saying that CER and CRT files are interchangeable, just rename them.

If I rename the cer to crt and update httpd-ssl.conf, I get a lot of errors in the log, hundreds of them:

    [Wed Jan 11 14:06:43.943865 2017] [autoindex:error] [pid 70976:tid 1784] [client 10.1.41.110:50933] AH01276: Cannot serve directory E:/KnoahSoft/EmpPhotos/: No matching DirectoryIndex (index.html) found, and server-generated directory index forbidden by Options directive

Now, the vendor put server.crt, server.cer, server.csr and server.key files on the box, and if I change the two lines in httpd-ssl.conf back to the original, it is fine and everything works, but I get the SSL warning

    SSLCertificateFile "E:/Apache24/conf/Certs/server.crt"
    SSLCertificateKeyFile "E:/Apache24/conf/Certs/server.key"

Can someone tell me what I might be doing wrong? If you need to see the configs, just ask and I will post them.

Update:

I took their server.csr and opened the CertSrv page on OldCertsha1 and NewCertsha2; when I used the Web Server (10 Years) template I got the error:

    Your Request Id is 118. The disposition message is "Denied by Policy Module The certificate validity period will be shorter than the WebServer(10Years) Certificate Template specifies, because the template validity period is longer than the maximum certificate validity period allowed by the CA. Consider renewing the CA certificate, reducing the template validity period, or increasing the registry validity period. ".

So then I tried Web Server (5 Years), same error, then I tried (Web Server) and got no error, and downloaded the DER encoded or Base 64 encoded CER and P7B files.

Changed the Base 64 encoded server.cer to server.crt, changed the old server.crt to server1.crt and restarted Apache,

no errors, works perfectly,

Why? What did I do wrong from the start?

This is the first time I have worked with SSL and Apache and used our own CA; what did I do wrong? The only thing I can think of is the Web Server (10 Years) template I used, but that really does not make sense to me.

If I look at the two crt files, they have the same information

This certificate is intended for the following purposes

  • Ensures the identity of a remote computer

Issued to: name.sub.domain.com

Issued by: OldCertsha1

The only real difference on the General tab is how long it is valid for: the crt from my CSR is valid for 10 years, their crt is valid for 2 years.

I will dig into the other parts of SSL and see if I can find the difference tomorrow.

First, Apache will always use base64; the file extension is irrelevant (pem, crt, cer).

Second, you cannot issue a certificate for longer than the certificate authority's own.

10 years is a bit much; I would not be surprised to see browsers start flagging them as insecure.

If you still have the issued certificate, you can validate it with openssl.

https://security.stackexchange.com/a/56699/84379

Base 64 everywhere, please :-).

Your httpd.conf line

    SSLCertificateKeyFile "E:/Apache24/conf/Certs/name.sub.domain.com.key"

is specifying an encrypted key file. Apache on Windows does not support supplying the decryption passphrase at runtime... see the error log line:

    [Wed Jan 11 14:35:15.024474 2017] [ssl:emerg] [pid 141796:tid 508] AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file E:/Apache24/conf/Certs/name.sub.domain.com.key)

You will have to decrypt your key file beforehand:

    openssl rsa -in name.sub.domain.com.key -out name.sub.domain.com.decrypted.key

Supply the passphrase when asked. Correct httpd.conf and restart Apache.
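As an added example (not code from the question or from either answer), here is a small stdlib-only Python checker that looks at a file the way mod_ssl does and names the failure mode each of the cases above produces: raw DER where PEM is expected (the "no start line" error), a passphrase-protected PEM key (the AH02577 error the second answer points to), a PKCS#7 .p7b bundle, the CSR pasted in place of the issued certificate, or a usable PEM certificate or key. The sample inputs are constructed and contain no real key or certificate material.

```python
import base64
import binascii
import re

# Constructed samples, not real key or certificate material: the base64 body
# is a minimal DER SEQUENCE so the structural check has something to decode.
_TINY_DER = b"\x30\x03\x02\x01\x01"
_TINY_B64 = base64.b64encode(_TINY_DER).decode()

SAMPLE_PEM_CERT = f"-----BEGIN CERTIFICATE-----\n{_TINY_B64}\n-----END CERTIFICATE-----\n".encode()
SAMPLE_DER_CERT = _TINY_DER  # shape of the "DER encoded" download from CertSrv
SAMPLE_PLAIN_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{_TINY_B64}\n-----END RSA PRIVATE KEY-----\n".encode()
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"          # what "openssl genrsa -des3" writes
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    f"{_TINY_B64}\n-----END RSA PRIVATE KEY-----\n"
).encode()

_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def inspect_apache_pem(data: bytes, expected: str) -> str:
    """Classify a file meant for SSLCertificateFile (expected="CERTIFICATE") or
    SSLCertificateKeyFile (expected="PRIVATE KEY") and name the mod_ssl symptom."""
    m = _PEM_RE.search(data)
    if m is None:
        if data[:1] == b"\x30":  # bare ASN.1 SEQUENCE tag: a DER file, not PEM
            return "DER not PEM: mod_ssl reports 'no start line'; convert with openssl x509 -inform DER"
        return "neither PEM nor DER"
    label, body = m.group(1).decode(), m.group(2)
    headers, _, b64 = body.partition(b"\n\n")  # RFC 1421 headers end at a blank line
    if not b64:
        headers, b64 = b"", headers  # no headers: the whole body is the base64
    if label == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in headers:
        return "encrypted key: AH02577, Win32 cannot prompt for the passphrase; decrypt with openssl rsa first"
    if label == "PKCS7":
        return "PKCS#7 bundle (.p7b): extract the certificates with openssl pkcs7 -print_certs"
    if label == "CERTIFICATE REQUEST":
        return "this is the CSR, not the issued certificate"
    if not label.endswith(expected):
        return f"PEM label {label!r} does not match expected {expected!r}"
    try:
        der = base64.b64decode(b64)  # newlines are ignored by the default decoder
    except binascii.Error:
        return "PEM body is not valid base64"
    if der[:1] != b"\x30":
        return "PEM body does not decode to an ASN.1 SEQUENCE"
    return f"ok: PEM {label}"
```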