求助apache2.2.8+openssl0.9.8 apache不能启动问题
caichang
|
1#
caichang 发表于 2008-12-12 17:34
求助apache2.2.8+openssl0.9.8 apache不能启动问题
操作系统和软件包:ubuntu-8.04-server + apache2.2.8 + openssl0.9.8
软件包都是apt-get install方式安装 配置时参考资料: http://linux.chinaunix.net/bbs/viewthread.php?tid=1004201 http://grid.tsinghua.edu.cn/home ... ter/Apache2SVN.html http://linux.chinaunix.net/bbs/v ... p%3Bfilter%3Ddigest 解决问题时搜索到的参考资料: http://www.chinalinuxpub.com/bbs/showthread.php?t=49296 http://tec.serveblog.net/?p=114 http://www.debianhelp.co.uk/apacheinstall.htm 默认站点在 /var/www/ 配置文件在 /etc/apache2/apache.conf(httpd.conf文件是空的) 日志在 /var/log/apache/error.log 启动脚本是 /usr/sbin/apache2ctl 或者 /etc/init.d/apache2 配置过程: 1、开启SSL模块 #a2enmod ssl 2、创建证书 可以使用apache内置的工具创建默认的证书,通过-days指定有效期。 #apache2-ssl-certificate ——找不到此条命令,不做过多纠缠 另外我们可以使用openssl来创建 #openssl req -x509 -newkey rsa:1024 -keyout apache.pem -out apache.pem -nodes -days 999 注:在要求输入Common Name (eg, YOUR name) 时,输入你的主机名。 #mkdir /etc/apache2/ssl #mv apache.pem /etc/apache2/ssl/apache.pem 4、编辑SSL的配置 可以将当前的默认站点配置文件拷贝一份 #cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl 然后进行修改 #vi /etc/apache2/sites-available/ssl 把端口改为443,加入SSL认证配置 #NameVirtualHost *:443 <VirtualHost 192.168.99.161:443> ServerSignature On SSLEngine On SSLCertificateFile /etc/apache2/ssl/apache.pem ServerAdmin webmaster@localhost ............ </VirtualHost> 修改普通http方式的配置 #vi /etc/apache2/sites-enabled/000-default 把端口改为80 #NameVirtualHost *:80 <VirtualHost 192.168.99.161:80> ServerAdmin webmaster@localhost ............ </VirtualHost> 5、编辑Apache端口配置,加入443端口(SSL的) #vi /etc/apache2/ports.conf Listen 80 Listen 443 重新载入Apache的配置 #/etc/init.d/apache2 force-reload 或者重新启动Apache2 #/etc/init.d/apache2 restart 到此处apache服务的启动正常,网页正常访问,但不能用https://url方式。 步骤一:签证 安装openssl后,在openssl下有一个CA.sh文件,就是利用此文件来签证, 来签三张证书,然后利用这三张证书来布SSL服务器。 1、在/etc/apache2/下,建立一个ssl.crt目录,将CA.sh文件copy至/etc/apache2/ssl.crt/目录 [root@dog /etc/apache2]# mkdir /etc/apache2/ssl.crt [root@dog /etc/apache2/ssl.crt]# cp /usr/lib/ssl/misc/CA.sh /etc/apache2/ssl.crt/CA.sh 2、运行CA.sh -newca,他会找你要CA需要的一个CA自己的私有密钥密码文件。如果没有这个文件?按回车会自动创建,输入密码来保护这个密码文件。之后会要你的一个公司信息来做CA.crt文件。最后在当前目录下多了一个./demoCA这样的目录../demoCA/private/cakey.pem就是CA 的key文件啦,./demoCA/cacert.pem就是CA的crt文件了 [root@dog /etc/apache2/ssl.crt]# ./CA.sh -newca 要求输入如下信息: Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:Beijing Locality Name (eg, city) [Newbury]:Beijing Organization Name (eg, company) [My Company Ltd]:JJJ Organizational Unit Name (eg, section) []:JJJ Common Name (eg, your name or your server's hostname) []:dog Email Address []:dog@hotmail.com 这样就建好了一个CA服务器,有了一个根证书的私钥cakey.pem及一张根证书cacert.pem,现在就可以cacert.pem来给签证了 3、签署服务器证书 生成服务器私钥: [root@dog /etc/apache2/ssl.crt]# openssl genrsa -des3 -out server.key 1024 生成服务器证书请求: [root@dog /etc/apache2/ssl.crt]# openssl req -new -key server.key -out server.csr 会要求输入信息: Country Name (2 letter code) [GB]:CN State or Province Name (full name) [Berkshire]:Beijing Locality Name (eg, city) [Newbury]:Beijing Organization Name (eg, company) [My Company Ltd]:JJJ Organizational Unit Name (eg, section) []:JJJ Common Name (eg, your name or your server's hostname) []:dog Email Address []:dog@hotmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:dog An optional company name []:dog 最后把server.crt文件mv成newreq.pem,然后用CA.sh来签证就可以了: [root@dog /etc/apache2/ssl.crt]# mv server.csr newreq.pem [root@dog /etc/apache2/ssl.crt]# ./CA.sh -sign 这样就生成了server的证书newcert.pem 把newcert.pem改名成server.crt [root@dog /etc/apache2/ssl.crt]# mv newcert.pem server.crt 4、处理客户端: 生成客户私钥: [root@dog /etc/apache2/ssl.crt]# openssl genrsa -des3 -out client.key 1024 请求: [root@dog /etc/apache2/ssl.crt]# openssl req -new -key client.key -out client.csr 签证: [root@dog /etc/apache2/ssl.crt]# openssl ca -in client.csr -out client.crt 把证书格式转换成pkcs12格式: [root@dog /etc/apache2/ssl.crt]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx 5、这时就有了三张证书和三个私钥,一个是demoCA下的根证书,ssl.crt下的服务器证书和客户证书。及demoCA/private下的根 key,ssl.crt下的服务器key和客户key,在conf下的ssl.conf下指定证书的位置和服务器key的位置. 我是在conf下建立一个ssl.crt目录,并将所有的key和证书放到这里,同时复制一份证书,更名为ca.crt [root@dog /etc/apache2/ssl.crt]# cp demoCA/cacert.pem ca.crt 步骤二:编辑ssl.conf [root@dog /etc/apache2/]# cd mods-enabled [root@dog /etc/apache2/mods-enabled]# vim ssl.conf 添加如下内容 #指定服务器证书位置 SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt #指定服务器证书key位置 SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key #证书目录 SSLCACertificatePath /usr/local/apache/conf/ssl.crt #根证书位置 SSLCACertificateFile /usr/local/apache/conf/ssl.crt/cacert.pem #开启客户端SSL请求 SSLVerifyClient require SSLVerifyDepth 1 启动ssl [root@dog /etc/apache2/mods-enabled]# /usr/sbin/apache2ctl startssl 会要求输入server.key的密码,这样一个默认的SSL服务器及http服务器就启动了。 我执行以上命令提示: The startssl option is no longer supported. Please edit httpd.conf to include the SSL configuration settings and then use apachectl start. 在此参考:http://tec.serveblog.net/?p=114 内容 (突然之間不了發生什麼事 ??到最後才明白 httpd2 + openssl-0.9.8 關於 ssl 的啟動方式變了, 這二者的組合只要將httpd.conf 中紅色這一行 “ Include conf/extra/httpd-ssl.conf ” 的mark拿除, 直接 /usr/local/xxx/bin/apachectl start 就會同時啟動ssl機制) 而我在 [root@dog /etc/apache2] vim /etc/apache2/apache.conf 中找到相类似的两行都没加注释: Include /etc/apache2/mods-enabled/*.load Include /etc/apache2/mods-enabled/*.conf 之后执行 /usr/sbin/apachectl start [Fri Dec 12 17:23:22 2008] [warn] The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias. [Fri Dec 12 17:23:22 2008] [warn] VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive [Fri Dec 12 17:23:22 2008] [warn] VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog) Some of your private key files are encrypted for 、etsecurity reasons. In order to read them you have to provide the pass phrases. Server localhost:443 (RSA) Enter pass phrase:我输入的密码 OK: Pass Phrase Dialog successful. 此时重启apache服务 [root@dog /etc/apache2]# /etc/init.d/apache restart * Restarting web server apache2 [Fri Dec 12 17:28:22 2008] [warn] The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias. [Fri Dec 12 17:28:22 2008] [warn] VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive [Fri Dec 12 17:28:22 2008] [warn] VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive httpd (no pid file) not running [Fri Dec 12 17:28:33 2008] [warn] The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias. [Fri Dec 12 17:28:33 2008] [warn] VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive [Fri Dec 12 17:28:33 2008] [warn] VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog) Some of your private key files are encrypted for security reasons. In order to read them you have to provide the pass phrases. Server localhost:443 (RSA) Enter pass phrase:我输入的密码 OK: Pass Phrase Dialog successful. [fail] 服务没有启动,貌似以上所报警告不应影响apache启动,我又tail /var/log/apache/error.log 显示 Init: Multiple RSA server certificates not google也没有发现什么好的解决方案,特来请教坛友。 步骤三、安装和使用证书 ——还没做到这步 把刚才生成的证书:根证书ca.crt和客户证书client.pfx下到客户端,并安装, ca.crt安装到信任的机构,client.pfx直接在windows安装或安装到个人证书位置,然后用IP访问HTTP和https服务器。 |