求助apache2.2.8+openssl0.9.8 apache不能啟動問題
操作系統和軟體包:ubuntu-8.04-server + apache2.2.8 + openssl0.9.8
軟體包都是apt-get install方式安裝
配置時參考資料:
http://linux.chinaunix.net/bbs/viewthread.php?tid=1004201
http://grid.tsinghua.edu.cn/home/liulk/publish/computer/Apache2SVN.html
http://linux.chinaunix.net/bbs/viewthread.php?tid=479635&extra=page%3D3%26amp%3Bfilter%3Ddigest
解決問題時搜索到的參考資料:
http://www.chinalinuxpub.com/bbs/showthread.php?t=49296
http://tec.serveblog.net/?p=114
http://www.debianhelp.co.uk/apacheinstall.htm
默認站點在 /var/www/
配置文件在 /etc/apache2/apache.conf(httpd.conf文件是空的)
日誌在 /var/log/apache/error.log
啟動腳本是 /usr/sbin/apache2ctl 或者 /etc/init.d/apache2
配置過程:
1、開啟SSL模塊
#a2enmod ssl
2、創建證書
可以使用apache內置的工具創建默認的證書,通過-days指定有效期。
#apache2-ssl-certificate ——找不到此條命令,不做過多糾纏
另外我們可以使用openssl來創建
#openssl req -x509 -newkey rsa:1024 -keyout apache.pem -out apache.pem -nodes -days 999
註:在要求輸入Common Name (eg, YOUR name) 時,輸入你的主機名。
#mkdir /etc/apache2/ssl
#mv apache.pem /etc/apache2/ssl/apache.pem
4、編輯SSL的配置
可以將當前的默認站點配置文件拷貝一份
#cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
然後進行修改
#vi /etc/apache2/sites-available/ssl
把埠改為443,加入SSL認證配置
#NameVirtualHost *:443
<VirtualHost 192.168.99.161:443>
ServerSignature On
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
ServerAdmin webmaster@localhost
............
</VirtualHost>
修改普通http方式的配置
#vi /etc/apache2/sites-enabled/000-default
把埠改為80
#NameVirtualHost *:80
<VirtualHost 192.168.99.161:80>
ServerAdmin webmaster@localhost
............
</VirtualHost>
5、編輯Apache埠配置,加入443埠(SSL的)
#vi /etc/apache2/ports.conf
Listen 80
Listen 443
重新載入Apache的配置
#/etc/init.d/apache2 force-reload
或者重新啟動Apache2
#/etc/init.d/apache2 restart
到此處apache服務的啟動正常,網頁正常訪問,但不能用https://url方式。
步驟一:簽證
安裝openssl后,在openssl下有一個CA.sh文件,就是利用此文件來簽證,
來簽三張證書,然後利用這三張證書來布SSL伺服器。
1、在/etc/apache2/下,建立一個ssl.crt目錄,將CA.sh文件copy至/etc/apache2/ssl.crt/目錄
# mkdir /etc/apache2/ssl.crt
# cp /usr/lib/ssl/misc/CA.sh /etc/apache2/ssl.crt/CA.sh
2、運行CA.sh -newca,他會找你要CA需要的一個CA自己的私有密鑰密碼文件。如果沒有這個文件?按回車會自動創建,輸入密碼來保護這個密碼文件。之後會要你的一個公司信息來做CA.crt文件。最後在當前目錄下多了一個./demoCA這樣的目錄../demoCA/private/cakey.pem就是CA 的key文件啦,./demoCA/cacert.pem就是CA的crt文件了
# ./CA.sh -newca
要求輸入如下信息:
Country Name (2 letter code) :CN
State or Province Name (full name) :Beijing
Locality Name (eg, city) :Beijing
Organization Name (eg, company) :JJJ
Organizational Unit Name (eg, section) []:JJJ
Common Name (eg, your name or your server's hostname) []:dog
Email Address []:dog@hotmail.com
這樣就建好了一個CA伺服器,有了一個根證書的私鑰cakey.pem及一張根證書cacert.pem,現在就可以cacert.pem來給簽證了
3、簽署伺服器證書
生成伺服器私鑰:
# openssl genrsa -des3 -out server.key 1024
生成伺服器證書請求:
# openssl req -new -key server.key -out server.csr
會要求輸入信息:
Country Name (2 letter code) :CN
State or Province Name (full name) :Beijing
Locality Name (eg, city) :Beijing
Organization Name (eg, company) :JJJ
Organizational Unit Name (eg, section) []:JJJ
Common Name (eg, your name or your server's hostname) []:dog
Email Address []:dog@hotmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dog
An optional company name []:dog
最後把server.crt文件mv成newreq.pem,然後用CA.sh來簽證就可以了:
# mv server.csr newreq.pem
# ./CA.sh -sign
這樣就生成了server的證書newcert.pem
把newcert.pem改名成server.crt
# mv newcert.pem server.crt
4、處理客戶端:
生成客戶私鑰:
# openssl genrsa -des3 -out client.key 1024
請求:
# openssl req -new -key client.key -out client.csr
簽證:
# openssl ca -in client.csr -out client.crt
把證書格式轉換成pkcs12格式:
# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
5、這時就有了三張證書和三個私鑰,一個是demoCA下的根證書,ssl.crt下的伺服器證書和客戶證書。及demoCA/private下的根 key,ssl.crt下的伺服器key和客戶key,在conf下的ssl.conf下指定證書的位置和伺服器key的位置.
我是在conf下建立一個ssl.crt目錄,並將所有的key和證書放到這裡,同時複製一份證書,更名為ca.crt
# cp demoCA/cacert.pem ca.crt
步驟二:編輯ssl.conf
# cd mods-enabled
# vim ssl.conf 添加如下內容
#指定伺服器證書位置
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#指定伺服器證書key位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key
#證書目錄
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
#根證書位置
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/cacert.pem
#開啟客戶端SSL請求
SSLVerifyClient require
SSLVerifyDepth 1
啟動ssl
# /usr/sbin/apache2ctl startssl
會要求輸入server.key的密碼,這樣一個默認的SSL伺服器及http伺服器就啟動了。
我執行以上命令提示:
The startssl option is no longer supported.
Please edit httpd.conf to include the SSL configuration settings
and then use apachectl start.
在此參考:http://tec.serveblog.net/?p=114 內容
(突然之間不了發生什麼事 ??到最後才明白 httpd2 + openssl-0.9.8 關於 ssl 的啟動方式變了,
這二者的組合只要將httpd.conf 中紅色這一行 「 Include conf/extra/httpd-ssl.conf 」 的mark拿除,
直接 /usr/local/xxx/bin/apachectl start 就會同時啟動ssl機制)
而我在
vim /etc/apache2/apache.conf
中找到相類似的兩行都沒加註釋:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
之後執行
/usr/sbin/apachectl start
The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias.
VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive
VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive
Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for 、etsecurity reasons.
In order to read them you have to provide the pass phrases.
Server localhost:443 (RSA)
Enter pass phrase:我輸入的密碼
OK: Pass Phrase Dialog successful.
此時重啟apache服務
# /etc/init.d/apache restart
* Restarting web server apache2
The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias.
VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive
VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive
httpd (no pid file) not running
The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias.
VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive
VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive
Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost:443 (RSA)
Enter pass phrase:我輸入的密碼
OK: Pass Phrase Dialog successful.
服務沒有啟動,貌似以上所報警告不應影響apache啟動,我又tail /var/log/apache/error.log 顯示
Init: Multiple RSA server certificates not
google也沒有發現什麼好的解決方案,特來請教壇友。
步驟三、安裝和使用證書 ——還沒做到這步
把剛才生成的證書:根證書ca.crt和客戶證書client.pfx下到客戶端,並安裝,
ca.crt安裝到信任的機構,client.pfx直接在windows安裝或安裝到個人證書位置,然後用IP訪問HTTP和https伺服器。
[ 本帖最後由 caichang 於 2008-12-12 17:36 編輯 ]
《解決方案》
感謝wingger、caincheung的帖子
我得把配置過程寫出來,還要把問題描述出來,長了點!:mrgreen:
不會是iptables把443埠禁止了吧,應該和iptables配置沒有啥關係吧!
[ 本帖最後由 caichang 於 2008-12-12 17:43 編輯 ]
《解決方案》
回復 #1 caichang 的帖子
VirtualHost 192.168.99.162:443
你的虛擬機的定義存在問題
《解決方案》
原帖由 kns1024wh 於 2008-12-12 21:48 發表 http://bbs.chinaunix.net/images/common/back.gif
VirtualHost 192.168.99.162:443
你的虛擬機的定義存在問題
好的,我再看看!知道問題在哪對我來說就是進步!謝謝了