14

I am enabling SSL on Apache running on localhost. I generated a self-signed certificate and put it in the usual location:

[david@david web]$ ll /etc/ssl/certs/
...
-rwxrwxrwx. 1 david david    977 Mar  7 13:18 localhost.crt
-rwxrwxrwx. 1 david david    712 Mar  7 13:16 localhost.csr
-rwxrwxrwx. 1 david david    963 Mar  7 13:12 localhost.key

But when I restart Apache, the server fails and I get the following in the error log:

[Fri Mar 07 13:29:17 2014] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Mar 07 13:29:17 2014] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Mar 07 13:29:17 2014] [error] (13)Permission denied: Init: Can't open server private key file /etc/ssl/certs/localhost.key

The permissions look fine to me; what am I doing wrong?

4

2 Answers

45

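This is probably because you first uploaded the files to one of your home directories and then moved them to a location under /etc. To correct the context of these files, run the following command: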

restorecon -RvF /etc/ssl/certs/

And restart Apache:

service httpd restart

Hope this helps.

Answered 2015-09-17T14:38:30.857
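An added example, not part of the original answers: a file that is moved with mv keeps the SELinux label it had in its old location, so a key with mode 0777 can still be unreadable to a process confined as httpd_t. The script below pulls httpd_t denials out of audit records to confirm that diagnosis before running restorecon. The sample records are constructed, the user_home_t label is an assumption based on the answer above, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed audit records in the standard AVC format (not taken from the post).
# Assumption: the key was created under a home directory, so it carries user_home_t.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1394195357.101:411): avc:  denied  { read } for  pid=2211 comm="httpd" name="localhost.key" dev="dm-0" ino=131099 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1394195360.530:412): avc:  denied  { getattr } for  pid=2300 comm="sshd" name="authorized_keys" dev="dm-0" ino=140001 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1394195357.101:411): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

# Read audit records on stdin and print "<file> <permission> <target type>"
# for every AVC denial whose source domain is httpd_t.
httpd_denials() {
  awk '
    $1 == "type=AVC" && /avc: +denied/ {
      name = ""; stype = ""; ttype = ""; perm = ""
      # The denied permissions sit between "{ " and " }".
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^name=/)     { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
        # Contexts are user:role:type:level, so the type is the third field.
        if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
        if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
      }
      if (stype == "httpd_t") print name, perm, ttype
    }'
}

# On a real host, feed it live records instead of the sample:
#   ausearch -m AVC -c httpd | httpd_denials
# and compare the current label with the policy default:
#   ls -Z /etc/ssl/certs/localhost.key
#   matchpathcon /etc/ssl/certs/localhost.key
sample_audit_log | httpd_denials
```

A target type that differs from what matchpathcon reports for the path is the mismatch that restorecon corrects.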
0

David,

I would suggest first to change the permissions and ownership on the key file

Change ownership: sudo chown root:root localhost.key
Change permissions: sudo chmod 600 localhost.key

To fix the problem, I needed to remove the passphrase from the key

Remove passphrase: openssl rsa -in localhost.key -out localhost_nopp.key

After that, just change the SSLCertificateKeyFile parameter to point to localhost_nopp.key and restart Apache.

I am guessing this produces a "clean" file that Apache is now happy to use. Since this appears to be a development/test environment, the assumption is that removing the passphrase will not cause a major security issue.

Thanks,

John

Answered 2014-06-06T03:56:11.353