Introduction
I want to configure OCSP stapling for the httpd service, running in this version:
[root@localhost ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built: Nov 19 2015 21:43:13
I am running this Linux distribution:
[root@localhost ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.2.1511 (Core)
Release: 7.2.1511
Codename: Core
Approach
As far as I understand from reading the official Apache SSL HowTo and the official Apache SSL Doc, I have to edit the file /etc/httpd/conf/httpd.conf on the one hand, and on the other hand I have to specify and copy a .pem file. The tutorial here takes a similar approach.
Problems implementing the approach
In fact, my file /etc/httpd/conf/httpd.conf contains several VirtualHosts and looks like this (comments and some other things have been omitted):
[root@localhost ~]# cat /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"
Listen 8443
ServerName my.main.domain.com
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule headers_module modules/mod_headers.so
LoadModule deflate_module modules/mod_deflate.so
LoadFile /usr/lib64/libxml2.so.2
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
Include conf.modules.d/*.conf
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
#uncommenting this leads to the errors `AH02217`, `AH02235`, `AH01895` and `AH02312`, after which httpd refuses to restart
#SSLCACertificateFile /etc/httpd/conf/myFile.pem
<VirtualHost *:8443>
ProxyPreserveHost On
ProxyRequests Off
ServerName sub1.my.main.domain.com
RewriteEngine On
ProxyVia Off
ProxyPass / http://127.0.0.1:8887/
ProxyPassReverse / http://127.0.0.1:8887/
RequestHeader add X-Forwarded-Ssl on
RequestHeader set X-Forwarded-Proto "https"
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
SSLEngine On
SSLCertificateFile /etc/httpd/conf/someOtherFile.cer
SSLCertificateKeyFile /etc/httpd/conf/someOtherFile.key
#uncommenting this here also leads to the errors `AH02217`, `AH02235`, `AH01895` and `AH02312`, after which httpd refuses to restart
#SSLCACertificateFile /etc/httpd/conf/myFile.pem
</VirtualHost>
# more VirtualHost directives
This is the content of the error log file /etc/httpd/logs/error_log:
[Wed Apr 06 11:23:01.702030 2016] [ssl:error] [pid 19305] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Wed Apr 06 11:23:01.702050 2016] [ssl:error] [pid 19305] AH02235: Unable to configure server certificate for stapling
[Wed Apr 06 11:23:01.702639 2016] [ssl:emerg] [pid 19305] AH01895: Unable to configure verify locations for client authentication
[Wed Apr 06 11:23:01.702650 2016] [ssl:emerg] [pid 19305] AH02312: Fatal error initialising mod_ssl, exiting.
I generated the file myFile.pem from anotherFile.pfx using openssl in the following way:
[root@localhost ~]# openssl pkcs12 -in anotherFile.pfx -nocerts -out myFile.pem
Enter Import Password:
MAC verified OK
Questions
- What is wrong with my configuration?
- What did I do wrong when converting the .pfx file into the .pem file?
- What information do I need from my certificate provider in order to convert the .pfx file into a .pem file correctly?
- Is my description missing key information needed to debug this problem?
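The following script is an added example, not part of the original question or of the Apache documentation it cites. It reproduces the conversion step offline: it generates a disposable CA and leaf certificate, packs them into a PKCS#12 file the way a provider hands one out, and then runs three `openssl pkcs12` extractions against it. The point it demonstrates is that `-nocerts` (the option used in the question) writes a file containing the private key and zero certificates, whereas `SSLCACertificateFile`, and therefore mod_ssl's issuer lookup during stapling setup, needs the CA certificate, which `-nokeys -cacerts` produces. The CA name, hostname and the import password `secret` are constructed values; the only assumption is that the `openssl` CLI (1.1.1 or 3.x) is on PATH.

```shell
#!/bin/sh
# Added example, not code from the original question. Assumes only that the
# `openssl` CLI (1.1.1 or 3.x) is on PATH. Every key and certificate below is
# generated on the spot as disposable test material.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

PFX_PASS=secret   # constructed import password for the test .pfx

# Build a toy two-level chain (CA -> leaf) and pack the leaf key, the leaf
# certificate and the CA certificate into one PKCS#12 file, which is what a
# certificate provider typically delivers as a .pfx.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=sub1.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 2 -out leaf.crt 2>/dev/null
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile ca.crt \
        -passout "pass:$PFX_PASS" -out "$1"
}

# Number of certificates in a PEM file (prints 0 if there are none).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1" || true; }

# Three extractions from the same .pfx:
#   1) -nocerts          -> private key only (the command from the question)
#   2) -nokeys -cacerts  -> issuer/CA certificates only (SSLCACertificateFile)
#   3) -nokeys -clcerts  -> end-entity certificate only (SSLCertificateFile)
extract_all() {
    openssl pkcs12 -in "$1" -nocerts -nodes  -passin "pass:$PFX_PASS" -out key-only.pem
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$PFX_PASS" -out ca-only.pem
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$PFX_PASS" -out leaf-only.pem
}

# Can OpenSSL find the leaf's issuer in the given CA file? This is the same
# lookup mod_ssl has to perform before it can build an OCSP request to staple.
issuer_found() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

make_test_pfx bundle.pfx
extract_all bundle.pfx

echo "key-only.pem  certificates: $(count_certs key-only.pem)"
echo "ca-only.pem   certificates: $(count_certs ca-only.pem)"
echo "leaf-only.pem certificates: $(count_certs leaf-only.pem)"
if issuer_found ca-only.pem leaf-only.pem; then
    echo "issuer lookup with ca-only.pem:  OK"
fi
if ! issuer_found key-only.pem leaf-only.pem; then
    echo "issuer lookup with key-only.pem: FAILED (file holds no certificate)"
fi
```

Running it prints a certificate count of 0 for the `-nocerts` output and 1 for each of the other two files, and the issuer lookup succeeds only against `ca-only.pem`. Against a real provider bundle the same three commands apply; if `-cacerts` yields more than one certificate (an intermediate plus a root), the whole file can still be used as `SSLCACertificateFile`, since mod_ssl only needs the direct issuer of the server certificate to be somewhere in it.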