
Introduction

I want to configure OCSP stapling for a service running on this version of httpd:

[root@localhost ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Nov 19 2015 21:43:13

I am running this Linux distribution:

[root@localhost ~]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.2.1511 (Core)
Release:        7.2.1511
Codename:       Core

Approach

My understanding from reading the official Apache SSL HowTo and the official Apache SSL documentation is that, on the one hand, I have to edit the file /etc/httpd/conf/httpd.conf and, on the other hand, I have to specify and copy a .pem file. The tutorial here describes a similar approach.

Problem implementing the approach

In fact, my file /etc/httpd/conf/httpd.conf contains several VirtualHosts and looks like this (comments and some other things are omitted):

[root@localhost ~]# cat /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"
Listen 8443
ServerName my.main.domain.com
LoadModule  proxy_module         modules/mod_proxy.so
LoadModule  proxy_http_module    modules/mod_proxy_http.so
LoadModule  headers_module       modules/mod_headers.so
LoadModule  deflate_module       modules/mod_deflate.so
LoadFile    /usr/lib64/libxml2.so.2
LoadModule  xml2enc_module       modules/mod_xml2enc.so
LoadModule  proxy_html_module    modules/mod_proxy_html.so
LoadModule  ssl_module           /usr/lib64/httpd/modules/mod_ssl.so
Include conf.modules.d/*.conf
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
#commenting this in leads to the errors `AH02217`, `AH02235`,`AH01895` and `AH02312` from which httpd refused to restart
#SSLCACertificateFile /etc/httpd/conf/myFile.pem
<VirtualHost *:8443>
    ProxyPreserveHost On
    ProxyRequests Off
    ServerName sub1.my.main.domain.com
    RewriteEngine On
    ProxyVia Off
    ProxyPass / http://127.0.0.1:8887/
    ProxyPassReverse / http://127.0.0.1:8887/
    RequestHeader add X-Forwarded-Ssl on
    RequestHeader set X-Forwarded-Proto "https"
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine On
    SSLCertificateFile /etc/httpd/conf/someOtherFile.cer
    SSLCertificateKeyFile /etc/httpd/conf/someOtherFile.key
    #commenting this in here also leads to the errors `AH02217`, `AH02235`,`AH01895` and `AH02312` from which httpd refused to restart
    #SSLCACertificateFile /etc/httpd/conf/myFile.pem
</VirtualHost>
# more VirtualHost directives

This is the content of the error log file /etc/httpd/logs/error_log:

[Wed Apr 06 11:23:01.702030 2016] [ssl:error] [pid 19305] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Wed Apr 06 11:23:01.702050 2016] [ssl:error] [pid 19305] AH02235: Unable to configure server certificate for stapling
[Wed Apr 06 11:23:01.702639 2016] [ssl:emerg] [pid 19305] AH01895: Unable to configure verify locations for client authentication
[Wed Apr 06 11:23:01.702650 2016] [ssl:emerg] [pid 19305] AH02312: Fatal error initialising mod_ssl, exiting.

I generated the file myFile.pem from anotherFile.pfx using openssl as follows:

[root@localhost ~]# openssl pkcs12 -in anotherFile.pfx -nocerts -out myFile.pem
Enter Import Password:
MAC verified OK

Questions

  1. What is wrong with my configuration?
  2. Did I do something wrong when converting the .pfx file to a .pem file?
  3. What information do I need from the certificate provider to convert the .pfx file to a .pem file correctly?
  4. Is my description missing key information needed to debug this problem?

0 answers
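The errors in the question (AH02217 "Can't retrieve issuer certificate" followed by AH01895 "Unable to configure verify locations") are what mod_ssl reports when the file named by SSLCACertificateFile contains no certificates at all. The following added example, which is not part of the original post, shows how to check what a PEM file actually holds before pointing SSLCACertificateFile at it, and how to pull only the CA certificates out of a .pfx with openssl pkcs12 (`-nokeys -cacerts` instead of `-nocerts`, which writes only the private key). The file names and the two sample PEM files are constructed stand-ins, not real certificates or keys.

```shell
#!/bin/sh
# Added example: inspect a PEM file before using it as an issuer chain for
# OCSP stapling. "openssl pkcs12 -nocerts" writes only the private key, so
# the resulting file holds zero CERTIFICATE blocks and mod_ssl cannot find
# the issuer certificate it needs for stapling.

# count_pem_blocks FILE LABEL
#   Prints the number of "-----BEGIN <LABEL>-----" blocks in FILE (0 if none).
count_pem_blocks() {
    n=$(grep -c -- "^-----BEGIN $2-----" "$1" 2>/dev/null || true)
    printf '%s\n' "${n:-0}"
}

# pem_has_issuer_chain FILE
#   Succeeds only if FILE contains at least one certificate block, which is the
#   minimum SSLCACertificateFile needs; a key-only file fails this check.
pem_has_issuer_chain() {
    [ "$(count_pem_blocks "$1" CERTIFICATE)" -gt 0 ]
}

# extract_chain PFX OUT
#   Writes only the CA certificates from a provider-supplied .pfx into OUT.
#   Assumed usage, not from the post: -nokeys keeps the private key out of the
#   file, -cacerts selects the CA certificates rather than the server cert.
#   openssl prompts for the import password of the .pfx.
extract_chain() {
    openssl pkcs12 -in "$1" -nokeys -cacerts -out "$2"
}

# report FILE
#   Prints a one-line summary of what FILE contains.
report() {
    printf '%s: %s certificate(s), %s encrypted key(s), %s plain key(s)\n' \
        "$1" \
        "$(count_pem_blocks "$1" CERTIFICATE)" \
        "$(count_pem_blocks "$1" 'ENCRYPTED PRIVATE KEY')" \
        "$(count_pem_blocks "$1" 'PRIVATE KEY')"
}

# Constructed sample files (dummy base64, not valid keys or certificates).
# KEY_ONLY mimics the output of "openssl pkcs12 -nocerts"; CHAIN mimics the
# output of "openssl pkcs12 -nokeys -cacerts" with an intermediate and a root.
KEY_ONLY=$(mktemp)
CHAIN=$(mktemp)
cat >"$KEY_ONLY" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIConstructedSampleNotARealKey=
-----END ENCRYPTED PRIVATE KEY-----
EOF
cat >"$CHAIN" <<'EOF'
Bag Attributes: <No Attributes>
subject=/CN=Constructed Intermediate CA
issuer=/CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
MIIConstructedSampleNotARealIntermediate=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/CN=Constructed Root CA
issuer=/CN=Constructed Root CA
-----BEGIN CERTIFICATE-----
MIIConstructedSampleNotARealRoot=
-----END CERTIFICATE-----
EOF

report "$KEY_ONLY"
report "$CHAIN"
for f in "$KEY_ONLY" "$CHAIN"; do
    if pem_has_issuer_chain "$f"; then
        echo "$f: usable as SSLCACertificateFile"
    else
        echo "$f: NOT usable as SSLCACertificateFile (no certificates)"
    fi
done
```

Run `report` on the file you intend to reference from SSLCACertificateFile; if it shows zero certificates, regenerate it with `extract_chain` rather than with `-nocerts`. The private key belongs only in the file named by SSLCertificateKeyFile, and keeping it out of the chain file avoids exposing it through a directive that is often world-readable.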