- 论坛徽章:
- 0
|
操作系统和软件包:ubuntu-8.04-server + apache2.2.8 + openssl0.9.8
软件包都是apt-get install方式安装
配置时参考资料:
http://linux.chinaunix.net/bbs/viewthread.php?tid=1004201
http://grid.tsinghua.edu.cn/home ... ter/Apache2SVN.html
http://linux.chinaunix.net/bbs/v ... p%3Bfilter%3Ddigest
解决问题时搜索到的参考资料:
http://www.chinalinuxpub.com/bbs/showthread.php?t=49296
http://tec.serveblog.net/?p=114
http://www.debianhelp.co.uk/apacheinstall.htm
默认站点在 /var/www/
配置文件在 /etc/apache2/apache.conf(httpd.conf文件是空的)
日志在 /var/log/apache/error.log
启动脚本是 /usr/sbin/apache2ctl 或者 /etc/init.d/apache2
配置过程:
1、开启SSL模块
#a2enmod ssl
2、创建证书
可以使用apache内置的工具创建默认的证书,通过-days指定有效期。
#apache2-ssl-certificate ——找不到此条命令,不做过多纠缠
另外我们可以使用openssl来创建
#openssl req -x509 -newkey rsa:1024 -keyout apache.pem -out apache.pem -nodes -days 999
注:在要求输入Common Name (eg, YOUR name) 时,输入你的主机名。
#mkdir /etc/apache2/ssl
#mv apache.pem /etc/apache2/ssl/apache.pem
4、编辑SSL的配置
可以将当前的默认站点配置文件拷贝一份
#cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl
然后进行修改
#vi /etc/apache2/sites-available/ssl
把端口改为443,加入SSL认证配置
#NameVirtualHost *:443
<VirtualHost 192.168.99.161:443>
ServerSignature On
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.pem
ServerAdmin webmaster@localhost
............
</VirtualHost>
修改普通http方式的配置
#vi /etc/apache2/sites-enabled/000-default
把端口改为80
#NameVirtualHost *:80
<VirtualHost 192.168.99.161:80>
ServerAdmin webmaster@localhost
............
</VirtualHost>
5、编辑Apache端口配置,加入443端口(SSL的)
#vi /etc/apache2/ports.conf
Listen 80
Listen 443
重新载入Apache的配置
#/etc/init.d/apache2 force-reload
或者重新启动Apache2
#/etc/init.d/apache2 restart
到此处apache服务的启动正常,网页正常访问,但不能用https://url方式。
步骤一:签证
安装openssl后,在openssl下有一个CA.sh文件,就是利用此文件来签证,
来签三张证书,然后利用这三张证书来布SSL服务器。
1、在/etc/apache2/下,建立一个ssl.crt目录,将CA.sh文件copy至/etc/apache2/ssl.crt/目录
[root@dog /etc/apache2]# mkdir /etc/apache2/ssl.crt
[root@dog /etc/apache2/ssl.crt]# cp /usr/lib/ssl/misc/CA.sh /etc/apache2/ssl.crt/CA.sh
2、运行CA.sh -newca,他会找你要CA需要的一个CA自己的私有密钥密码文件。如果没有这个文件?按回车会自动创建,输入密码来保护这个密码文件。之后会要你的一个公司信息来做CA.crt文件。最后在当前目录下多了一个./demoCA这样的目录../demoCA/private/cakey.pem就是CA 的key文件啦,./demoCA/cacert.pem就是CA的crt文件了
[root@dog /etc/apache2/ssl.crt]# ./CA.sh -newca
要求输入如下信息:
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Beijing
Organization Name (eg, company) [My Company Ltd]:JJJ
Organizational Unit Name (eg, section) []:JJJ
Common Name (eg, your name or your server's hostname) []:dog
Email Address []:dog@hotmail.com
这样就建好了一个CA服务器,有了一个根证书的私钥cakey.pem及一张根证书cacert.pem,现在就可以cacert.pem来给签证了
3、签署服务器证书
生成服务器私钥:
[root@dog /etc/apache2/ssl.crt]# openssl genrsa -des3 -out server.key 1024
生成服务器证书请求:
[root@dog /etc/apache2/ssl.crt]# openssl req -new -key server.key -out server.csr
会要求输入信息:
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:Beijing
Locality Name (eg, city) [Newbury]:Beijing
Organization Name (eg, company) [My Company Ltd]:JJJ
Organizational Unit Name (eg, section) []:JJJ
Common Name (eg, your name or your server's hostname) []:dog
Email Address []:dog@hotmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:dog
An optional company name []:dog
最后把server.crt文件mv成newreq.pem,然后用CA.sh来签证就可以了:
[root@dog /etc/apache2/ssl.crt]# mv server.csr newreq.pem
[root@dog /etc/apache2/ssl.crt]# ./CA.sh -sign
这样就生成了server的证书newcert.pem
把newcert.pem改名成server.crt
[root@dog /etc/apache2/ssl.crt]# mv newcert.pem server.crt
4、处理客户端:
生成客户私钥:
[root@dog /etc/apache2/ssl.crt]# openssl genrsa -des3 -out client.key 1024
请求:
[root@dog /etc/apache2/ssl.crt]# openssl req -new -key client.key -out client.csr
签证:
[root@dog /etc/apache2/ssl.crt]# openssl ca -in client.csr -out client.crt
把证书格式转换成pkcs12格式:
[root@dog /etc/apache2/ssl.crt]# openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.pfx
5、这时就有了三张证书和三个私钥,一个是demoCA下的根证书,ssl.crt下的服务器证书和客户证书。及demoCA/private下的根 key,ssl.crt下的服务器key和客户key,在conf下的ssl.conf下指定证书的位置和服务器key的位置.
我是在conf下建立一个ssl.crt目录,并将所有的key和证书放到这里,同时复制一份证书,更名为ca.crt
[root@dog /etc/apache2/ssl.crt]# cp demoCA/cacert.pem ca.crt
步骤二:编辑ssl.conf
[root@dog /etc/apache2/]# cd mods-enabled
[root@dog /etc/apache2/mods-enabled]# vim ssl.conf 添加如下内容
#指定服务器证书位置
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#指定服务器证书key位置
SSLCertificateKeyFile /usr/local/apache/conf/ssl.crt/server.key
#证书目录
SSLCACertificatePath /usr/local/apache/conf/ssl.crt
#根证书位置
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/cacert.pem
#开启客户端SSL请求
SSLVerifyClient require
SSLVerifyDepth 1
启动ssl
[root@dog /etc/apache2/mods-enabled]# /usr/sbin/apache2ctl startssl
会要求输入server.key的密码,这样一个默认的SSL服务器及http服务器就启动了。
我执行以上命令提示:
The startssl option is no longer supported.
Please edit httpd.conf to include the SSL configuration settings
and then use apachectl start.
在此参考:http://tec.serveblog.net/?p=114 内容
(突然之間不了發生什麼事 ??到最後才明白 httpd2 + openssl-0.9.8 關於 ssl 的啟動方式變了,
這二者的組合只要將httpd.conf 中紅色這一行 “ Include conf/extra/httpd-ssl.conf ” 的mark拿除,
直接 /usr/local/xxx/bin/apachectl start 就會同時啟動ssl機制)
而我在
[root@dog /etc/apache2] vim /etc/apache2/apache.conf
中找到相类似的两行都没加注释:
Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf
之后执行
/usr/sbin/apachectl start
[Fri Dec 12 17:23:22 2008] [warn] The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias.
[Fri Dec 12 17:23:22 2008] [warn] VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Fri Dec 12 17:23:22 2008] [warn] VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive
Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for 、etsecurity reasons.
In order to read them you have to provide the pass phrases.
Server localhost:443 (RSA)
Enter pass phrase:我输入的密码
OK: Pass Phrase Dialog successful.
此时重启apache服务
[root@dog /etc/apache2]# /etc/init.d/apache restart
* Restarting web server apache2
[Fri Dec 12 17:28:22 2008] [warn] The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias.
[Fri Dec 12 17:28:22 2008] [warn] VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Fri Dec 12 17:28:22 2008] [warn] VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive
httpd (no pid file) not running
[Fri Dec 12 17:28:33 2008] [warn] The Alias directive in /etc/apache2/apache2.conf at line 130 will probably never match because it overlaps an earlier Alias.
[Fri Dec 12 17:28:33 2008] [warn] VirtualHost 192.168.99.162:443 overlaps with VirtualHost 192.168.99.162:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Fri Dec 12 17:28:33 2008] [warn] VirtualHost 192.168.99.161:443 overlaps with VirtualHost 192.168.99.161:443, the first has precedence, perhaps you need a NameVirtualHost directive
Apache/2.2.8 mod_ssl/2.2.8 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server localhost:443 (RSA)
Enter pass phrase:我输入的密码
OK: Pass Phrase Dialog successful.
[fail]
服务没有启动,貌似以上所报警告不应影响apache启动,我又tail /var/log/apache/error.log 显示
Init: Multiple RSA server certificates not
google也没有发现什么好的解决方案,特来请教坛友。
步骤三、安装和使用证书 ——还没做到这步
把刚才生成的证书:根证书ca.crt和客户证书client.pfx下到客户端,并安装,
ca.crt安装到信任的机构,client.pfx直接在windows安装或安装到个人证书位置,然后用IP访问HTTP和https服务器。
[ 本帖最后由 caichang 于 2008-12-12 17:36 编辑 ] |
|
免费注册
发表于 2008-12-12 17:34
发表于 2008-12-12 21:48
