CentOS 7 |阿帕奇2.4.6
我建立了一个专用的证书颁发机构(CA)和两个证书(一个用于服务器,一个用于客户端)。
然后,我将Apache配置为使用证书X.509来回答HTTPS连接,然后一切正常(我在浏览器中看到了)。
然后,当我配置客户端身份验证时,重新启动服务器并得到以下错误:
由于控制进程退出并显示错误代码,因此httpd.service的作业失败。有关详细信息,请参见“ systemctl状态httpd.service”和“ journalctl -xe”。
现在,它显示为“语法正确”,但是我仍然无法使用以下命令启动服务器,出现以下错误:
。 systemctl状态httpd.service
[root@localhost ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2019-05-01 18:35:40 WEST; 2min 3s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 12292 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 12288 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 12288 (code=exited, status=1/FAILURE)
May 01 18:35:37 src_ca systemd[1]: Starting The Apache HTTP Server...
May 01 18:35:40 src_ca systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 18:35:40 src_ca kill[12292]: kill: cannot find process ""
May 01 18:35:40 src_ca systemd[1]: httpd.service: control process exited, code=exited status=1
May 01 18:35:40 src_ca systemd[1]: Failed to start The Apache HTTP Server.
May 01 18:35:40 src_ca systemd[1]: Unit httpd.service entered failed state.
May 01 18:35:40 src_ca systemd[1]: httpd.service failed.
。“ journalctl -xe”
May 01 18:39:16 src_ca polkitd[2607]: Registered Authentication Agent for unix-process:12474:9099194 (system bus name :1.157 [/usr/bin/pkttyagent --notify-fd 5 --fallba
May 01 18:39:16 src_ca systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
May 01 18:39:18 src_ca systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
May 01 18:39:18 src_ca kill[12483]: kill: cannot find process ""
May 01 18:39:18 src_ca systemd[1]: httpd.service: control process exited, code=exited status=1
May 01 18:39:18 src_ca systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
May 01 18:39:18 src_ca systemd[1]: Unit httpd.service entered failed state.
May 01 18:39:18 src_ca systemd[1]: httpd.service failed.
May 01 18:39:18 src_ca polkitd[2607]: Unregistered Authentication Agent for unix-process:12474:9099194 (system bus name :1.157, object path /org/freedesktop/PolicyKit1/
我将在下面保留用于配置客户端身份验证的过程。我将在问题的底部保留一些有用的文件。
配置客户端身份验证的过程
首先在文件“ /etc/httpd/conf.d/ssl.conf”中找到选项“ SSLCACertificateFile”:
vi +/SSLCACertificateFile /etc/httpd/conf.d/ssl.conf将路径更新为:
/etc/pki/CA/certs/ca.crt这是CA证书的位置。
注意:客户端的证书位于/ etc / pki / CA / certs文件夹中。我不确定在配置客户端身份验证时是否会引起任何问题。 (更新:编辑1)
删除指令“ SSLVerifyClient require”上的“#”。
保存更改并使用
:wq退出文件,然后重新启动服务器:systemctl restart httpd有用的调试文件
。 “ etc / hosts”(添加IP +主机)
。 “ / etc / hostname”(可以使用
hostnamectl set-hostname new-hostname完成)
。 “ etc / httpd / conf / httpd.conf”
。 “ /etc/httpd/conf.d/ssl.conf”
。 “ / var / log / httpd / error_log”
[Wed May 01 18:18:13.050768 2019] [core:notice] [pid 11416] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Wed May 01 18:18:13.053282 2019] [suexec:notice] [pid 11416] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[We May 01 18:18:16.238779 2019] [ssl:emerg] [pid 11416] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information
。 “ / var / log / httpd / ssl_error_log”
[Wed May 01 18:18:16.238749 2019] [ssl:emerg] [pid 11416] AH01895: Unable to configure verify locations for client authentication
最佳答案
我使用了在另一个上下文上构建的证书,重新启动了Apache,但未显示错误。
这意味着错误必须出在证书上。
鉴于此,我仔细检查了用于构建CA的过程(我将在此答案的底部添加该过程)并发现了错误。
我使用的是“临时”证书而不是cacert.pem。
创建CA的过程:openssl genrsa -des3 -out /etc/pki/CA/private/cakey.pemopenssl req -new -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/ca.crtopenssl x509 -req -days 100 -in ca.crt -out cacert.pem -signkey private/cakey.pem
关于apache - 配置客户端身份验证后无法启动Apache Server,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/55939858/