SSL 一直等待回應

tag-icon tag-icon linux apache-http-server ssl https letsencrypt
SSL 一直等待回應

我正在嘗試配置 HTTPS,但它不起作用,我真的不知道出了什麼問題。

這些是我遵循的步驟:

  1. 我已經產生了一個.pem證書(證書+鏈)讓我們加密,透過使用下一個命令:

    sudo -H ./letsencrypt-auto certonly --server https://acme-v01.api.letsencrypt.org/directory

響應是這樣的:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxxx.com/fullchain.pem. Your cert
   will expire on 2016-03-07. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

  1. 我已經產生了私鑰

    sudo openssl req -new -x509 -days 365 -nodes -out /etc/letsencrypt/live/xxxx.com/fullchain.pem -keyout /etc/letsencrypt/live/xxxx.com/fullchain.key

下面我貼回覆:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:xxxx
Locality Name (eg, city) []:xxxx
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx.com
Common Name (e.g. server FQDN or YOUR name) []:test
Email Address []:[email protected]

  1. 我已檢查該鍵是否返回我在上一個步驟中設定的正確值:

    sudo openssl x509 -in /etc/letsencrypt/live/xxxx.com/fullchain.pem -noout -subject

下面我貼回覆:

subject= /C=US/ST=xxxx/L=xxxx/O=xxxx/OU=xxxx.com/CN=test/
[email protected]

  1. 我設定了一個新的虛擬主機,將其複製到下面:

    <VirtualHost *:443>
  ServerAdmin [email protected]
  DocumentRoot /var/www/html/xxx1/public
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  ServerName xxxx.com
  SSLEngine on

  SSLCertificateFile      /etc/letsencrypt/live/xxxx.com/fullchain.pem
  SSLCertificateKeyFile      /etc/letsencrypt/live/xxxx.com/fullchain.key

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
  </FilesMatch>

  <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
  </Directory>

  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

  2. 我已經在我的/etc/apache2/ports.conf.

完成所有這些步驟後,我剛剛完成sudo service apache2 restart,但控制台只是在等待,直到我得到:

Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.

當我調試它時,journalctl -xe結果如下:

-- Unit apache2.service has begun starting up.
Dec 08 19:12:20 devXxxx apache2[21637]: * Starting web server apache2
Dec 08 19:12:20 devXxxx apache2[21637]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 100.114.32.17. Set the 'ServerName' directive globally to suppress this mes
Dec 08 19:12:20 devXxxx apache2[21637]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Dec 08 19:12:29 devXxxx sudo[21613]: pam_unix(sudo:session): session closed for user root
Dec 08 19:12:29 devXxxx polkitd(authority=local)[996]: Unregistered Authentication Agent for unix-process:21628:9475994 (system bus name :1.109, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, loca
Dec 08 19:12:40 devXxxx apache2[21637]: *
Dec 08 19:12:40 devXxxx apache2[21637]: * The apache2 instance did not start within 20 seconds. Please read the log files to discover problems
Dec 08 19:12:40 devXxxx systemd[1]: apache2.service: Control process exited, code=exited status=1
Dec 08 19:12:40 devXxxx systemd[1]: Failed to start LSB: Apache2 web server.
-- Subject: Unit apache2.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit apache2.service has failed.

在觀察了 apache 嘗試加載的這 20 秒後,我決定測試證書,如下所示:

  1. 檢查只有 1 張憑證:

    sudo ln -s /etc/letsencrypt/live/xxxx.com/fullchain.pemsudo openssl x509 -hash -noout -in /etc/letsencrypt/live/xxxx.com/fullchain.pem.0

  2. 驗證證書是否有效:

    openssl verify -CApath f6361f65.0

但令人驚訝的是,它沒有......終端不斷嘗試連接而沒有響應。

有人能幫我嗎?

謝謝指教。

答案1

首先,看起來有些東西已經綁定到連接埠443

Dec 08 19:12:20 devXxxx apache2[21637]: (98)位址已在使用: AH00072: make_sock: 無法綁定至位址 [::]:443 D

接下來,使用 Lets Encrypt,您不需要設定自己的私鑰,腳本應該為您產生一個私鑰(除非您手動產生自己的 CSR)。

腳本完成後,letsencrypt-auto您的證書目錄中應該有 4 個檔案。

  • cert.pem- 這是你的證書。在 Apache 中SSLCertificateFile應該指向這個檔案。
  • privkey.pem- 這是你的私鑰。保密。在 Apache 中SSLCertificateKeyFile應該指向這個檔案。
  • chain.pem- 這是建立您信任的憑證鏈。在 Apache 中,您可以指向SSLCertificateChainFile此文件。
  • fullchain.pemcert.pem- 這是和的組合chain.pem,因此它是您的憑證及其完整的信任鏈。在 Apache 中指向SSLCACertificateFile該檔案。

讓我們加密文檔

答案2

對於letsencypt,這個指令對我有用,不需要停止伺服器

./letsencrypt-auto certonly --webroot -w /websitedir -d www.domain.com

在 nginx 的此過程之後,您可以連結證書。

ln -s privkey.pem /etc/ssl/domain.key
ln -s fullchain.pem /etc/ssl/domain.crt

相關內容