2016/01/25

Setting up SSL on Apache in a local test environment

I was building a test environment on an Apache server, and httpd would not start after I added the SSL entries to the Apache config file.


$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/ssl.conf: Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory
                                                           [失敗]
No mod_ssl, it says.

Installing mod_ssl

$ sudo yum install mod_ssl openssl

$ sudo service httpd restart
httpd を停止中:                                            [失敗]
httpd を起動中: Syntax error on line 123 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateChainFile: file '/etc/pki/tls/certs/server-chain.crt' does not exist or is empty
So even for a test environment, I have to create a key after all.


Creating the private key

$ sudo mkdir /etc/httpd/conf/ssl.key
$ cd /etc/httpd/conf/ssl.key/
$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................++++++
....................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: [enter passphrase]
Verifying - Enter pass phrase for server.key: [re-enter passphrase to confirm]

$ sudo chmod 400 server.key

Creating the certificate signing request (CSR)

$ sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter passphrase]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chiyoda
Organization Name (eg, company) [Default Company Ltd]:Hogehoge
Organizational Unit Name (eg, section) []:[Enter: skip]
Common Name (eg, your name or your server's hostname) []:[enter host name]
Email Address []:[enter email address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter: skip]
An optional company name []:[Enter: skip]

$ sudo chmod 400 server.csr

The config that didn't work (my misunderstanding)

/etc/httpd/conf.d/ssl.conf
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateFile /etc/httpd/conf/ssl.key/server.csr

$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
                                                           [失敗]
Dammit, it won't start.

/var/log/httpd/error_log

[Mon Jan 25 17:21:30 2016] [error] Init: Unable to read server certificate from file /etc/httpd/conf/ssl.key/server.csr
[Mon Jan 25 17:21:30 2016] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 25 17:21:30 2016] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Is the CSR file corrupted?
$ sudo openssl x509 -noout -text -in /etc/httpd/conf/ssl.key/server.csr
unable to load certificate
140169678825288:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

It can't be loaded...
Ah... I was confusing the signing request with the certificate.

Creating the server certificate

$ sudo openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
$ chmod 400 server.crt

/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl.key/server.crt

$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中: 
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
It asked for the passphrase, but it started fine.
But being asked for a passphrase is a problem: httpd can't be restarted automatically after a failure.
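The key, CSR and self-signed certificate steps above, put into one non-interactive script. This is an added example and not from the original post. It assumes the same file names (server.key, server.csr, server.crt) and uses "sitetest", the host name that appears in the post's restart output, as the CN. It deviates from the post in two places: a 2048-bit key rather than 1024 (1024-bit RSA is below what current OpenSSL and browsers accept), and no -des3 on the key, so the Pass Phrase Dialog shown above never appears. pem_type, make_test_cert and cert_cn are helper names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds server.key, server.csr and a
# self-signed server.crt without any interactive prompts. Paths and host name are
# assumptions; "sitetest" is just the host name that appears in the post's output.
set -eu

# pem_type FILE: print the label of the first PEM block, e.g. "CERTIFICATE REQUEST".
# This label is the difference mod_ssl tripped over: SSLCertificateFile must point
# at a "CERTIFICATE", and a CSR is a "CERTIFICATE REQUEST", which x509 cannot load.
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# make_test_cert DIR HOST [DAYS]: the same three openssl steps as the post, scripted.
make_test_cert() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"
    # 2048 bits instead of the post's 1024, and no -des3: an encrypted key makes
    # httpd stop at the Pass Phrase Dialog on every start.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # -subj supplies the Distinguished Name so `openssl req` does not prompt.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=Hogehoge/CN=$host" 2>/dev/null
    # Self-sign the CSR with its own key, exactly as the post does.
    openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" -days "$days" 2>/dev/null
    chmod 400 "$dir/server.key" "$dir/server.csr" "$dir/server.crt"
}

# cert_cn FILE: print the CN of a certificate; fails if FILE is not a certificate,
# which is what happens when the CSR is handed to x509.
cert_cn() {
    subj=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || return 1
    # Handles both "subject= /C=JP/.../CN=host" and "subject=C = JP, ..., CN = host".
    printf '%s\n' "$subj" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

if [ "${CERT_DEMO:-}" = "1" ]; then
    d=$(mktemp -d)
    make_test_cert "$d" sitetest
    echo "server.csr is a: $(pem_type "$d/server.csr")"
    echo "server.crt is a: $(pem_type "$d/server.crt")"
    echo "certificate CN:  $(cert_cn "$d/server.crt")"
    cert_cn "$d/server.csr" || echo "server.csr is not a certificate (the post's mistake)"
fi
```

Run it with CERT_DEMO=1 to see the three files produced in a temporary directory; point SSLCertificateFile at server.crt and SSLCertificateKeyFile at server.key, never at server.csr.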

Removing the passphrase

$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: [enter the original passphrase]

$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中: httpd: apr_sockaddr_info_get() failed for sitetest
                                                           [  OK  ]
It worked. Phew.
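Every restart in this post failed for a reason that is visible in the files before httpd is even started: a chain file that does not exist, a CSR where a certificate belongs, and a key that still needs a passphrase. The check below, an added example that is not part of the original post, reads the SSLCertificate* directives out of an ssl.conf and inspects the PEM header of each file they point at. Paths are assumptions; the demo files are constructed stand-ins with fake bodies (only the headers matter to the checker), and pem_type, key_is_encrypted, list_ssl_problems, check_ssl_conf and write_demo_files are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original post: a check to run before
# `service httpd restart` that catches the three things that bit the post,
# a missing SSLCertificateChainFile, a CSR where a certificate belongs, and a
# passphrase-protected key. Paths are assumptions; the demo files are constructed.
set -eu

# pem_type FILE: print the label of the first PEM block, e.g. "CERTIFICATE REQUEST".
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# key_is_encrypted FILE: succeeds when the key needs a passphrase. Both forms make
# httpd stop at the Pass Phrase Dialog, which is what breaks unattended restarts.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# list_ssl_problems CONF: one line per problem found in the SSLCertificate* directives.
list_ssl_problems() {
    # Commented-out directives start with '#', so they do not match the pattern.
    awk '$1 ~ /^SSLCertificate(File|KeyFile|ChainFile)$/ { print $1, $2 }' "$1" |
    while read -r directive path; do
        if [ ! -s "$path" ]; then
            # Same wording mod_ssl itself used in the post's second restart.
            echo "$directive: file '$path' does not exist or is empty"
            continue
        fi
        label=$(pem_type "$path")
        case "$directive" in
            SSLCertificateFile|SSLCertificateChainFile)
                [ "$label" = "CERTIFICATE" ] ||
                    echo "$directive: $path is a '$label', not a CERTIFICATE"
                ;;
            SSLCertificateKeyFile)
                case "$label" in
                    *"PRIVATE KEY") ;;
                    *) echo "$directive: $path is a '$label', not a private key" ;;
                esac
                if key_is_encrypted "$path"; then
                    echo "$directive: $path needs a passphrase; httpd will prompt on every start"
                fi
                ;;
        esac
    done
}

# check_ssl_conf CONF: print the problems and fail if there are any.
check_ssl_conf() {
    report=$(list_ssl_problems "$1")
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# write_demo_files DIR: the post's mistaken ssl.conf, with constructed stand-in files
# (fake bodies; only the PEM headers matter here).
write_demo_files() {
    mkdir -p "$1"
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIBconstructedCsrBody' \
        '-----END CERTIFICATE REQUEST-----' > "$1/server.csr"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'MIICconstructedKeyBody' \
        '-----END RSA PRIVATE KEY-----' > "$1/server.key"
    printf '%s\n' "SSLCertificateKeyFile $1/server.key" \
        "SSLCertificateFile $1/server.csr" \
        "SSLCertificateChainFile $1/server-chain.crt" > "$1/ssl.conf"
}

if [ "${SSL_PREFLIGHT_DEMO:-}" = "1" ]; then
    d=$(mktemp -d)
    write_demo_files "$d"
    check_ssl_conf "$d/ssl.conf" || echo "fix these before 'service httpd restart'"
fi
```

Against the post's first ssl.conf the check reports all three problems at once; after switching SSLCertificateFile to server.crt and stripping the passphrase with `openssl rsa`, it reports nothing and exits 0, so it can sit in front of the restart in a deploy script.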


Reference sites

・SSL with apache+mod_ssl
http://www.server-memo.net/server-setting/apache/apache-mod_ssl.html
・The whole story of a failed server certificate installation
https://pc.shigizemi.com/2015/07/31/error-crt/
・Apache 2.2 (Win32) with SSL test environment setup notes
http://ptsv.org/repository/apache-22wind32-with-ssl-%E3%83%86%E3%82%B9%E3%83%88%E7%92%B0%E5%A2%83%E5%B0%8E%E5%85%A5%E3%83%8E%E3%83%BC%E3%83%88/
・How to start Apache without entering a passphrase
https://jp.globalsign.com/support/faq/93.html
