2016/01/25

Setting up SSL for Apache in a local test environment


While putting together a test environment on an Apache server, I added the SSL settings to Apache's config file, but httpd would not start.


$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/ssl.conf: Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory
                                                           [失敗]
It says mod_ssl is missing.

Installing mod_ssl

$ sudo yum install mod_ssl openssl

$ sudo service httpd restart
httpd を停止中:                                            [失敗]
httpd を起動中: Syntax error on line 123 of /etc/httpd/conf.d/ssl.conf:
SSLCertificateChainFile: file '/etc/pki/tls/certs/server-chain.crt' does not exist or is empty
So even though it is only a test environment, I still have to create a key.


Create the private key

$ sudo mkdir /etc/httpd/conf/ssl.key
$ cd /etc/httpd/conf/ssl.key/
$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................++++++
....................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: [enter a pass phrase]
Verifying - Enter pass phrase for server.key: [enter the pass phrase again to confirm]

$ sudo chmod 400 server.key

Create the certificate signing request (CSR)

$ sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter the pass phrase]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chiyoda
Organization Name (eg, company) [Default Company Ltd]:Hogehoge
Organizational Unit Name (eg, section) []:[Enter: skip]
Common Name (eg, your name or your server's hostname) []:[enter the hostname]
Email Address []:[enter an e-mail address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter: skip]
An optional company name []:[Enter: skip]

$ sudo chmod 400 server.csr

A configuration that does NOT work (my misunderstanding)

/etc/httpd/conf.d/ssl.conf
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateFile /etc/httpd/conf/ssl.key/server.csr
$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
                                                           [失敗]
Damn, it still won't start.
/var/log/httpd/error_log

[Mon Jan 25 17:21:30 2016] [error] Init: Unable to read server certificate from file /etc/httpd/conf/ssl.key/server.csr
[Mon Jan 25 17:21:30 2016] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 25 17:21:30 2016] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Is the CSR file corrupted?
$ sudo openssl x509 -noout -text -in /etc/httpd/conf/ssl.key/server.csr
unable to load certificate
140169678825288:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE

It can't load that either...
Ah, I was mixing up the signing request and the certificate. A CSR is PEM-encoded with a CERTIFICATE REQUEST header and contains no X.509 certificate, which is why mod_ssl fails with the ASN.1 "wrong tag" error and openssl x509 complains about "no start line" above.

Create the server certificate

$ sudo openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
$ chmod 400 server.crt
/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/httpd/conf/ssl.key/server.crt
$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中: 
Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
                                                           [  OK  ]
It asked for the pass phrase, but it started fine.
However, being prompted for a pass phrase is a problem: httpd cannot be restarted automatically after a failure.

Removing the pass phrase

$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: [enter the original pass phrase]
$ sudo service httpd restart
httpd を停止中:                                            [  OK  ]
httpd を起動中: httpd: apr_sockaddr_info_get() failed for sitetest
                                                           [  OK  ]
That did it. Phew.
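As an added example (not from the original post), here is a small POSIX shell check that catches both mistakes made above before httpd is restarted: SSLCertificateFile pointing at the CSR instead of the certificate, and a key that still carries a pass phrase (the Proc-Type line that genrsa -des3 writes). The sample PEM files and ssl.conf fragments are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Report what a PEM file actually is, by its BEGIN header (and, for legacy
# "RSA PRIVATE KEY" files, the Proc-Type line that -des3 encryption adds).
# Prints one of: csr | cert | encrypted-key | key | unknown | missing
pem_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    first=$(sed -n '/^-----BEGIN /{p;q;}' "$1")
    case "$first" in
        *'BEGIN CERTIFICATE REQUEST'*)   echo csr ;;
        *'BEGIN CERTIFICATE'*)           echo cert ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo encrypted-key ;;
        *'PRIVATE KEY'*)
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo encrypted-key
            else
                echo key
            fi ;;
        *) echo unknown ;;
    esac
}

# Check the SSLCertificateFile / SSLCertificateKeyFile pair in an ssl.conf.
# Returns 0 only when the certificate file is a certificate (not the CSR)
# and the key has no pass phrase (so httpd can restart unattended).
check_ssl_conf() {
    crt=$(awk '$1 == "SSLCertificateFile"    { print $2 }' "$1" | tail -n 1)
    key=$(awk '$1 == "SSLCertificateKeyFile" { print $2 }' "$1" | tail -n 1)
    [ "$(pem_kind "$crt")" = cert ] ||
        { echo "SSLCertificateFile $crt is '$(pem_kind "$crt")', not a certificate"; return 1; }
    [ "$(pem_kind "$key")" = key ] ||
        { echo "SSLCertificateKeyFile $key is '$(pem_kind "$key")'; httpd would prompt for a pass phrase"; return 2; }
    echo "ok: $crt with $key"
}

# Constructed sample files: the base64 bodies are placeholders, not real keys.
D=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'MIIB...placeholder...' '-----END CERTIFICATE REQUEST-----' > "$D/server.csr"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$D/server.crt"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'MIIC...placeholder...' '-----END RSA PRIVATE KEY-----' > "$D/server.key.enc"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIC...placeholder...' '-----END RSA PRIVATE KEY-----' > "$D/server.key"
# The post's first attempt (CSR as certificate, key still encrypted) and the final one.
printf 'SSLCertificateKeyFile %s\nSSLCertificateFile %s\n' "$D/server.key.enc" "$D/server.csr" > "$D/ssl-wrong.conf"
printf 'SSLCertificateKeyFile %s\nSSLCertificateFile %s\n' "$D/server.key" "$D/server.crt" > "$D/ssl-fixed.conf"

check_ssl_conf "$D/ssl-wrong.conf" || echo "exit status $?: do not restart httpd yet"
check_ssl_conf "$D/ssl-fixed.conf"
```

Run it against the real /etc/httpd/conf.d/ssl.conf as root and it will also flag a chain file that does not exist, like the server-chain.crt error earlier in this post.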


