
Fixing httpd failing to start because of SSL

During the IPA installation, /etc/httpd/conf.d/ssl.conf was edited to replace every 443 with 444, which caused httpd to fail to start.
Checking the log /var/log/httpd/error_log shows the following message:

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name

Edit the hosts file as follows:

[root@ipa conf.d]# cat /etc/hosts
127.0.0.1   localhost.localdomain   localhost.localdomain   localhost4  localhost4.localdomain4 localhost   ipa ipa.xionghuilin.com
::1 localhost.localdomain   localhost.localdomain   localhost6  localhost6.localdomain6 localhost   ipa ipa.xonghuilin.com
192.168.26.120 ipa ipa.xionghuilin.com
[root@ipa conf.d]#
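The "Could not reliably determine the server's fully qualified domain name" message appears when Apache cannot map the local hostname to a dotted FQDN. The following Python helper, added here as an example and not part of the original post, parses a hosts file in the format shown above and reports the conditions that trigger that message or make the mapping ambiguous. The sample text is the listing from the post; the function names `parse_hosts`, `fqdns_for` and `check_hosts` are my own.

```python
"""Check that /etc/hosts lets Apache resolve the local hostname to one FQDN.

Added example, not from the original post. It looks for the two problems
that matter for ServerName detection: the short hostname not mapping to any
dotted name, and the same hostname mapping to differently spelled FQDNs.
"""

# Constructed sample: the hosts file listed in the post.
SAMPLE_HOSTS = """\
127.0.0.1   localhost.localdomain   localhost.localdomain   localhost4  localhost4.localdomain4 localhost   ipa ipa.xionghuilin.com
::1 localhost.localdomain   localhost.localdomain   localhost6  localhost6.localdomain6 localhost   ipa ipa.xonghuilin.com
192.168.26.120 ipa ipa.xionghuilin.com
"""

# Constructed sample: a hosts file with only the localhost entries.
NO_FQDN_HOSTS = """\
127.0.0.1   localhost.localdomain localhost
192.168.26.120 ipa
"""


def parse_hosts(text):
    """Return a list of (address, [names]) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def fqdns_for(text, hostname):
    """Collect every dotted, non-localhost name that shares a line with `hostname`."""
    found = set()
    for _addr, names in parse_hosts(text):
        if hostname in names:
            found.update(n for n in names if "." in n and not n.startswith("localhost"))
    return found


def check_hosts(text, hostname, expected_ip):
    """Return a list of findings; an empty list means the mapping is usable and consistent."""
    findings = []
    fqdns = fqdns_for(text, hostname)
    if not fqdns:
        findings.append("%s does not map to any fully qualified name" % hostname)
    elif len(fqdns) > 1:
        # Two spellings of the FQDN on different lines: whichever line wins the
        # lookup decides what ServerName Apache picks, so make them agree.
        findings.append("inconsistent FQDNs for %s: %s" % (hostname, ", ".join(sorted(fqdns))))
    addrs = {addr for addr, names in parse_hosts(text) if hostname in names}
    if expected_ip not in addrs:
        findings.append("%s is not mapped to %s" % (hostname, expected_ip))
    return findings


if __name__ == "__main__":
    for finding in check_hosts(SAMPLE_HOSTS, "ipa", "192.168.26.120"):
        print("finding:", finding)
```

Run against the listing from the post, the checker flags that `ipa` maps to two different domain spellings across the 127.0.0.1/::1 lines and the 192.168.26.120 line; correcting them to one FQDN (or setting `ServerName` explicitly in httpd.conf) removes the warning for good.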

Error 2: Apache cannot start because the SSL library reports "Certificate has expired".

Following https://www.cnblogs.com/Fle-x/articles/5789614.html, regenerate the SSL certificate:

[root@ipa ~]# service httpd start
Starting httpd:                                            [FAILED]
[root@ipa ~]# vim /etc/httpd/conf.d/ssl.conf
[root@ipa ~]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Dec 18 03:03:47 2006
            Not After : Sat Dec 18 03:03:47 2010
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    e7:01:10:1d:25:a3:17:03:6e:96:07:7e:24:b0:da:d9:
                    3f:a2:27:68:a1:31:f6:94:2a:81:76:58:1c:1f:04:a8:
                    18:c2:4e:5f:54:8d:2a:69:58:cc:34:23:92:31:22:55:
                    6d:a2:82:eb:b9:67:f0:cc:11:c0:a1:e8:8a:95:a4:20:
                    63:59:87:b6:3e:c6:d6:ae:9b:7d:ab:16:ca:ff:14:43:
                    c8:6f:a0:68:58:f3:94:16:e0:6c:81:1f:17:b1:de:ee:
                    a1:68:40:f7:91:c1:8a:4d:81:b0:80:5a:e6:e6:77:84:
                    0e:cf:aa:1c:bc:ea:d1:d0:cf:41:6a:ad:72:7a:20:4d
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <ssl Server>

            Name: Certificate Key Usage
            Usages: Key Encipherment

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        93:9e:e1:a0:58:cb:77:04:0a:cc:6f:d1:cb:19:72:1f:
        bd:0a:c6:67:a3:56:0d:76:34:e0:2e:73:3a:5e:35:f9:
        7b:44:98:c5:a1:ce:d6:f8:7a:b3:6a:75:73:72:c5:b7:
        d1:f5:fb:94:44:65:d5:30:39:a4:b9:e5:56:9b:d6:01:
        4a:2e:65:69:c8:ab:a7:0b:c3:b5:5b:8c:ed:6d:51:86:
        f1:31:d8:9b:1f:45:0f:47:1e:fc:d2:15:a5:96:b1:19:
        0c:ac:7c:9a:4c:99:4d:78:46:c8:f9:29:f2:54:35:f6:
        75:34:61:c8:c1:7c:53:9c:af:7a:00:da:21:eb:29:ab
    Fingerprint (MD5):
        E2:31:F4:31:CE:63:00:A1:E2:FB:F0:16:3B:9F:DA:A3
    Fingerprint (SHA1):
        C0:23:89:24:2A:5B:66:73:76:F7:E4:74:B8:A5:CC:A6:01:DA:29:CF

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@ipa ~]# cd /etc/httpd/alias
[root@ipa alias]# ls
cert8.db  install.log  key3.db  libnssckbi.so  secmod.db
[root@ipa alias]#  rm -f *.db
[root@ipa alias]# /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
[root@ipa alias]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Sat Oct 19 05:48:49 2019
            Not After : Thu Oct 19 05:48:49 2023
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:08:43:46:30:91:9c:07:69:0e:c0:5d:94:7e:38:b2:
                    19:d2:1b:ab:97:a3:4a:06:b2:d3:af:53:94:7e:33:5c:
                    15:ad:19:27:63:ab:40:e5:37:dd:d2:44:68:1c:f6:7a:
                    6c:25:ad:8e:86:68:9a:f3:fe:0f:9b:fd:88:e0:d9:70:
                    c8:a9:aa:d0:fe:2a:4d:88:15:60:27:7b:e6:71:d4:14:
                    f7:79:67:8e:a7:75:3d:03:b0:70:73:59:a4:bd:a0:9f:
                    3a:d1:5a:89:f3:82:fe:bf:bb:26:8e:d4:b2:e0:39:9d:
                    55:15:b2:f9:f4:84:b6:c7:15:9a:e2:a0:5f:4d:c7:b1
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Type
            Data: <ssl Server>

            Name: Certificate Key Usage
            Usages: Key Encipherment

    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
        7d:06:59:6e:a8:98:02:df:b7:44:45:70:af:a8:ab:ac:
        7d:60:30:6f:b2:bb:8b:c7:e0:24:e3:dd:42:27:f2:ed:
        d5:87:2f:6c:b6:f7:28:b0:d8:fb:21:59:f0:b4:aa:a0:
        c6:6e:01:98:64:59:d4:05:64:0d:5f:6f:ad:69:58:a4:
        9b:49:56:a2:e1:fd:8b:20:0d:c3:df:7c:88:d9:38:a5:
        52:d7:88:a0:6f:30:6f:0d:9e:cc:e0:25:3f:7a:43:ce:
        52:99:d5:99:d0:6c:df:13:bb:20:fe:b4:07:71:8b:07:
        72:37:7d:1d:9b:5c:82:fa:57:e2:75:e8:69:5e:27:d7
    Fingerprint (MD5):
        40:D7:F4:E6:DF:B7:D5:16:11:F6:EA:17:6E:35:90:76
    Fingerprint (SHA1):
        BD:9F:1B:A3:39:DB:53:52:02:2C:9F:70:D2:0E:46:BA:A4:FE:B6:5F

    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

[root@ipa alias]# ll
total 92
-rw-------. 1 root root 65536 Oct 19 13:48 cert8.db
-rw-------. 1 root root  4614 Oct 19 13:48 install.log
-rw-------. 1 root root 16384 Oct 19 13:48 key3.db
lrwxrwxrwx. 1 root root    31 Dec 18  2006 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rw-------. 1 root root 16384 Oct 19 13:48 secmod.db
[root@ipa alias]# chmod 750 *.db
[root@ipa alias]# ll
total 92
-rwxr-x---. 1 root root 65536 Oct 19 13:48 cert8.db
-rw-------. 1 root root  4614 Oct 19 13:48 install.log
-rwxr-x---. 1 root root 16384 Oct 19 13:48 key3.db
lrwxrwxrwx. 1 root root    31 Dec 18  2006 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rwxr-x---. 1 root root 16384 Oct 19 13:48 secmod.db
[root@ipa alias]# service httpd start
Starting httpd:                                            [  OK  ]
[root@ipa alias]#
[root@ipa alias]# service httpd status
httpd (pid  20838) is running...
[root@ipa alias]# pwd
/etc/httpd/alias
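The expiry in the session above was only discovered when httpd refused to start. The Python helper below, added here as an example and not code from the original post, parses the `Validity` block that `certutil -L -n Server-Cert` prints and reports whether the certificate is expired, not yet valid, or within a warning window; it also flags the SHA-1 signature algorithm visible in both certificates, which modern browsers reject. The sample text is built from the two certificates shown above; the names `parse_validity`, `cert_status` and `signature_warnings` are my own.

```python
"""Check the validity window of a certificate from `certutil -L -n <nick>` output.

Added example, not from the original post. Feed it the text printed by
certutil (for example: certutil -d /etc/httpd/alias -L -n Server-Cert)
and it tells you whether httpd will reject the certificate today.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the header of the expired certificate shown in the post.
OLD_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Dec 18 03:03:47 2006
            Not After : Sat Dec 18 03:03:47 2010
        Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
"""

# Constructed sample: the same header with the dates of the regenerated certificate.
NEW_CERT = (OLD_CERT
            .replace("Mon Dec 18 03:03:47 2006", "Sat Oct 19 05:48:49 2019")
            .replace("Sat Dec 18 03:03:47 2010", "Thu Oct 19 05:48:49 2023"))

# certutil prints timestamps like "Sat Dec 18 03:03:47 2010".
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_validity(text):
    """Return (not_before, not_after) as naive datetimes parsed from the Validity block."""
    m_before = re.search(r"Not Before:\s*(.+)", text)
    m_after = re.search(r"Not After\s*:\s*(.+)", text)
    if not (m_before and m_after):
        raise ValueError("no Validity block found in certutil output")
    return (datetime.strptime(m_before.group(1).strip(), DATE_FMT),
            datetime.strptime(m_after.group(1).strip(), DATE_FMT))


def cert_status(text, now, warn_days=30):
    """Classify the certificate relative to `now`: valid, expiring soon, expired or not yet valid."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not yet valid"
    if now >= not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring soon"
    return "valid"


def signature_warnings(text):
    """Flag weak signature algorithms reported by certutil."""
    warnings = []
    m = re.search(r"Signature Algorithm:\s*(.+)", text)
    if m and "SHA-1" in m.group(1):
        warnings.append("certificate is signed with SHA-1, which modern browsers reject")
    return warnings


if __name__ == "__main__":
    # The time of the error_log entry quoted later in the post.
    when = datetime(2019, 10, 19, 15, 14, 11)
    for label, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(label, cert_status(cert, when), signature_warnings(cert))
```

Run it periodically (or from a monitoring check) with `now` set to the current time and a warning window of a few weeks, so the renewal happens before the expiry date rather than after the service is down. Two caveats on the session above: the regenerated certificate is again self-signed with SHA-1 and a `localhost4.localdomain4` subject, so clients will still not trust it; and `key3.db` holds the server's private key, so the database files need only read permission for the user that opens them, not the execute bits that `chmod 750` adds.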

After the steps above httpd starts normally, but the web page cannot be accessed, and /var/log/httpd/error_log reports the following:

[Sat Oct 19 15:14:11 2019] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Sat Oct 19 15:14:11 2019] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED

Following the referenced link, the fix is as follows; it amounts to not using SSL at all, so it is probably only a temporary workaround.

You can uninstall mod_ssl, or just move /etc/httpd/conf.d/ssl.conf to /etc/httpd/conf.d/ssl.conf-BAK, so apache does not read the ssl configuration part. In this case you should also check httpd.conf and comment out every reference to ssl.

Performing the following and restarting httpd makes the web page accessible again:

[root@ipa ~]# mv /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.bak

Reference

CentOS 5.5 (5.6) SSL Problem by www.linuxquestions.org forum