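During the IPA installation, /etc/httpd/conf.d/ssl.conf was modified to replace every 443 with 444, which caused httpd to fail to start.
Checking the log /var/log/httpd/error_log shows the following message: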
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name
Modify the hosts file as follows:
[root@ipa conf.d]# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost.localdomain localhost4 localhost4.localdomain4 localhost ipa ipa.xionghuilin.com
::1 localhost.localdomain localhost.localdomain localhost6 localhost6.localdomain6 localhost ipa ipa.xonghuilin.com
192.168.26.120 ipa ipa.xionghuilin.com
[root@ipa conf.d]#
Error 2: Apache cannot start because of "SSL Library Certificate has expired".
Following https://www.cnblogs.com/Fle-x/articles/5789614.html, regenerate the SSL certificate:
[root@ipa ~]# service httpd start
Starting httpd: [FAILED]
[root@ipa ~]# vim /etc/httpd/conf.d/ssl.conf
[root@ipa ~]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Mon Dec 18 03:03:47 2006
Not After : Sat Dec 18 03:03:47 2010
Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Type
Data: <ssl Server>
Name: Certificate Key Usage
Usages: Key Encipherment
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
Fingerprint (MD5):
E2:31:F4:31:CE:63:00:A1:E2:FB:F0:16:3B:9F:DA:A3
Fingerprint (SHA1):
C0:23:89:24:2A:5B:66:73:76:F7:E4:74:B8:A5:CC:A6:01:DA:29:CF
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
[root@ipa ~]# cd /etc/httpd/alias
[root@ipa alias]# ls
cert8.db install.log key3.db libnssckbi.so secmod.db
[root@ipa alias]# rm -f *.db
[root@ipa alias]# /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
[root@ipa alias]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Sat Oct 19 05:48:49 2019
Not After : Thu Oct 19 05:48:49 2023
Subject: "CN=localhost4.localdomain4,O=example.com,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Type
Data: <ssl Server>
Name: Certificate Key Usage
Usages: Key Encipherment
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Signature:
Fingerprint (MD5):
40:D7:F4:E6:DF:B7:D5:16:11:F6:EA:17:6E:35:90:76
Fingerprint (SHA1):
BD:9F:1B:A3:39:DB:53:52:02:2C:9F:70:D2:0E:46:BA:A4:FE:B6:5F
Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
[root@ipa alias]# ll
total 92
-rw-------. 1 root root 65536 Oct 19 13:48 cert8.db
-rw-------. 1 root root 4614 Oct 19 13:48 install.log
-rw-------. 1 root root 16384 Oct 19 13:48 key3.db
lrwxrwxrwx. 1 root root 31 Dec 18 2006 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rw-------. 1 root root 16384 Oct 19 13:48 secmod.db
[root@ipa alias]# chmod 750 *.db
[root@ipa alias]# ll
total 92
-rwxr-x---. 1 root root 65536 Oct 19 13:48 cert8.db
-rw-------. 1 root root 4614 Oct 19 13:48 install.log
-rwxr-x---. 1 root root 16384 Oct 19 13:48 key3.db
lrwxrwxrwx. 1 root root 31 Dec 18 2006 libnssckbi.so -> ../../..//usr/lib/libnssckbi.so
-rwxr-x---. 1 root root 16384 Oct 19 13:48 secmod.db
[root@ipa alias]# service httpd start
Starting httpd: [ OK ]
[root@ipa alias]#
[root@ipa alias]# service httpd status
httpd (pid 20838) is running...
[root@ipa alias]# pwd
/etc/httpd/alias
After the steps above httpd starts normally, but the web page still cannot be accessed, and /var/log/httpd/error_log reports the following errors:
[Sat Oct 19 15:14:11 2019] [error] NSS_Initialize failed. Certificate database: /etc/httpd/alias.
[Sat Oct 19 15:14:11 2019] [error] SSL Library Error: -8038 SEC_ERROR_NOT_INITIALIZED
According to the reference link, the fix is as follows, which means not using SSL at all; this may only be a temporary workaround.
You can uninstall mod_ssl, or just move /etc/httpd/conf.d/ssl.conf to /etc/httpd/conf.d/ssl.conf-BAK, so apache does not read the ssl configuration part. In this case you should also check httpd.conf and comment out every reference to ssl.
After the following operation and a restart of httpd, the web page can be accessed normally:
[root@ipa ~]# mv /etc/httpd/conf.d/nss.conf /etc/httpd/conf.d/nss.conf.bak
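The two things inspected by hand in the session above, certificate validity in the certutil output and the mode bits of the NSS database files, can be checked with a script. This is an added example, not part of the original post; the function names are hypothetical, the sample text is constructed from the output shown above, and it assumes httpd runs under the group apache (the CentOS default) and must be able to read the *.db files.

```shell
#!/bin/sh
# Added example: offline checks over captured `certutil -L -n` and `ls -l` text.

# Turn the "Not After : Sat Dec 18 03:03:47 2010" line (certutil prints UTC)
# into a sortable stamp YYYYMMDDHHMMSS.
not_after_stamp() {
    awk '/Not After/ {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) if (m[i] == $5) mon = i
        gsub(":", "", $7)
        printf "%04d%02d%02d%s\n", $8, mon, $6, $7
        exit
    }'
}

# Exit status 0 if the certificate on stdin is expired at time $1
# (YYYYMMDDHHMMSS, UTC), 1 if still valid, 2 if no "Not After" line was found.
cert_expired() {
    stamp=$(not_after_stamp)
    [ -n "$stamp" ] || return 2
    [ "$1" -gt "$stamp" ]
}

# Print the *.db files in an `ls -l` listing that members of group $1 cannot
# read. Simplification (assumption): only group and "other" read bits are
# considered, since the httpd user is not the file owner here.
unreadable_by_group() {
    awk -v grp="$1" '$NF ~ /\.db$/ {
        g = substr($1, 5, 1); o = substr($1, 8, 1)
        if (!(($4 == grp && g == "r") || o == "r")) print $NF
    }'
}

# Constructed sample input, based on the output shown in the post.
SAMPLE_CERT='Validity:
Not Before: Mon Dec 18 03:03:47 2006
Not After : Sat Dec 18 03:03:47 2010'
# The secmod.db line is a constructed variant (group apache, mode 640).
SAMPLE_LS='-rwxr-x---. 1 root root 65536 Oct 19 13:48 cert8.db
-rw-------. 1 root root 4614 Oct 19 13:48 install.log
-rwxr-x---. 1 root root 16384 Oct 19 13:48 key3.db
-rw-r-----. 1 root apache 16384 Oct 19 13:48 secmod.db'

# Live use (not run here):
#   certutil -d /etc/httpd/alias -L -n Server-Cert | cert_expired "$(date -u +%Y%m%d%H%M%S)"
#   ls -l /etc/httpd/alias | unreadable_by_group apache
```

On the listing shown above (root:root, mode 750), every *.db file is reported as unreadable by the apache group.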
Reference
CentOS 5.5 (5.6) SSL Problem by www.linuxquestions.org forum