当我在 apache2 ubuntu 服务器上启用 SSL 时,http 和 https 都不起作用
Posted
技术标签:
【中文标题】当我在 apache2 ubuntu 服务器上启用 SSL 时,http 和 https 都不起作用【英文标题】:When I enable SSL on apache2 ubuntu server both http and https does not work 【发布时间】:2020-03-26 12:25:06 【问题描述】:我正在尝试为我的网络服务器启用 SSL。但是,当我启用 ssl 时,http 停止工作并且 https 不开始工作。我遵循了以下指南:
https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04
服务器上没有激活防火墙。 这是 default-ssl.conf 文件:
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin admin@MyWebSit.com
ServerName MyWebSite.com
ServerAlias www.MyWebSite.com
DocumentRoot /var/www/html
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn
ErrorLog $APACHE_LOG_DIR/error.log
CustomLog $APACHE_LOG_DIR/access.log combined
# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/MyWebSite_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/MyWebSite_com.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/ssl/certs/
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl/
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
# BrowserMatch "MSIE [2-6]" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
apache -S 给我:
AH00111:未定义配置变量 $APACHE_RUN_DIR apache2:/etc/apache2/apache2.conf 第 80 行的语法错误:DefaultRuntimeDir 必须是有效目录,绝对或相对于 ServerRoot
而 apachectl -S 给了我:
AH00558:apache2:无法可靠地确定服务器的完全限定域名,使用 192.168.178.24。全局设置“ServerName”指令以禁止显示此消息 虚拟主机配置: *:80 192.168.178.24 (/etc/apache2/sites-enabled/000-default.conf:1) *:443 MyWebSite.com (/etc/apache2/sites-enabled/default-ssl.conf:2) 服务器根目录:“/etc/apache2” 主文档根目录:“/var/www/html” 主要错误日志:“/var/log/apache2/error.log” 互斥看门狗回调:using_defaults Mutex ssl-stapling-refresh: using_defaults 互斥 ssl 装订:using_defaults 互斥 ssl 缓存:using_defaults 互斥锁默认:dir="/var/run/apache2/" 机制=默认 互斥体 mpm-accept: using_defaults PidFile:“/var/run/apache2/apache2.pid” 定义:DUMP_VHOSTS 定义:DUMP_RUN_CFG 用户:name="www-data" id=33 组:name="www-data" id=33
禁用 ssl 会立即恢复 http。 (重启 Apache 后)
不幸的是,我不再知道我可以尝试做什么。 在这里的任何帮助将不胜感激!
提前谢谢你!
编辑: 很明显,我提供的信息并不能完全解释我的问题,因此我在此处添加更多详细信息:
sudo service apache2 restart
给出以下结果:
警告:单元文件、源配置文件或插件 磁盘上的 apache2.service 已更改。运行“systemctl daemon-reload”到 重新加载单位。 apache2.service 的作业失败,因为控制 进程以错误代码退出。请参阅“systemctl status apache2.service” 和“journalctl -xe”了解详情
systemctl daemon-reload
运行成功,但再次运行重新启动命令时仍然收到作业失败响应。以下是“systemctl status apache2.service”的响应
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Mon 2019-12-02 11:08:57 CET; 3h 28min ago
Process: 4557 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 1413 (code=exited, status=0/SUCCESS)
Dec 02 11:08:57 ubuntu systemd[1]: Starting The Apache HTTP Server...
Dec 02 11:08:57 ubuntu apachectl[4557]: AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 192.168.178.24. Set the 'ServerNa
Dec 02 11:08:57 ubuntu apachectl[4557]: Action 'start' failed.
Dec 02 11:08:57 ubuntu apachectl[4557]: The Apache error log may have more information.
Dec 02 11:08:57 ubuntu systemd[1]: apache2.service: Control process exited, code=exited status=1
Dec 02 11:08:57 ubuntu systemd[1]: apache2.service: Failed with result 'exit-code'.
Dec 02 11:08:57 ubuntu systemd[1]: Failed to start The Apache HTTP Server.
下面是 journalctl -xe 的结果
--
-- Unit motd-news.service has begun starting up.
Dec 02 13:56:00 ubuntu 50-motd-news[5122]: * Overheard at KubeCon: "microk8s.status just blew my mind".
Dec 02 13:56:00 ubuntu 50-motd-news[5122]: https://microk8s.io/docs/commands#microk8s.status
Dec 02 13:56:00 ubuntu systemd[1]: Started Message of the Day.
-- Subject: Unit motd-news.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit motd-news.service has finished starting up.
--
-- The start-up result is RESULT.
Dec 02 14:09:02 ubuntu CRON[5169]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 02 14:09:02 ubuntu CRON[5170]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Dec 02 14:09:02 ubuntu CRON[5169]: pam_unix(cron:session): session closed for user root
Dec 02 14:09:44 ubuntu systemd[1]: Starting Clean php session files...
-- Subject: Unit phpsessionclean.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has begun starting up.
Dec 02 14:09:44 ubuntu sessionclean[5171]: PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli' (tried: /usr/lib/php/20170718/mysqli (/usr/lib/php/2017071
Dec 02 14:09:44 ubuntu systemd[1]: Started Clean php session files.
-- Subject: Unit phpsessionclean.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has finished starting up.
--
-- The start-up result is RESULT.
Dec 02 14:17:01 ubuntu CRON[5220]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 02 14:17:01 ubuntu CRON[5221]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
Dec 02 14:17:01 ubuntu CRON[5220]: pam_unix(cron:session): session closed for user root
Dec 02 14:18:00 ubuntu systemd-timesyncd[1097]: Network configuration changed, trying to establish connection.
Dec 02 14:18:00 ubuntu systemd-timesyncd[1097]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
Dec 02 14:39:01 ubuntu CRON[5241]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 02 14:39:01 ubuntu CRON[5242]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Dec 02 14:39:01 ubuntu CRON[5241]: pam_unix(cron:session): session closed for user root
Dec 02 14:39:44 ubuntu systemd[1]: Starting Clean php session files...
-- Subject: Unit phpsessionclean.service has begun start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has begun starting up.
Dec 02 14:39:44 ubuntu sessionclean[5244]: PHP Warning: PHP Startup: Unable to load dynamic library 'mysqli' (tried: /usr/lib/php/20170718/mysqli (/usr/lib/php/2017071
Dec 02 14:39:44 ubuntu systemd[1]: Started Clean php session files.
-- Subject: Unit phpsessionclean.service has finished start-up
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit phpsessionclean.service has finished starting up.
--
-- The start-up result is RESULT.
Dec 02 14:47:59 ubuntu systemd-timesyncd[1097]: Network configuration changed, trying to establish connection.
Dec 02 14:47:59 ubuntu systemd-timesyncd[1097]: Synchronized to time server 91.189.89.198:123 (ntp.ubuntu.com).
【问题讨论】:
你会在serverfault.com/questions/558283/…找到答案 我已经浏览了您提供的线程中的所有建议以及被列为重复的线程,但他们似乎都没有任何对我有帮助的东西。您能否详细说明为什么您认为这个问题回答了我的问题以及我如何将线程中的答案应用于我的情况?再次感谢您抽出宝贵时间查看我的问题,如果这是非常明显的问题,我们深表歉意。 我不知道你实际上做了什么“通过线程中的所有建议”,但问题是环境变量没有定义,因为你已经重新启动阿帕奇错误的方式。引用 “显示此消息因为您直接执行了 apache2 二进制文件。在 Ubuntu/Debian 中,apache 配置依赖于仅激活的 envvar 文件....” .解决方案也有:"...sudo service apache2 restart...". 对此表示歉意,我应该更具体一些。感谢您解释问题之间的关系。当我运行 sudo service apache2 restart 时,我得到以下结果: 警告:磁盘上的 apache2.service 的单元文件、源配置文件或插件已更改。运行“systemctl daemon-reload”重新加载单元。 apache2.service 的作业失败,因为控制进程以错误代码退出。有关详细信息,请参阅“systemctl status apache2.service”和“journalctl -xe”。所以我成功运行'systemctl daemon-reload'并再次尝试重新启动。但我仍然收到作业失败的消息。 运行“systemctl status apache2.service”给出:ubuntu systemd[1]:启动 Apache HTTP 服务器... ubuntu apachectl[4299]:AH00558:apache2:无法可靠地确定服务器的完全合格域名,使用 192.168.178.24。设置 'ServerNa ubuntu apachectl[4299]: Action 'start' failed。 ubuntu apachectl[4299]:Apache 错误日志可能有更多信息。 ubuntu systemd[1]:apache2.service:控制进程退出,code=exited status=1 ubuntu systemd[1]:apache2.service:失败,结果为“exit-code”。 ubuntu systemd[1]: 无法启动 Apache HTTP 服务器。 【参考方案1】:经过大量搜索,我发现这是由于我的密钥损坏。
我可以通过检查 apache 错误日志来确定这一点:
sudo nano /var/log/apache2/error.log
[Mon Dec 02 11:08:57.784521 2019] [ssl:error] [pid 4560] AH02579: Init: Private key not found
[Mon Dec 02 11:08:57.784840 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Dec 02 11:08:57.784922 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
[Mon Dec 02 11:08:57.784990 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Dec 02 11:08:57.785061 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivat$
[Mon Dec 02 11:08:57.785135 2019] [ssl:error] [pid 4560] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
[Mon Dec 02 11:08:57.785200 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
[Mon Dec 02 11:08:57.785269 2019] [ssl:error] [pid 4560] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRI$
[Mon Dec 02 11:08:57.785434 2019] [ssl:emerg] [pid 4560] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
[Mon Dec 02 11:08:57.785469 2019] [ssl:emerg] [pid 4560] AH02564: Failed to configure encrypted (?) private key MyWebSite.com:443:0, check /etc/apache2/ssl/MyWebSite$
AH00016: Configuration Failed
如图所示,“找不到私钥”不是指密钥的路径,而是指密钥已损坏。我通过以下方式打开钥匙检查了这一点:
sudo nano MyWebSite.key
如果密钥正确,就会有文字
----- 开始私钥 -----
在键的顶部。然后解决方案是重新生成证书请求,重新颁发证书并安装新证书。如果您遇到和我一样的情况,我希望这对您有所帮助。
【讨论】:
以上是关于当我在 apache2 ubuntu 服务器上启用 SSL 时,http 和 https 都不起作用的主要内容,如果未能解决你的问题,请参考以下文章
Moodle - 如何在 apache2 (ubuntu 14.04) 上启用斜线参数
VM 上的 Apache 2 *有时* 找不到启用 mods 的目录