在AWS EC2实例上启用SSL

时间:2015-06-09 16:57:47

标签: apache ssl amazon-web-services amazon-ec2

在通过虚拟主机为多个域提供服务的EC2实例上,我设置了一个负载均衡器,可以将HTTPS流量从端口:443转发到:8443,用于其中一个域,部分遵循以下示例:http://elwoodicious.com/2009/12/23/using-elb-to-serve-multiple-domains-over-ssl-on-ec2-for-giggles/

我的httpd.conf虚拟主机看起来像这样:

NameVirtualHost *:80
<VirtualHost *:80>
    ServerAdmin webmaster@domain.com
    DocumentRoot /var/www/domain.om
    ServerName domain.com
    ServerAlias *.domain.com
    ErrorLog logs/domain.com-error_log
    CustomLog logs/domain.com-access_log common
</VirtualHost>

# more VirtualHosts on *:80 here

现在,只要为同一个domain.com添加新的虚拟主机,就像这样,

<VirtualHost _default_:8443>
    ServerAdmin webmaster@domain.com
    DocumentRoot /var/www/domain.om
    ServerName domain.com
    ServerAlias *.domain.com
    SSLEngine On
    RequestHeader set X_FORWARDED_PROTO 'https'
    ErrorLog logs/domain.com-https-error_log
    CustomLog logs/domain.com-https-access_log common
</VirtualHost>

... Apache无法重启。没有错误通知 - 它只是说[FAILED]

我唯一的线索:即使我删除所有*:80个虚拟主机并且只留下一个端口*:8443,Apache也会失败......即使设置NameVirtualHost *:8443

这是否意味着它是某种只允许端口80上的虚拟主机的EC2指令?

感谢您的帮助!

----------------编辑:添加错误日志

var/log/httpd/error_log包含以下内容:

[Tue Jun 09 16:52:37 2015] [notice] caught SIGTERM, shutting down
[Tue Jun 09 16:52:37 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 09 16:53:13 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 09 16:53:47 2015] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 09 16:53:47 2015] [notice] Digest: generating secret for digest authentication ...
[Tue Jun 09 16:53:47 2015] [notice] Digest: done
[Tue Jun 09 16:53:47 2015] [notice] Apache/2.2.29 (Unix) DAV/2 PHP/5.3.29 mod_ssl/2.2.29 OpenSSL/1.0.1k-fips configured -- resuming normal operations

var/log/httpd/ssl_error_log包含以下内容:

[Tue Jun 09 16:53:47 2015] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Jun 09 16:53:47 2015] [warn] RSA server certificate CommonName (CN) `ip-xx-xx-xx-xx' does NOT match server name!?

最后,var/log/httpd/domain.com-https-error_log看起来像这样:

[Tue Jun 09 16:53:13 2015] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/httpd/conf/httpd.conf:1026)

httpd.conf的第1026行是<VirtualHost _default_:8043>。我已使用aws cli上传了我在本地计算机上创建的自签名OpenSSL证书,并将其附加到负载均衡器以获取HTTPS流量。

域的CNAME记录也指向ELB DNS名称。不确定我错过了什么。

1 个答案:

答案 0 :(得分:1)

大。错误消息有帮助。你错过了两行:

SSLCertificateFile /directory/to/file.crt
SSLCertificateKeyFile /directory/to//file.key

Here's a howto on configuring SSL on Apache

相关问题
最新问题