我想将今天生成的 ssl 证书放在网站上,但它不起作用。安全页面未加载,但不安全页面有效。这是我的配置:
<VirtualHost *:80>
ServerName example.com
ServerAdmin example@gmail.com
ServerAlias www.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
ErrorLog /var/log/example-error.log
CustomLog /var/log/example-access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAdmin example@gmail.com
ServerAlias www.example.com
DocumentRoot /var/www/example
<Directory /var/www/example>
Options -Indexes +FollowSymLinks +MultiViews
AllowOverride All
Require all granted
</Directory>
SSLEngine on
SSLCertificateFile /root/certs/example.crt
SSLCertificateKeyFile /root/XXX.key
SSLCertificateChainFile /root/certs/example.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
</VirtualHost>
奇怪的是我在 ssl_error_log 中没有错误:
[Fri Apr 02 22:33:55.266922 2021] [ssl:info] [pid 12429] AH02200: Loading certificate & private key of SSL-aware server 'example.com:443'
[Fri Apr 02 22:33:55.267378 2021] [ssl:debug] [pid 12429] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Apr 02 22:33:55.267430 2021] [ssl:info] [pid 12429] AH01914: Configuring server example.com:443 for SSL protocol
[Fri Apr 02 22:33:55.267738 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Fri Apr 02 22:33:55.267751 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Fri Apr 02 22:33:55.267762 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Fri Apr 02 22:33:55.267939 2021] [ssl:debug] [pid 12429] ssl_util_ssl.c(508): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=example.com / issuer: CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1,O=DigiCert Inc,C=US / serial: example / notbefore: Apr 2 00:00:00 2021 GMT / notafter: May 3 23:59:59 2022 GMT]
[Fri Apr 02 22:33:55.267957 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[Fri Apr 02 22:33:55.310426 2021] [ssl:info] [pid 12429] AH02200: Loading certificate & private key of SSL-aware server 'example.com:443'
[Fri Apr 02 22:33:55.310726 2021] [ssl:debug] [pid 12429] ssl_engine_pphrase.c(506): AH02249: unencrypted RSA private key - pass phrase not required
[Fri Apr 02 22:33:55.310770 2021] [ssl:info] [pid 12429] AH01914: Configuring server example.com:443 for SSL protocol
[Fri Apr 02 22:33:55.310983 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(886): AH01904: Configuring server certificate chain (1 CA certificate)
[Fri Apr 02 22:33:55.310994 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(406): AH01893: Configuring TLS extension handling
[Fri Apr 02 22:33:55.311002 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(933): AH02232: Configuring RSA server certificate
[Fri Apr 02 22:33:55.311108 2021] [ssl:debug] [pid 12429] ssl_util_ssl.c(508): AH02412: [example.com:443] Cert matches for name 'example.com' [subject: CN=example.com / issuer: CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1,O=DigiCert Inc,C=US / serial: XXX / notbefore: Apr 2 00:00:00 2021 GMT / notafter: May 3 23:59:59 2022 GMT]
[Fri Apr 02 22:33:55.311117 2021] [ssl:debug] [pid 12429] ssl_engine_init.c(988): AH02236: Configuring RSA server private key
[root@vps httpd]# curl https: //xxx.com
curl: (7) Failed connect to xxx.com:443; Connection refused
打开的端口是防火墙。
有什么想法吗?
答案 0 :(得分:2)
除了 Ryan 写的绝对正确的内容之外,您应该修复(或删除)
SSLCertificateChainFile /root/certs/example.crt
如果你想修复它,你不应该在这里使用证书,而是使用链,这意味着用于签署你的 csr 的证书。链可能包含也可能不包含根:我个人从不包含根。
顺便说一句,我建议您将证书移到根主目录之外:例如,您可以在 apache 根目录(/etc/{apache2,httpd}/certs)中创建一个子文件夹。