SSL on Apache HTTP Server

醉酒当歌 提交于 2021-02-05 11:30:41

问题


I have 2 crt files for Apache server:

  • 1_root_bundle.crt
  • 2_my_domain_name.com.crt

And other bundle:

  • 1_Intermediate.crt
  • 2_my_domain_name.com.crt
  • root.crt

I have modified

/etc/apache2/sites-available/default-ssl.conf 

And tried various combinations of above mentioned files but after Apache2 service restart SSL does not work, browser shows "Connection is not secure":

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/1_Intermediate.crt
SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateChainFile /etc/apache2/ssl/root.crt

How to make SSL on Apache server?


回答1:


It is missing the key file with your certificate private key. Usually it has the .key extension like 2_my_domain_name.com.key and the file content starts with -----BEGIN PRIVATE KEY-----

You configuration should looks like this

SSLEngine on
SSLCertificateFile      /etc/apache2/ssl/2_my_domain_name.com.crt
SSLCertificateKeyFile   /etc/apache2/ssl/2_my_domain_name.com.key
SSLCertificateChainFile /etc/apache2/ssl/1_root_bundle.crt

The SSLCertificateChainFile points to a all-in-one file where you can assemble the certificates of Certification Authorities (CA) which form the certificate chain of the server certificate.

So ensure that 1_root_bundle.crt contains 1_Intermediate.crt content and is in PEM format (base64 with --- BEGIN CERTIFICATE --- ----END CERTIFICATE--- headers)

If you use apache >= 2.4.8 you could also concatenate all certificates in the file pointed at SSLCertificateFile

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.




回答2:


1) Install Apache HTTP Server, mod_ssl

2) Configure httpd

Remember to disable SSLv2 and SSLv3, because they are vulnerable.

  # Toggle on the SSL/TLS Protocol Engine
  SSLEngine On
  # The signed certificate of the server
  SSLCertificateFile /etc/pki/tls/myserver/myserver.crt
  # The private key of the server
  SSLCertificateKeyFile /etc/pki/tls/myserver/myserver.key
  # The intermediate_certificate of the server
  SSLCertificateChainFile /etc/pki/tls/myserver/tls-ca-chain.pem

  # Accept only strong encryption
  SSLProtocol             all -SSLv2 -SSLv3
  SSLCipherSuite           HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  SSLHonorCipherOrder     on

3) Check the permissions on the certificate files.

UPD: How to create a key and certificate signing request in one step:

openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out myserver.csr

Next you have to send this csr file to one of the certificate authorities. They will send back your signed certificate, and the intermediate certificate(s).

You can also create a self-signed certificate.




回答3:


You can use the bundle file with SSLCertificateChainFile.

SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCertificateChainFile /home/ubuntu/tad.com/intermediate_bundle.crt
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt

OR

If you are using bundle so it will work without SSLCertificateChainFile file.

SSLCertificateFile /home/ubuntu/tad.com/tad.com.crt
SSLCertificateKeyFile /home/ubuntu/tad.com/tad.com.key
SSLCACertificateFile /home/ubuntu/zup.today/intermediate_bundle.crt


来源:https://stackoverflow.com/questions/37939806/ssl-on-apache-http-server

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!