0
我已經創建了AWS API網關,並將它指向VPS。我希望能夠爲我的VPS啓用客戶端SSL身份驗證。我遵循AWS演練here。我在API網關控制檯中生成了PEM編碼的證書,並將其複製到我的Apache Web服務器。看起來,證書和/或虛擬主機配置在Apache SSL模塊中導致致命錯誤。Apache配置AWS API網關證書
錯誤日誌:
[Tue Nov 10 10:53:57.140815 2015] [ssl:info] [pid 7283] AH01914: Configuring server example.com:443 for SSL protocol
[Tue Nov 10 10:53:57.140998 2015] [ssl:trace1] [pid 7283] ssl_engine_init.c(724): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:HIGH:!aNULL]
[Tue Nov 10 10:53:57.141165 2015] [ssl:debug] [pid 7283] ssl_engine_init.c(843): AH01904: Configuring server certificate chain (1 CA certificate)
[Tue Nov 10 10:53:57.141175 2015] [ssl:debug] [pid 7283] ssl_engine_init.c(390): AH01893: Configuring TLS extension handling
[Tue Nov 10 10:53:57.141204 2015] [ssl:emerg] [pid 7283] AH02572: Failed to configure at least one certificate and key for example.com:443
[Tue Nov 10 10:53:57.141226 2015] [ssl:emerg] [pid 7283] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Nov 10 10:53:57.141251 2015] [ssl:emerg] [pid 7283] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
Apache的虛擬主機配置:
<VirtualHost *:443>
ServerName example.com
ServerAdmin [email protected]
DocumentRoot /var/www/example
DirectoryIndex index.html
SSLEngine on
SSLCertificateChainFile ssl/ca.crt
SSLVerifyDepth 1
LogLevel info ssl:warn debug trace1
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
除非您還擁有SSL *服務器*證書,否則不能要求/使用SSL客戶端證書。我沒有看到在這裏配置了證書和它的私鑰,並且'無法爲example.com配置至少一個證書和密鑰:443'似乎表明這是問題。 –
@ Michael-sqlbot是的,你是絕對正確的。我已經創建了一個自簽名證書,將密鑰和證書添加到Apache配置中,並且服務器正常啓動。現在,API網關正在抱怨「未知端點錯誤」。 – Richard
API網關不太可能使用自簽名證書與後端服務器進行協商,它需要對自簽名證書不允許的端點進行身份驗證...證書必須來自經認可的證書頒發機構才能使驗證有效 –