2013-07-27 130 views
11

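I have an SSL certificate and I'm running Ubuntu; httpd does not start after installing the certificate

The domain.crt and domain.ca-bundle files are in the folders specified, but no matter what I keep getting these errors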

[Sat Jul 27 06:35:00 2013] [error] Unable to configure verify locations for client authentication 
[Sat Jul 27 06:35:00 2013] [error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long 
[Sat Jul 27 06:36:55 2013] [error] Server should be SSL-aware but has no certificate configured [Hint: SSLCertificateFile] (/etc/apache2/sites-enabled/default-ssl:2) 

My port.conf is

NameVirtualHost *:80 
Listen 80 

<IfModule mod_ssl.c> 
    # If you add NameVirtualHost *:443 here, you will also have to change 
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl 
    # to <VirtualHost *:443> 
    # Server Name Indication for SSL named virtual hosts is currently not 
    # supported by MSIE on Windows XP. 
NameVirtualHost *:443 
    Listen 443 
</IfModule> 

and my default-ssl is as follows

<IfModule mod_ssl.c> 
<VirtualHost *:443> 
     ServerAdmin [email protected] 
     ServerName www.domain.com 
     ServerAlias domain.com 
     DocumentRoot /var/www 
     <Directory /> 
       Options FollowSymLinks 
       AllowOverride None 
          ----------- 
         --------------- 
-------------------- more configs 



# SSL Engine Switch: 
     # Enable/Disable SSL for this virtual host. 
     SSLEngine on 

     # A self-signed (snakeoil) certificate can be created by installing 
     # the ssl-cert package. See 
     # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. 
     # If both key and certificate are stored in the same file, only the 
     # SSLCertificateFile directive is needed. 
     # SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem 
     SSLCertificateFile /etc/ssl/private/domain.crt 
     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key 
     SSLCertificateChainFile /etc/ssl/private/domain.ca-bundle 

Answers

21

Solution

I added these to /etc/apache2/apache2.conf

SSLCertificateFile your.crt 
SSLCertificateKeyFile your.key 
SSLCertificateChainFile your_bundle.crt 

The long part

There was a message, when I enabled Apache ssh, to read the file at /usr/share/doc/apache2.2-common/README.Debian.gz, and it says:

6) Message "Server should be SSL-aware but has no certificate configured" in 
    error log 

Since 2.2.12, Apache is stricter about certain misconfigurations concerning 
name based SSL virtual hosts. See NEWS.Debian.gz for more details. 

And NEWS says:

* The new support for TLS Server Name Indication added in 2.2.12 causes 
    Apache to be stricter about certain misconfigurations involving name 
    based SSL virtual hosts. This may result in Apache refusing to start 
    with the logged error message: 

     Server should be SSL-aware but has no certificate configured 
     [Hint: SSLCertificateFile] 

    Up to 2.2.11, Apache accepted configurations where the necessary SSL 
    configuration statements were included in the first (default) 
    <Virtualhost *:443> block but not in subsequent <Virtualhost *:443> 
    blocks. Starting with 2.2.12, every VirtualHost block used with SSL must 
    contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile 
    directives (SSLCertificateKeyFile is optional in some cases). 

    When you encounter the above problem, the output of the command 

     egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \ 
      /etc/apache2/*conf* /etc/apache2/*enabled 

    may be useful to determine which VirtualHost sections need to be changed. 

There is more.

+6

Hate it when these guys close things like this...

+0

There are ways to migrate these questions to serverfault.

+0

Great answer, it worked for me.
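The per-vhost check that the NEWS entry's egrep command is meant to support, as an added example that is not part of the original answer or the Debian documentation. The function name `check_ssl_vhosts` and the sample hostnames and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report <VirtualHost ...:443> blocks that lack the directives
# every SSL vhost must carry since Apache 2.2.12 (per the Debian NEWS entry).

check_ssl_vhosts() {
    # Usage: check_ssl_vhosts [file...]   (reads stdin when no file is given)
    # Prints one line per incomplete block; exit status 1 if any was found.
    awk '
    function report(   miss) {
        if (!seen["sslengine"])             miss = miss " SSLEngine"
        if (!seen["sslcertificatefile"])    miss = miss " SSLCertificateFile"
        # NEWS notes the key file is optional in some cases; review these hits.
        if (!seen["sslcertificatekeyfile"]) miss = miss " SSLCertificateKeyFile"
        if (miss != "") { printf "%s:%d: %s missing:%s\n", src, start, name, miss; bad = 1 }
    }
    /^[ \t]*#/ { next }                              # ignore commented-out lines
    tolower($1) == "<virtualhost" && /:443[ \t>]/ {
        inblock = 1; start = FNR; name = "(no ServerName)"; split("", seen)
        src = (FILENAME == "" || FILENAME == "-") ? "stdin" : FILENAME; next
    }
    inblock && tolower($1) ~ /^<\/virtualhost/ { report(); inblock = 0; next }
    inblock && tolower($1) == "servername" { name = $2 }
    inblock { seen[tolower($1)] = 1 }                # record every directive name
    END { if (inblock) report(); exit bad }
    ' "$@"
}

# Constructed sample: the first vhost carries the SSL directives, the second
# relies on them (accepted up to 2.2.11, rejected from 2.2.12 on).
sample_conf() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName first.example.test
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/first.crt
    SSLCertificateKeyFile /etc/ssl/private/first.key
</VirtualHost>
<VirtualHost *:443>
    ServerName second.example.test
    # SSLCertificateFile /etc/ssl/certs/old.crt
    SSLEngine on
</VirtualHost>
EOF
}

sample_conf | check_ssl_vhosts || echo "incomplete SSL vhost(s) found"
```

On a Debian or Ubuntu layout it can be pointed at the same files as the egrep command, for example `check_ssl_vhosts /etc/apache2/sites-enabled/*`.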

3

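You can try it with the SSL certificate integration. This should go in the httpd.conf file under the virtual host; please locate the virtual host section for the site that the SSL certificate will secure.

SSLCACertificateFile - This will need to point to the appropriate root CA certificate.

SSLCertificateChainFile - This will need to point to the appropriate intermediate root CA certificate.

SSLCertificateFile - This will need to point to the end-entity certificate

(the one you have called "mydomain.crt")

SSLCertificateKeyFile - This will need to point to the private key file associated with your certificate.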