Setting up SSL for Apache in a local test environment
I was building a test environment on an Apache server, but adding the SSL section to the Apache configuration file didn't get it running.
$ sudo service httpd restart
httpd を停止中: [ OK ]
httpd を起動中: httpd: Syntax error on line 221 of /etc/httpd/conf/httpd.conf: Syntax error on line 12 of /etc/httpd/conf.d/ssl.conf: Cannot load /etc/httpd/modules/mod_ssl.so into server: /etc/httpd/modules/mod_ssl.so: cannot open shared object file: No such file or directory
[失敗]
No mod_ssl, it says.
Installing mod_ssl
$ sudo yum install mod_ssl openssl
$ sudo service httpd restart
httpd を停止中: [失敗]
httpd を起動中: Syntax error on line 123 of /etc/httpd/conf.d/ssl.conf: SSLCertificateChainFile: file '/etc/pki/tls/certs/server-chain.crt' does not exist or is empty
So even for a test environment I have to create a key after all.
Create the private key
$ sudo mkdir /etc/httpd/conf/ssl.key
$ cd /etc/httpd/conf/ssl.key/
$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.............................++++++
....................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: [enter pass phrase]
Verifying - Enter pass phrase for server.key: [re-enter pass phrase to confirm]
$ sudo chmod 400 server.key
Create the certificate signing request
$ sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: [enter pass phrase]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chiyoda
Organization Name (eg, company) [Default Company Ltd]:Hogehoge
Organizational Unit Name (eg, section) []:[Enter: leave blank]
Common Name (eg, your name or your server's hostname) []:[enter hostname]
Email Address []:[enter email address]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Enter: leave blank]
An optional company name []:[Enter: leave blank]
$ sudo chmod 400 server.csr
The wrong configuration (my misunderstanding)
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateFile /etc/httpd/conf/ssl.key/server.csr
$ sudo service httpd restart
httpd を停止中: [ OK ]
[失敗]
Damn, it won't start.
/var/log/httpd/error_log
[Mon Jan 25 17:21:30 2016] [error] Init: Unable to read server certificate from file /etc/httpd/conf/ssl.key/server.csr
[Mon Jan 25 17:21:30 2016] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Mon Jan 25 17:21:30 2016] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Is the CSR file corrupted?
$ sudo openssl x509 -noout -text -in /etc/httpd/conf/ssl.key/server.csr
unable to load certificate
140169678825288:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
It can't be loaded, though...
Oh... I had confused the certificate signing request with the certificate.
Create the server certificate
$ sudo openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
$ chmod 400 server.crt
SSLCertificateFile /etc/httpd/conf/ssl.key/server.crt
$ sudo service httpd restart
httpd を停止中: [ OK ]
httpd を起動中: Apache/2.2.15 mod_ssl/2.2.15 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server 127.0.0.1:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
[ OK ]
It asked for the pass phrase, but started fine.
But if it asks for the pass phrase, httpd can't be restarted automatically after a failure, which is a problem.
Remove the pass phrase
$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: [enter the original pass phrase]
$ sudo service httpd restart
httpd を停止中: [ OK ]
httpd を起動中: httpd: apr_sockaddr_info_get() failed for sitetest
[ OK ]
It worked. Phew.
Reference sites
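As an added example (not part of the original post), a small POSIX shell script that runs the checks this post had to discover by trial and error: whether a file is a CSR or a certificate, whether the key still carries a pass phrase, and whether key and certificate belong together. The paths, the 2048-bit key size and the CN sitetest are assumptions used for the constructed test material; it needs the openssl CLI.

```shell
# Added example (not from the original post): check the files a mod_ssl
# vhost points at before restarting httpd. It catches the two failures
# hit above: a CSR handed to SSLCertificateFile, and a pass-phrase
# protected key that makes httpd prompt at start. Needs the openssl CLI.

# Print the PEM label of a file: CERTIFICATE, CERTIFICATE REQUEST,
# RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ... or UNKNOWN.
pem_kind() {
    k=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    echo "${k:-UNKNOWN}"
}

# True if the key is encrypted: legacy PEM (genrsa -des3) carries a
# "Proc-Type: 4,ENCRYPTED" header, PKCS#8 uses the ENCRYPTED PRIVATE KEY label.
key_is_encrypted() {
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1" ||
        [ "$(pem_kind "$1")" = "ENCRYPTED PRIVATE KEY" ]
}

# check_ssl_pair CERT KEY: returns 0 only when httpd can start unattended.
check_ssl_pair() {
    case "$(pem_kind "$1")" in
        CERTIFICATE) ;;
        "CERTIFICATE REQUEST")
            echo "$1 is a CSR, not a certificate: sign it first"; return 1 ;;
        *)  echo "$1 is not a PEM certificate"; return 1 ;;
    esac
    if key_is_encrypted "$2"; then
        echo "$2 has a pass phrase: httpd will block at startup"; return 2
    fi
    # The key and the certificate must carry the same RSA modulus.
    cm=$(openssl x509 -noout -modulus -in "$1") || return 3
    km=$(openssl rsa -noout -modulus -in "$2") || return 3
    [ "$cm" = "$km" ] || { echo "$2 does not match $1"; return 4; }
    echo "ok: $1 / $2"
}

# make_test_pair DIR: constructed test material following the post's steps
# (2048-bit key; server.enc.key is the pass-phrase protected variant).
make_test_pair() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl genrsa -aes256 -passout pass:testing -out "$1/server.enc.key" 2048 2>/dev/null
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Chiyoda/O=Hogehoge/CN=sitetest"
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
        -days 3650 -out "$1/server.crt" 2>/dev/null
}
```

Once the pass phrase is removed, the file permissions (the chmod 400 above, with the file owned by root) are all that protects the private key.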
・SSL with apache+mod_ssl
http://www.server-memo.net/server-setting/apache/apache-mod_ssl.html
・The story of a failed server certificate installation
https://pc.shigizemi.com/2015/07/31/error-crt/
・Apache 2.2 (Wind32) with SSL test environment setup notes
http://ptsv.org/repository/apache-22wind32-with-ssl-%E3%83%86%E3%82%B9%E3%83%88%E7%92%B0%E5%A2%83%E5%B0%8E%E5%85%A5%E3%83%8E%E3%83%BC%E3%83%88/
・How to start Apache without entering a pass phrase.
https://jp.globalsign.com/support/faq/93.html