How to resolve the inability to serve encrypted content over port 443 on AWS Linux 2 / Apache
This is frustrating. In short: serving a WordPress site from behind an AWS load balancer. The latest WordPress version is like "use SSL, bro," and I'm like "Naaah. We're encrypting on the load balancer with an AWS certificate," but WordPress is a bit old-fashioned about it, so I'm like "Fine. I'll get help from LetsEncrypt and get it done with SSL."
Fast forward a whole day and I'm still not serving HTTPS.
- Most cases like mine turn out to be configuration errors. Given that basically nothing out of the ordinary is going on, I don't see how that could be wrong. Also, `httpd -t -f` on each conf file yields "Syntax OK".
- I'm currently able to serve content, but unencrypted. Every SSL test fails because it isn't encrypted, and the unencrypted content isn't using any known protocol... so SSL Labs or anything else gives no output.
- The key files are valid, and if I invalidate the path by changing permissions or renaming them, httpd fails to start. I got them via Lets Encrypt certbot. See the extracted certificate below. Also, tools like OpenSSL ignore the certificate completely, as if it weren't being used at all. I know that points to a problem, but what problem?!?!?
- If any form of logging is enabled, httpd fails to start entirely... no logs are written.
- Ports 80 and 443 are fully open, and there are no connection problems. Plaintext content is still served over port 80. Traffic on port 80 is redirected to HTTPS, but that doesn't help with the problem.
I just want this to work, you know? Am I doing something wrong? What could I be doing wrong?
Using tools.keycdn.com/ssl:
Chain check: No chain issues detected.
1. Subject CN: kalosflorida.com > Issuer CN: Let's Encrypt Authority X3
2. Subject CN: Let's Encrypt Authority X3 > Issuer CN: DST Root CA X3
DECODED CERTIFICATE
```json
{
  "name": "\/CN=kalosflorida.com",
  "subject": {
    "CN": "kalosflorida.com"
  },
  "hash": "db52d6b4",
  "issuer": {
    "C": "US",
    "O": "Let's Encrypt",
    "CN": "Let's Encrypt Authority X3"
  },
  "version": 2,
  "serialNumber": "0x03850A3BE747D02CC0A9B2F6D067085D58B8",
  "serialNumberHex": "03850A3BE747D02CC0A9B2F6D067085D58B8",
  "validFrom": "200821005413Z",
  "validTo": "201119005413Z",
  "validFrom_time_t": 1597971253,
  "validTo_time_t": 1605747253,
  "signatureTypeSN": "RSA-SHA256",
  "signatureTypeLN": "sha256WithRSAEncryption",
  "signatureTypeNID": 668,
  "purposes": {
    "1": [true, false, "sslclient"],
    "2": [true, "sslserver"],
    "3": [true, "nssslserver"],
    "4": [false, "smimesign"],
    "5": [false, "smimeencrypt"],
    "6": [false, "crlsign"],
    "7": [true, true, "any"],
    "8": [true, "ocsphelper"],
    "9": [false, "timestampsign"]
  },
  "extensions": {
    "keyUsage": "Digital Signature,Key Encipherment",
    "extendedKeyUsage": "TLS Web Server Authentication,TLS Web Client Authentication",
    "basicConstraints": "CA:FALSE",
    "subjectKeyIdentifier": "6C:49:68:9D:7F:ED:F3:E6:3D:D0:0C:6C:06:16:17:7A:EE:00:84:FB",
    "authorityKeyIdentifier": "keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1\n",
    "authorityInfoAccess": "OCSP - URI:http:\/\/ocsp.int-x3.letsencrypt.org\nCA Issuers - URI:http:\/\/cert.int-x3.letsencrypt.org\/\n",
    "subjectAltName": "DNS:kalosflorida.com,DNS:www.kalosflorida.com",
    "certificatePolicies": "Policy: 2.23.140.1.2.1\nPolicy: 1.3.6.1.4.1.44947.1.1.1\n CPS: http:\/\/cps.letsencrypt.org\n",
    "ct_precert_scts": "Signed Certificate Timestamp:\n Version : v1 (0x0)\n Log ID : B2:1E:05:CC:8B:A2:CD:8A:20:4E:87:66:F9:2B:B9:8A:\n 25:20:67:6B:DA:FA:70:E7:B2:49:53:2D:EF:8B:90:5E\n Timestamp : Aug 21 01:54:13.403 2020 GMT\n Extensions: none\n Signature : ecdsa-with-SHA256\n 30:46:02:21:00:AB:71:9C:BF:C0:62:A9:4C:EB:A2:5B:\n CC:9D:7D:2F:F5:3F:55:D3:42:E9:7F:75:36:6D:85:46:\n 1A:99:0D:38:01:02:21:00:D3:FC:C5:25:52:49:FF:6D:\n 46:A4:A0:5F:E5:2B:BE:35:C9:48:5D:39:F4:CC:B4:E0:\n D7:0B:C7:38:54:20:55:41\nSigned Certificate Timestamp:\n Version : v1 (0x0)\n Log ID : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:\n 15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13\n Timestamp : Aug 21 01:54:13.459 2020 GMT\n Extensions: none\n Signature : ecdsa-with-SHA256\n 30:45:02:21:00:9B:2E:1B:93:65:67:8C:96:C6:80:E2:\n 86:93:98:C0:E7:B8:60:A6:B7:CA:B8:E2:2F:2D:EC:2B:\n 65:6B:C0:0D:2B:02:20:35:88:B3:85:90:49:1B:0A:BF:\n AC:F0:2E:02:EA:78:6F:35:F8:5D:77:77:F9:C4:16:7B:\n 5E:69:04:A9:0F:D7:4A"
  }
}
```
DECODED CERTIFICATE
```json
{
  "name": "\/C=US\/O=Let's Encrypt\/CN=Let's Encrypt Authority X3",
  "subject": {
    "C": "US",
    "O": "Let's Encrypt",
    "CN": "Let's Encrypt Authority X3"
  },
  "hash": "4f06f81d",
  "issuer": {
    "O": "Digital Signature Trust Co.",
    "CN": "DST Root CA X3"
  },
  "serialNumber": "13298795840390663119752826058995181320",
  "serialNumberHex": "0A0141420000015385736A0B85ECA708",
  "validFrom": "160317164046Z",
  "validTo": "210317164046Z",
  "validFrom_time_t": 1458232846,
  "validTo_time_t": 1615999246,
  "3": [false, "4": [true, "6": [true,
  "extensions": {
    "basicConstraints": "CA:TRUE,pathlen:0",
    "keyUsage": "Digital Signature,Certificate Sign,CRL Sign",
    "authorityInfoAccess": "OCSP - URI:http:\/\/isrg.trustid.ocsp.identrust.com\nCA Issuers - URI:http:\/\/apps.identrust.com\/roots\/dstrootcax3.p7c\n",
    "authorityKeyIdentifier": "keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10\n",
    "certificatePolicies": "Policy: 2.23.140.1.2.1\nPolicy: 1.3.6.1.4.1.44947.1.1.1\n CPS: http:\/\/cps.root-x1.letsencrypt.org\n",
    "crlDistributionPoints": "\nFull Name:\n URI:http:\/\/crl.identrust.com\/DSTROOTCAX3CRL.crl\n",
    "subjectKeyIdentifier": "A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1"
  }
}
```
Here is httpd.conf:
```apache
NameVirtualHost 54.87.59.147:80
NameVirtualHost 54.87.59.147:443
ServerRoot "/etc/httpd"
Include conf.modules.d/*.conf
Listen 80
<VirtualHost 54.87.59.147:80>
    ServerName "www.kalosflorida.com"
    ServerAlias "www.kalosflorida.com"
    Redirect permanent / https://www.kalosflorida.com
</VirtualHost>
User apache
Group apache
ServerAdmin IT@Kalosflorida.com
DocumentRoot "/var/www/html"
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride all
    Allow from all
    directoryIndex index.php index.html
</Directory>
DirectoryIndex index.html index.php
<Files ".ht*">
    Require all denied
</Files>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
<IfModule mod_setenvif.c>
    SetEnvIf X-Forwarded-Proto "^https$" HTTPS
</IfModule>
EnableSendfile on
Include /etc/httpd/conf.d/*.conf
```
Here is ssl.conf:
```apache
Listen 443
Include /etc/httpd/conf.modules.d/00-base.conf
LoadModule ssl_module modules/mod_ssl.so
LoadModule mpm_worker_module modules/mod_mpm_worker.so
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 54.87.59.147:443>
    ServerName "www.kalosflorida.com"
    ServerAlias "www.kalosflorida.com"
    SSLEngine on
    # SSL Protocol support:
    # List the enable protocol levels with which clients will be able to
    # connect. Disable SSLv2 access by default:
    SSLProtocol all
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
    SSLCertificateFile /etc/certs/fullchain.pem
    SSLCertificateKeyFile /etc/certs/privkey.pem
    #SSLCertificateChainFile /etc/letsencrypt/live/www.kalosflorida.com/chain.pem
    #SSLCACertificateFile /etc/letsencrypt/live/www.kalosflorida.com/fullchain.pem
    SSLVerifyClient optional
    SSLVerifyDepth 10
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
```
The output of `openssl s_client -showcerts -connect www.kalosflorida.com:443` is:
```text
CONNECTED(00000003)
140006876845984:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1597976980
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
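An added diagnostic script (written for this page, not from the poster). The `unknown protocol` error from `s_client` means the bytes that came back on port 443 were not a TLS record, which is what a client sees when that port is answered by plain HTTP. One configuration that produces exactly that symptom: on EC2 the public IPv4 address (54.87.59.147 in the question) is NATed to the instance and never appears on its network interface, so a `<VirtualHost 54.87.59.147:443>` block matches no incoming connection, and requests on 443 are handled by the main server, where `SSLEngine` is off. The script checks a configuration for VirtualHosts bound to addresses the host does not own (the configuration excerpt and the set of local addresses are constructed stand-ins, not the live files) and uses the `ssl` module's memory BIOs to build a real ClientHello, send it over a plain socket, and classify whatever comes back, so the difference between "TLS is being negotiated" and "the port is serving plaintext" is visible directly.

```python
import re
import socket
import ssl

# Constructed excerpt modelled on the httpd.conf in the question, not the
# poster's live files: both VirtualHosts are bound to the public IP.
SAMPLE_CONF = """
Listen 80
Listen 443
<VirtualHost 54.87.59.147:80>
    ServerName "www.kalosflorida.com"
    Redirect permanent / https://www.kalosflorida.com
</VirtualHost>
<VirtualHost 54.87.59.147:443>
    ServerName "www.kalosflorida.com"
    SSLEngine on
</VirtualHost>
"""

# Constructed stand-in for the addresses an EC2 instance actually has on its
# interfaces (VPC private address and loopback); the public IP is not among them.
SAMPLE_LOCAL_ADDRS = {"172.31.20.5", "127.0.0.1", "::1"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
WILDCARDS = {"*", "_default_", "0.0.0.0", "[::]"}


def vhost_addresses(conf_text):
    """Return (address, port) for every address listed on a <VirtualHost> line."""
    pairs = []
    for match in VHOST_RE.finditer(conf_text):
        for spec in match.group(1).split():
            if ":" in spec and not spec.endswith("]"):
                addr, port = spec.rsplit(":", 1)   # "[::1]:443" -> ("[::1]", "443")
                pairs.append((addr, int(port)))
            else:
                pairs.append((spec, None))          # bare "*" or "_default_"
    return pairs


def unbound_vhosts(conf_text, local_addrs):
    """VirtualHosts pinned to an address this host does not own.

    Such a block never matches a connection, so the main server answers instead;
    on :443 the main server has no SSLEngine, and the reply is plaintext HTTP.
    """
    return [(addr, port) for addr, port in vhost_addresses(conf_text)
            if addr not in WILDCARDS and addr not in local_addrs]


def classify_reply(data):
    """Classify the first bytes a server sends back after a TLS ClientHello."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"             # TLS handshake record: a ServerHello is on its way
    if data[:5] == b"HTTP/":
        return "plaintext-http"  # HTTP status line: the port is not doing TLS at all
    if not data:
        return "closed"          # peer closed without sending anything
    return "unknown"


def build_client_hello(server_name):
    """Produce a genuine ClientHello without a network socket, via memory BIOs."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                     # expected: the hello is queued, nothing to read yet
    return outgoing.read()


def probe(host, port=443, timeout=5):
    """Send a ClientHello over a plain socket and classify whatever comes back."""
    hello = build_client_hello(host)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello)
        reply = sock.recv(64)
    return classify_reply(reply), reply


if __name__ == "__main__":
    for addr, port in unbound_vhosts(SAMPLE_CONF, SAMPLE_LOCAL_ADDRS):
        print(f"VirtualHost {addr}:{port} is bound to an address this host does not have")
    hello = build_client_hello("www.kalosflorida.com")
    print("ClientHello is", len(hello), "bytes; first record classifies as", classify_reply(hello))
    # Against a live host: probe("www.kalosflorida.com") returns ('tls', ...) when mod_ssl
    # answers on 443, and typically ('plaintext-http', b'HTTP/1.1 400 ...') when it does not.
```

On the instance itself, the local address set comes from `hostname -I` or `ip addr`; replacing the pinned address with `*:443` (or `_default_:443`) makes the SSL VirtualHost match regardless of which interface the load balancer reaches. Once `probe` reports `tls`, the remaining items a scanner such as SSL Labs will flag are already visible in the posted ssl.conf: `SSLProtocol all` still allows SSLv3, TLS 1.0 and TLS 1.1, and `SSLVerifyClient optional` is rarely wanted on a public WordPress host.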