Upgrading the keystone service to certificate-encrypted HTTPS

Install mod_ssl with yum

[root@controller ~]# yum install -y mod_ssl      		//install mod_ssl from the online repository
已加載插件:fastestmirror
centos                                                                                                           | 3.6 kB  00:00:00     
iaas                                                                                                             | 2.9 kB  00:00:00     
Loading mirror speeds from cached hostfile
正在解決依賴關係
--> 正在檢查事務
---> 軟件包 mod_ssl.x86_64.1.2.4.6-40.el7.centos.4 將被 安裝
--> 解決依賴關係完成

依賴關係解決

========================================================================================================================================
 Package                      架構                        版本                                          源                         大小
========================================================================================================================================
正在安裝:
 mod_ssl                      x86_64                      1:2.4.6-40.el7.centos.4                       iaas                      104 k

事務概要
========================================================================================================================================
安裝  1 軟件包

總下載量:104 k
安裝大小:224 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在安裝    : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                                                              1/1 
  驗證中      : 1:mod_ssl-2.4.6-40.el7.centos.4.x86_64                                                                              1/1 

已安裝:
  mod_ssl.x86_64 1:2.4.6-40.el7.centos.4                                                                                                

完畢!

Configuring mod_ssl on the HTTP server

1. Create the server key

[root@controller ~]#  cd /etc/pki/tls/certs/  	//enter the directory holding the HTTP server's certificate files
[root@controller ~]#  make server.key  		//create the server key
umask 77 ; \
/usr/bin/openssl genrsa -des3 1024 > server.key
Generating RSA private key, 1024 bit long modulus
................++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase:                      	//enter the pass phrase here
Verifying - Enter pass phrase:   			//confirm the pass phrase by entering it again
[root@controller ~]#  openssl rsa -in server.key -out server.key  		//remove the pass phrase from the key (so the system is not prompted for it after boot)
Enter pass phrase for server.key: 			//enter the pass phrase
writing RSA key

2. Create the server certificate request (CSR), which carries the server's public key

[root@controller ~]#  make server.csr 		//create the certificate signing request
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN 			//enter the country code
State or Province Name (full name) [Berkshire]:Xinjiang		//enter the province name
Locality Name (eg, city) [Newbury]:Shihezi  			//enter the city name
Organization Name (eg, company) [My Company Ltd]:www.msdn.com 		//enter the organization name (anything)
Organizational Unit Name (eg, section) []: 	//leave blank, just press Enter
Common Name (eg, your name or your server's hostname) []:www.msdn.com  	//enter the common name (anything)
Email Address []:[email protected]   			//enter the e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 				//leave blank, just press Enter
An optional company name []:  			//leave blank, just press Enter

3. Create the server certificate

[root@controller ~]#  openssl x509 -in server.csr -out server.pem -req -signkey server.key -days 365 				//create the (self-signed) server certificate
Signature ok
subject=/C=CN/ST=Xinjiang/L=Shihezi/O=www.51cto.com/emailAddress=[email protected]
Getting Private key
Enter pass phrase for server.key:
140645233670048:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
[root@controller ~]#  chmod 400 server.*  		//restrict the permissions to 400

4. Configure SSL

[root@controller ~]#  vi /etc/httpd/conf.d/ssl.conf 	//edit the SSL configuration file
#DocumentRoot "/var/www/html" 		//find this line and remove the leading "#"
↓
DocumentRoot "/var/www/html"  		//so that it reads like this

5. Restart the HTTP service so that SSL takes effect

[root@controller]#  systemctl restart httpd.service 	//restart the HTTP server

Local configuration file /etc/httpd/conf.d/ssl_saturn.conf:

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/var/www/html"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!SEED:!IDEA
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost> 
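Added example, not part of the original post: steps 1 to 3 above run non-interactively (with a 2048-bit key instead of the post's 1024-bit one), plus the check worth doing before step 5, namely that the SSLCertificateFile and SSLCertificateKeyFile named in the ssl.conf above actually belong together (the post generates server.pem/server.key but the config points at localhost.crt/localhost.key). Directory, subject and the demo ssl.conf are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed paths and subject.
set -eu

# Steps 1-3 in one go: unencrypted key (as after the post's 'openssl rsa' step),
# certificate request, self-signed certificate, then the post's chmod 400.
make_self_signed() {
  dir=$1; subj=$2
  umask 077                                      # same effect as the Makefile's 'umask 77'
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -utf8 -key "$dir/server.key" -subj "$subj" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -signkey "$dir/server.key" -days 365 \
      -out "$dir/server.pem" 2>/dev/null
  chmod 400 "$dir"/server.*
}

# Succeeds only if the certificate's public key equals the private key's public half.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Reads SSLCertificateFile / SSLCertificateKeyFile from an httpd ssl.conf and
# verifies that both files exist and belong together. Exit status 0 = consistent.
check_ssl_conf() {
  cert=$(awk '$1=="SSLCertificateFile"{print $2; exit}' "$1")
  key=$(awk '$1=="SSLCertificateKeyFile"{print $2; exit}' "$1")
  if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
    echo "check_ssl_conf: missing cert ($cert) or key ($key)" >&2; return 1
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "check_ssl_conf: $cert does not match $key" >&2; return 1
  fi
  echo "check_ssl_conf: $cert matches $key"
}

# Demo (./script.sh demo): uses a temporary directory instead of /etc/pki/tls/certs.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_self_signed "$d" "/C=CN/ST=Xinjiang/L=Shihezi/O=www.msdn.com/CN=www.msdn.com"
  printf 'SSLCertificateFile %s/server.pem\nSSLCertificateKeyFile %s/server.key\n' "$d" "$d" > "$d/ssl.conf"
  check_ssl_conf "$d/ssl.conf"
fi
```

Run check_ssl_conf against the real /etc/httpd/conf.d/ssl.conf before restarting httpd; a mismatch there is exactly what makes httpd fail to start after step 5.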