訪問我的網站: https://intbird.world 查看https效果
Centos7 apache httpd配置第三方ssl證書 並 將http替換爲https 詳細記錄
文章來自:http://blog.csdn.net/intbird
轉載請說明出處
網站爲什麼要採用https
1.什麼是https:
HTTPS 協議是由 HTTP 加上 TLS/SSL 協議構建的可進行加密傳輸、身份認證的網絡協議,主要通過數字證書、加密算法、非對稱密鑰等技術完成互聯網數據傳輸加密,實現互聯網傳輸安全保護。設計目標主要有三個。
(1)數據保密性:保證數據內容在傳輸的過程中不會被第三方查看。就像快遞員傳遞包裹一樣,都進行了封裝,別人無法獲知裏面裝了什麼 [4] 。
(2)數據完整性:及時發現被第三方篡改的傳輸內容。就像快遞員雖然不知道包裹裏裝了什麼東西,但他有可能中途掉包,數據完整性就是指如果被掉包,我們能輕鬆發現並拒收 [4] 。
(3)身份校驗安全性:保證數據到達用戶期望的目的地。就像我們郵寄包裹時,雖然是一個封裝好的未掉包的包裹,但必須確定這個包裹不會送錯地方,通過身份校驗來確保送對了地方 [4] 。
2.https缺點:
相同網絡環境下,HTTPS 協議會使頁面的加載時間延長近 50%,增加 10%到 20%的耗電。此外,HTTPS 協議還會影響緩存,增加數據開銷和功耗 [2] 。
HTTPS 協議的安全是有範圍的,在黑客攻擊、拒絕服務攻擊和服務器劫持等方面幾乎起不到什麼作用 [2] 。
最關鍵的是,SSL 證書的信用鏈體系並不安全。特別是在某些國家可以控制 CA 根證書的情況下,中間人攻擊一樣可行 [2] 。
成本增加。部署 HTTPS 後,因爲 HTTPS 協議的工作要增加額外的計算資源消耗,例如 SSL 協議加密算法和 SSL 交互次數將佔用一定的計算資源和服務器成本。在大規模用戶訪問應用的場景下,服務器需要頻繁地做加密和解密操作,幾乎每一個字節都需要做加解密,這就產生了服務器成本。隨着雲計算技術的發展,數據中心部署的服務器使用成本在規模增加後逐步下降,相對於用戶訪問的安全提升,其投入成本已經下降到可接受程度 [4]
1. https原理
HTTPS(Hyper Text Transfer Protocol over SecureSocket Layer)
+
SSL(Secure Sockets Layer)
1.HTTPS
2.SSL
1.自建證書創建:
// 生成私鑰
openssl genrsa -out private.key 2048
// 生成csr(Certificate Signing Request)給證書頒發機構的一些信息
openssl req -new -key private.key -out server.csr
// 根據 私鑰 生成 服務器密鑰
openssl rsa -in private.key -out server.key
// 根據服務器密鑰生成服務器證書文件
openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 365 -sha256
2.第三方證書申請:
1. 付費:XXX
很多,企業版的不便宜,略~
2. 免費: https://letsencrypt.org/zh-cn/
很多, 有效時間短,但是可以通過腳本(搜github)續約達到長期
如國外大公司聯合維護的letsencrypt
3. 我採用的freessl.cn 亞太免費一年: https://freessl.cn/
3.自建證書和第三方證書區別
1.自建證書: 服務器和客戶端相互信任,可能會被竊聽,而且會被瀏覽器提示不安全
2.第三方證書: 客戶端請求到服務端再通過證書鏈找到第三方頒發機構,由頒 發機構完全
3. CRL及OCSP的異曲同工之妙
4.附chrome幫助文章 Chrome Support
2.工具準備
- cyberduck (ftp): edit 選擇 visual studio code
- termius (ssh): 保存host,方便連接
- centos主機端安裝openssl
yum install mod_ssl openssl
附: 快捷工具圖標
3.證書配置:
1. 從證書提供商下載頒發後的有密鑰的證書:
2. 將證書導入到本地工具快速轉換等
3. 修改httpd配置,使其支持https
修改ssl.conf如下圖所示:
/etc/httpd/conf.d/ssl.conf
http的配置文件(暫不修改):
/etc/httpd/conf/httpd.conf
- 修改VirtualHost,如果有多個https需求則配置多個該標籤
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName intbird.world:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLCertificateFile /etc/pki/tls/certs/intbird.world.crt
SSLCertificateKeyFile /etc/pki/tls/private/intbird.world_key.key
SSLCertificateChainFile /etc/pki/tls/certs/intbird.world.ca_bundle.crt
</VirtualHost>
4.驗證配置:
apachectl configtest
出現異常:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using intbird.world. Set the 'ServerName' directive globally to suppress this message
Syntax OK
解決方法:
修改httpd.conf
#Listen 80 -> Listen 80
或者 添加 ServerName
ServerName intbird.world:80
5.重啓服務器:
systemctl restart httpd
出現異常
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
6.排查異常方法:
1.命令行工具
systemctl status httpd.service
異常1: 服務器443端口被佔用(解決方法就不用說了)
[root@intbird ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-03-28 10:21:53 CST; 15s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 3950 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 3949 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 3949 (code=exited, status=1/FAILURE)
Mar 28 10:21:53 intbird.world httpd[3949]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 28 10:21:53 intbird.world httpd[3949]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
Mar 28 10:21:53 intbird.world httpd[3949]: no listening sockets available, shutting down
Mar 28 10:21:53 intbird.world httpd[3949]: AH00015: Unable to open logs
Mar 28 10:21:53 intbird.world systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 28 10:21:53 intbird.world kill[3950]: kill: cannot find process ""
Mar 28 10:21:53 intbird.world systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 28 10:21:53 intbird.world systemd[1]: Failed to start The Apache HTTP Server.
Mar 28 10:21:53 intbird.world systemd[1]: Unit httpd.service entered failed state.
Mar 28 10:21:53 intbird.world systemd[1]: httpd.service failed.
[root@intbird ~]# netstat -lnp|grep 443
異常2: RSA密鑰和證書不匹配問題
[root@intbird ~]# systemctl restart httpd
Enter SSL pass phrase for www.intbird.world:443 (RSA) : ***********
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@intbird ~]# systemctl restart httpd
Enter SSL pass phrase for www.intbird.world:443 (RSA) : ***********
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@intbird ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-03-28 12:24:47 CST; 6s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 1342 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 1339 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 1339 (code=exited, status=1/FAILURE)
Mar 28 12:24:43 intbird.world systemd[1]: Starting The Apache HTTP Server...
Mar 28 12:24:47 intbird.world systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 28 12:24:47 intbird.world kill[1342]: kill: cannot find process ""
Mar 28 12:24:47 intbird.world systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 28 12:24:47 intbird.world systemd[1]: Failed to start The Apache HTTP Server.
Mar 28 12:24:47 intbird.world systemd[1]: Unit httpd.service entered failed state.
Mar 28 12:24:47 intbird.world systemd[1]: httpd.service failed.
2. 查看詳細日誌
查看 apache httpd log詳細日誌,快速排查問題
error_log:
[Sat Mar 28 12:44:31.340523 2020] [suexec:notice] [pid 1431] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 28 12:44:35.811231 2020] [ssl:emerg] [pid 1431] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information
ssl_error_log
[Sat Mar 28 12:44:35.811057 2020] [ssl:emerg] [pid 1431] AH02238: Unable to configure RSA server private key
[Sat Mar 28 12:44:35.811212 2020] [ssl:emerg] [pid 1431] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
3.解決異常
1. 443端口被佔用解決
1. netstat -tln | grep $port 得到 pid
2. kill $pid 或者修改佔用端口的軟件用其他端口
2. RSA密鑰和證書不匹配問題
// 1.查看密鑰和證書是否正確配置
find /etc/pki/tls/certs/intbird.world.crt
// 2.驗證moudls是否一致
openssl x509 -noout -text -in certfile -modulus
openssl rsa -noout -text -in密鑰文件-modulus
!發現不匹配解決: 重新正確配置一下
7.重啓服務器會要求輸入密碼
[root@intbird ~]# systemctl restart httpd
Enter SSL pass phrase for intbird.world:443 (RSA) : ***********
[root@intbird ~]#
8.打開網址驗證:
9.強制將網址的http請求轉發爲https請求:
-
解決方法:
1.httpd.conf 文件啓用rewrite
2.ssl.conf 文件添加VirtualHost
如圖所示
![在這裏插入圖片描述]()
<VirtualHost *>
ServerName intbird.world
Redirect 301 / https://intbird.world/
</VirtualHost>
10.收集一下上面用到的幾個經常要打開的地址
// httpd:
// 重啓: systemctl restart httpd
//不重啓應用配置: systemctl reload httpd.service
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf
// 密鑰目錄
/etc/pki/tls/certs
/etc/pki/tls/private
done
文章來自:http://blog.csdn.net/intbird
轉載請說明出處