我正试图让apache2在Ubuntu 20上使用证书(selc创建(。当我尝试使用Chrome打开端点时(https://local.pretzel.com/editor)我得到:
This site can’t provide a secure connection
local.pretzel.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR
花了一整晚的时间在这上面,可以利用一些帮助来了解我做错了什么,以及如何正确地调试它。
//Apache conf
/etc/apache2/中的httpd.conf
LoadModule mpm_prefork_module libexec/apache2/mod_mpm_prefork.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule authz_core_module libexec/apache2/mod_authz_core.so
LoadModule unixd_module libexec/apache2/mod_unixd.so
LoadModule rewrite_module libexec/apache2/mod_rewrite.so
LoadModule php7_module libexec/apache2/libphp7.so
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule ssl_module libexec/apache2/mod_ssl.so
User _www
Group _www
DirectoryIndex index.html
ErrorLog "/var/log/apache2/error_log"
LogFormat "%h %l %u %t "%r" %>s %b" common
CustomLog "/var/log/apache2/access_log" common
TypesConfig /etc/apache2/mime.types
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
DirectoryIndex index.html index.php
<Directory /home/prtz/workspace/frontend/build>
Options Indexes FollowSymLinks
Require all granted
AllowOverride All
</Directory>
ServerName local.pretzel.com
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<VirtualHost *:443>
DocumentRoot "/home/prtz/workspace/frontend/build"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/etc/apache2/local.pretzel.com.crt"
SSLCertificateKeyFile "/etc/apache2/local.pretzel.com.nopass.key"
ServerName local.pretzel.com
</VirtualHost>
/etc/apache2/可用站点/default-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin webmaster@localhost
ServerName local.pretzel.com
DocumentRoot "/home/prtz/workspace/frontend/build"
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/etc/apache2/local.pretzel.com.crt"
SSLCertificateKeyFile "/etc/apache2/local.pretzel.com.nopass.key"
<FilesMatch ".(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
</VirtualHost>
</IfModule>
/etc/apache2/可用站点/00-default.conf
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
<VirtualHost *:443>
ServerName local.pretzel.com
</VirtualHost>
nmap—编写ssl枚举密码脚本-p 443 local.pretzel.com:
nmap --script ssl-enum-ciphers -p 443 local.pretzel.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-28 21:27 PDT
Nmap scan report for local.pretzel.com (127.0.0.1)
Host is up (0.000064s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 15.49 seconds
cat/etc/hosts:
cat /etc/hosts
127.0.0.1 local.pretzel.com
127.0.0.1 localhost
127.0.1.1 ubuntu
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
使用创建证书
openssl openssl req -newkey rsa:2048 -x509 -nodes \
-keyout local.pretzel.com.key \
-new \
-out local.pretzel.com.crt \
-subj /CN=local.pretzel.com \
-reqexts SAN \
-extensions SAN \
-config <(cat /usr/lib/ssl/openssl.cnf \
<(printf '[SAN]nsubjectAltName=DNS:local.pretzel.com')) \
-sha256 \
-days 3650
sudo openssl rsa -in local.pretzel.com.key -out local.pretzel.com.nopass.key
sudo mv *.key *.crt /etc/apache2
向/usr/local/share/ca-certificates/添加了证书
sudo update-ca-certificates
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping duplicate certificate in server.pem
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
//检查证书
openssl verify local.pretzel.com.crt
local.pretzel.com.crt: OK
//使用openssl连接进行检查
openssl s_client -connect local.pretzel.com:443 -CApath /etc/ssl/certs
CONNECTED(00000003)
140129913148736:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
//检查防火墙
sudo ufw status
[sudo] password for prtz:
Status: active
To Action From
-- ------ ----
Apache ALLOW Anywhere
443 ALLOW Anywhere
80 ALLOW Anywhere
443/tcp ALLOW Anywhere
Apache (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
80 (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
//将curl与https 结合使用
curl https://local.pretzel.com
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
而在没有https的情况下,它将返回"https";Apache2 Ubuntu默认页面:它工作";
curl https://local.pretzel.com
用于解决问题的证书让Chrome接受自签名localhost证书对于apache配置;虚拟主机*:443>从httpd.conf到可用的站点/文件夹,其conf文件与我使用的域相同。
我从https中删除了额外的s,它解决了我的错误。
http://localhost:xxxx/nifi-registry