apache 证书配置
This tutorial series explains how to troubleshoot and fix some of the most common errors that you may encounter when using the Apache web server.
本教程系列说明了如何解决和修复使用Apache Web服务器时可能遇到的一些最常见的错误。
Each tutorial in this series includes descriptions of common Apache configuration, network, filesystem, or permission errors. The series begins with an overview of the commands and log files that you can use to troubleshoot Apache. Subsequent tutorials examine specific errors in detail.
本系列中的每个教程都包含对常见Apache配置,网络,文件系统或权限错误的描述。 本系列文章首先概述了可用于对Apache进行故障排除的命令和日志文件。 后续教程将详细检查特定的错误。
介绍 (Introduction)
Apache generates an AH02572: Failed to configure at least one certificate and key error message when it is configured to use the ssl module, but is missing a TLS/SSL public certificate and corresponding private key. The error will prevent Apache from starting up, and the error message itself will be found in Apache’s logs.
Apache生成AH02572: Failed to configure at least one certificate and key其配置为使用ssl模块时, AH02572: Failed to configure at least one certificate and key错误消息,但缺少TLS / SSL公共证书和相应的私钥。 该错误将阻止Apache启动,并且错误消息本身将在Apache的日志中找到。
In this tutorial you will learn how to troubleshoot an AH02572 error using the methods described in the How to Troubleshoot Common Apache Errors tutorial at the beginning of this series. You will also learn how to set the SSLCertificateFile and SSLCertificateKeyFile directives to resolve the message.
在本教程中,您将学习如何使用本系列开头的“ 如何对常见Apache错误进行故障排除”教程中描述的方法对AH02572错误进行故障排除 。 您还将学习如何设置SSLCertificateFile和SSLCertificateKeyFile指令来解析消息。
If you have already determined that your Apache server is affected by an AH02572 error and you would like to skip the troubleshooting steps, the Adding an SSL Certificate to Apache section at the end of this tutorial explains how to resolve the error.
如果您已经确定AH02572错误影响了Apache服务器,并且想跳过故障排除步骤,那么本教程结尾的“ 向Apache添加SSL证书”部分将说明如何解决该错误。
使用systemctl故障排除 (Troubleshooting Using systemctl)
When you are troubleshooting an AH02572: Failed to configure at least one certificate and key error message, Apache will not be running. Its systemctl status will show a failed message.
对AH02572: Failed to configure at least one certificate and key进行故障排除时AH02572: Failed to configure at least one certificate and key错误消息,Apache将无法运行。 其systemctl状态将显示failed消息。
To examine Apache’s status with systemctl, run the following command on Ubuntu and Debian derived Linux distributions:
要使用systemctl检查Apache的状态,请在Ubuntu和Debian派生的Linux发行版上运行以下命令:
- sudo systemctl status apache2.service -l --no-pager sudo systemctl状态apache2.service -l --no-pager
On CentOS and Fedora systems, use this command to examine Apache’s status:
在CentOS和Fedora系统上,使用以下命令检查Apache的状态:
- sudo systemctl status httpd.service -l --no-pager sudo systemctl状态httpd.service -l --no-pager
The -l flag will ensure that systemctl outputs the entire contents of a line, instead of substituting in ellipses (…) for long lines. The --no-pager flag will output the entire log to your screen without invoking a tool like less that only shows a screen of content at a time.
-l标志将确保systemctl输出一行的全部内容,而不是用省略号( … )代替长行。 --no-pager标志将整个日志输出到您的屏幕,而无需调用诸如less的工具,该工具一次只显示一个屏幕。
You should receive output that is similar to the following:
您应该收到类似于以下内容的输出:
Output
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Fri 2020-07-31 16:02:41 UTC; 20s ago
Process: 36 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Starting The Apache HTTP Server...
Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: Action 'start' failed.
Jul 31 16:02:41 7d6ef84b6907 apachectl[36]: The Apache error log may have more information.
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Control process exited, code=exited status=1
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: apache2.service: Failed with result 'exit-code'.
Jul 31 16:02:41 7d6ef84b6907 systemd[1]: Failed to start The Apache HTTP Server.
The important lines to note are the ones showing that Apache failed to start. However, there is nothing in the output that indicates an AH02572 error message. Examining the systemd logs for Apache using the journalctl command, or checking Apache’s configuration files with apachectl configtest will not help locate information that you can use to troubleshoot the error.
需要注意的重要内容是表明Apache无法启动的内容。 但是,输出中没有任何内容指示AH02572错误消息。 使用journalctl命令检查Apache的systemd日志,或者使用apachectl configtest检查Apache的配置文件,将无助于查找可用于解决错误的信息。
To diagnose and resolve an AH02572 error, the next section explains how to examine Apache’s logs directly.
为了诊断和解决AH02572错误,下一节将说明如何直接检查Apache的日志。
检查Apache的日志 (Examining Apache’s Logs)
Apache logs diagnostic information about its internal operations to various locations, which differ depending on your Linux distribution. Typically, Apache is configured to log error messages to a separate log file from access requests in order to help with debugging, monitoring, and alerting.
Apache将有关其内部操作的诊断信息记录到各个位置,具体位置取决于您的Linux发行版。 通常,将Apache配置为将错误消息与访问请求记录到单独的日志文件中,以帮助进行调试,监视和警报。
On Ubuntu and Debian-derived systems, Apache defaults to using /var/log/apache2/error.log for error messages.
在Ubuntu和Debian衍生的系统上,Apache默认使用/var/log/apache2/error.log来显示错误消息。
On CentOS, Fedora, and RedHat-derived systems, Apache defaults to logging errors to the /var/log/httpd/error_log file.
在CentOS,Fedora和RedHat派生的系统上,Apache默认将错误记录到/var/log/httpd/error_log文件中。
To examine Apache’s logs for evidence of an AH02572 error message, use the grep utility to search for the error code in the appropriate log file for your distribution. While there are other tools like less that you could use to find evidence of an AH02572 error, grep will only display lines with the error code so you can be sure of whether you’re affected by the issue.
要检查Apache日志中是否有AH02572错误消息的证据,请使用grep实用程序在适当的日志文件中搜索错误代码以进行分发。 尽管还有其他工具(例如, less一些)可用于查找AH02572错误的证据,但grep仅显示带有错误代码的行,因此您可以确定自己是否受此问题影响。
Invoke grep like this on Ubuntu and Debian-derived systems:
在Ubuntu和Debian衍生的系统上像这样调用grep :
- sudo grep AH02572 /var/log/apache2/error.log 须藤grep AH02572 /var/log/apache2/error.log
On CentOS, Fedora, and RedHat-derived systems, use the following command:
在CentOS,Fedora和RedHat派生的系统上,使用以下命令:
- sudo grep AH02572 /var/log/httpd/error_log 须藤grep AH02572 / var / log / httpd / error_log
If your Apache server is affected by an AH02572 error, you will have output like the following:
如果您的Apache服务器受到AH02572错误的影响,则将显示以下内容:
Output
[Mon Aug 03 13:21:47.677235 2020] [ssl:emerg] [pid 26:tid 140355819735360] AH02572: Failed to configure at least one certificate and key for 203.0.113.0:443
If your server is affected by an AH02572 error, the next section of this tutorial explains how to resolve it, by either disabling the ssl module, or configuring Apache with a private key and public certificate file.
如果您的服务器受到AH02572错误的影响,本教程的下一部分将说明如何通过禁用ssl模块或使用私钥和公共证书文件配置Apache来解决该问题。
解决AH02572错误 (Resolving an AH02572 Error)
There are three ways to resolve an AH02572 error. The first option to resolve the error is to configure Apache with a private key and public certificate that is signed by a recognized Certificate Authority (CA). Let’s Encrypt is a free CA and you can use it to issue a valid certificate. This approach will ensure that traffic to and from your server is encrypted properly, and that web browsers and other HTTP clients trust your Apache server.
有三种方法可以解决AH02572错误。 解决该错误的第一个选项是使用由公认的证书颁发机构(CA)签名的私钥和公共证书来配置Apache。 让我们加密是一个免费的CA,您可以使用它来颁发有效的证书。 这种方法将确保正确加密往返服务器的流量,并确保Web浏览器和其他HTTP客户端信任您的Apache服务器。
Another approach is to create a self-signed certificate for your Apache server. This approach is useful for development and testing environments, or in cases where your server is not directly connected to the Internet and you can establish trust between systems manually.
另一种方法是为您的Apache服务器创建一个自签名证书。 此方法对开发和测试环境很有用,或者在服务器未直接连接到Internet并且可以手动在系统之间建立信任的情况下。
The last approach to resolving an AH02572 error is to turn off Apache’s ssl module entirely. This option is the least preferred since traffic to and from your server will not be encrypted. However, if you are only using your Apache server for local development or in a trusted environment, this approach can be valid.
解决AH02572错误的最后一种方法是完全关闭Apache的ssl模块。 此选项是首选,因为不会加密往返服务器的流量。 但是,如果仅将Apache服务器用于本地开发或在受信任的环境中使用,则此方法可能有效。
The following sections explain how to resolve an AH02572 error using each of the three options.
以下各节说明如何使用这三个选项来解决AH02572错误。
使用加密TLS证书解决AH02572错误 (Resolving an AH02572 Error with a Let’s Encrypt TLS Certificate)
To encrypt traffic to your Apache server using a free Let’s Encrypt TLS Certificate, use one of the guides that is specific to your Linux distribution from this tutorial series: How To Secure Apache with Let’s Encrypt.
要使用免费的Let's Encrypt TLS证书来加密到Apache服务器的流量,请使用本教程系列中特定于您的Linux发行版的指南之一: 如何使用Let's Encrypt保护Apache 。
The Let’s Encrypt process is mostly automated, and the scripts will configure Apache for you. Moreover, the issued certificate will also be renewed automatically so you do not have to worry about it expiring in the future.
Let's Encrypt过程大部分是自动化的,这些脚本将为您配置Apache。 此外,颁发的证书也将自动更新,因此您不必担心证书将来会过期。
If you are using a Linux distribution that is not included in the How To Secure Apache with Let’s Encrypt series, the Let’s Encrypt documentation includes links to interactive Certbot instructions that can help you configure your Apache server with a valid TLS certificate.
如果使用的Linux发行版未包含在“ 如何使用Let's Encrypt保护Apache”系列中,则“ Let's Encrypt”文档包含指向交互式Certbot指令的链接, 这些指令可帮助您使用有效的TLS证书配置Apache服务器。
使用自签名证书解决AH02572错误 (Resolving an AH02572 Error with a Self-Signed Certificate)
To encrypt traffic to your Apache server using a self-signed certificate, use one of the tutorials from this series that explains how to create Self-signed SSL Certificates with Apache.
要使用自签名证书对到Apache服务器的通信进行加密,请使用本系列中的教程之一,该教程说明了如何使用Apache创建自签名SSL证书 。
These tutorials demonstrate how to generate a private key and public certificate for your Apache server. They also demonstrate how to use the SSLCertificateFile and SSLCertificateKeyFile Apache directives to configure your server with the certificate that you generate.
这些教程演示了如何为Apache服务器生成私钥和公共证书。 他们还演示了如何使用SSLCertificateFile和SSLCertificateKeyFile Apache指令使用生成的证书来配置服务器。
If you are not using a distribution that is listed in the Self-signed SSL Certificates with Apache set of tutorials, this OpenSSL Essentials: Working with SSL Certificates, Private Keys and CSRs guide can help you create a private key and self-signed public certificate that you can use with Apache.
如果您没有使用带有Apache的自签名SSL证书集的教程中列出的发行版,则此OpenSSL Essentials:使用SSL证书,私钥和CSR指南可以帮助您创建私钥和自签名的公共证书。可以与Apache一起使用。
Note: Where possible, it is best to use a free Let’s Encrypt certificate, or other commercially issued TLS certificate. Self-signed TLS certificates are not trusted by default by browsers and other HTTP clients. As a result, your users will see a security error when visiting your site. However, if you are doing local development, or your use case does not require a valid TLS certificate you can opt for the self-signed approach.
注意:尽可能使用免费的Let's Encrypt证书或其他商业发行的TLS证书。 默认情况下,浏览器和其他HTTP客户端不信任自签名TLS证书。 结果,您的用户在访问您的网站时将看到安全错误。 但是,如果您正在进行本地开发,或者您的用例不需要有效的TLS证书,则可以选择自签名方法。
禁用ssl模块 (Disabling the ssl Module)
The last approach to resolving an AH02572 error is to turn off Apache’s TLS/SSL support by disabling the ssl module. This approach is less desirable than encrypting traffic to your server with a TLS certificate, so be certain that you do not need TLS support before disabling the module.
解决AH02572错误的最后一种方法是通过禁用ssl模块来关闭Apache的TLS / SSL支持。 与使用TLS证书加密到服务器的流量相比,此方法不那么理想,因此请确保在禁用模块之前不需要TLS支持。
To disable Apache’s ssl module on Ubuntu and Debian-derived systems, run the following command:
要在Ubuntu和Debian派生的系统上禁用Apache的ssl模块,请运行以下命令:
- sudo a2dismod ssl 须藤a2dismod ssl
On CentOS, Fedora, and RedHat-derived systems, disable the module with the following command:
在CentOS,Fedora和RedHat派生的系统上,使用以下命令禁用该模块:
- sudo rm /etc/httpd/conf.modules.d/00-ssl.conf 须藤rm /etc/httpd/conf.modules.d/00-ssl.conf
Once you have disabled the ssl module, run apachectl to test that the configuration is valid.
禁用ssl模块后,请运行apachectl来测试配置是否有效。
- sudo apachectl configtest 须藤apachectl configtest
A successful apachectl configtest invocation should result in output like this:
成功的apachectl configtest调用应导致如下输出:
Output
Syntax OK
You can now restart Apache using the appropriate systemctl restart command for your Linux distribution.
现在,您可以使用适用于Linux发行版的适当的systemctl restart命令来重新启动Apache。
On Ubuntu and Debian-derived systems, run the following:
在Ubuntu和Debian衍生的系统上,运行以下命令:
- sudo systemctl restart apache2.service sudo systemctl重新启动apache2.service
On CentOS, Fedora, and RedHat-derived systems use this command to restart Apache:
在CentOS,Fedora和RedHat派生的系统上,使用以下命令重新启动Apache:
- sudo systemctl restart httpd.service sudo systemctl重新启动httpd.service
If there are no errors from the systemctl command then you have disabled the ssl module successfully.
如果systemctl命令没有错误,则说明您已成功禁用ssl模块。
结论 (Conclusion)
AH02572: Failed to configure at least one certificate and key errors are challenging to detect and troubleshoot. They cannot be diagnosed with the usual systemctl, journalctl, and apachectl commands. In this tutorial you learned how to use the grep utility to examine Apache’s logs directly for evidence of an AH02572 error.
AH02572: Failed to configure at least one certificate and key错误很难检测和排除故障。 无法使用常规的systemctl , journalctl和apachectl命令来诊断它们。 在本教程中,您学习了如何使用grep实用程序直接检查Apache的日志以寻找AH02572错误的证据。
Next you learned how to use Let’s Encrypt to configure Apache with a TLS certificate to secure your traffic and resolve the AH02572 error. You also learned about using self-signed TLS certificates for development and isolated environments. Finally you learned how to turn off the ssl module for those situations where it is not needed.
接下来,您学习了如何使用“让我们加密”为Apache配置TLS证书来保护您的流量并解决AH02572错误。 您还了解了如何将自签名TLS证书用于开发和隔离环境。 最后,您学习了如何在不需要ssl情况下关闭ssl模块。
apache 证书配置
扫一扫
4133
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
