Environment: CentOS 7
Software: nginx 1.10.2
Problem encountered
I added SSL support to nginx, using a free one-year SSL certificate from StartCom.
I configured the downloaded server.crt and my own generated server.key in nginx.conf, but found that starting nginx through the init script failed.
nginx.conf
listen 8080 ;
listen 443 ssl;
server_name www.jeiao.com;
charset utf-8;
ssl_certificate /usr/local/nginx/ssl/www.jeiao.com.crt;
ssl_certificate_key /usr/local/nginx/ssl/www.jeiao.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
Check the nginx service status
[root@nginx]# systemctl status nginx.service
● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2017-01-19 04:46:06 UTC; 19s ago
Docs: man:systemd-sysv-generator(8)
Process: 22025 ExecStop=/etc/rc.d/init.d/nginx stop (code=exited, status=0/SUCCESS)
Process: 22054 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
Main PID: 21789 (code=exited, status=0/SUCCESS)
Jan 19 04:46:06 systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
Jan 19 04:46:06 nginx[22054]: Starting nginx: Enter PEM pass phrase:
Jan 19 04:46:06 nginx[22054]: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/nginx/ssl/www.jeiao.com.key") failed (SSL: error:0906406D:PEM routines:PEM_def_callback:p...
Jan 19 04:46:06 nginx[22054]: [FAILED]
Jan 19 04:46:06 systemd[1]: nginx.service: control process exited, code=exited status=1
Jan 19 04:46:06 systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
Jan 19 04:46:06 systemd[1]: Unit nginx.service entered failed state.
Jan 19 04:46:06 systemd[1]: nginx.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Start nginx from the command line
/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
Enter PEM pass phrase: # enter the certificate's password
So the cause is roughly clear: the SSL key carries a passphrase, which has to be removed.
Solution
cp www.jeiao.com.key www.jeiao.com.key.org
openssl rsa -in www.jeiao.com.key.org -out www.jeiao.com.key
Replace the key under the ssl directory and restart nginx.
After that, starting nginx through the script works without problems.
/etc/init.d/nginx start
# startup output log
Starting nginx (via systemctl): [ OK ]
Reference links:
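As an added example (not from the original post), the following POSIX shell helper tells an encrypted PEM key apart from a plain one and performs the same passphrase removal as the two commands above, but non-interactively, reading the passphrase from a file so it never lands on the command line or in shell history. The key paths and the passphrase file are assumed placeholders. Removing the passphrase leaves the private key unprotected on disk, so the helper creates the new file mode 0600 and verifies it loads; nginx 1.7.3 and later also offer the `ssl_password_file` directive, which lets the key stay encrypted while still starting unattended.

```shell
#!/bin/sh
# Added example, not from the original post: detect whether a PEM private key
# is passphrase-protected and strip the passphrase without an interactive
# prompt, so a service manager can start nginx. All paths are placeholders.
set -eu

# Return 0 if the PEM file is encrypted. Covers the legacy PKCS#1 form
# ("Proc-Type: 4,ENCRYPTED" header, what `openssl genrsa -des3` produces)
# and the PKCS#8 form ("BEGIN ENCRYPTED PRIVATE KEY").
key_is_encrypted() {
    key="$1"
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$key" \
       || grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        return 0
    fi
    return 1
}

# Write an unencrypted copy of key $1 to $2, reading the passphrase from the
# file named in $3. The original is preserved as "$1.org", as in the post.
strip_passphrase() {
    in="$1"; out="$2"; passfile="$3"
    cp -p "$in" "$in.org"
    umask 077                        # new key file is created mode 0600
    openssl rsa -in "$in.org" -passin "file:$passfile" -out "$out"
    chmod 0600 "$out"
    # confirm the result is a loadable RSA key and is no longer encrypted
    openssl rsa -in "$out" -check -noout >/dev/null
    if key_is_encrypted "$out"; then
        echo "error: $out is still encrypted" >&2
        return 1
    fi
    return 0
}

# Report on a key the way an admin would check it before restarting nginx.
report_key() {
    if key_is_encrypted "$1"; then
        echo "$1: encrypted, nginx will prompt for a passphrase at start"
    else
        echo "$1: not encrypted"
    fi
}

# Usage (constructed paths):
#   printf '%s' 'the-passphrase' > /root/key.pass && chmod 0600 /root/key.pass
#   ./fix_key.sh /usr/local/nginx/ssl/www.jeiao.com.key /root/key.pass
if [ "$#" -eq 2 ]; then
    report_key "$1"
    strip_passphrase "$1" "$1" "$2"
    report_key "$1"
fi
```

Before restarting, `nginx -t` will now load the key without prompting; if a prompt still appears, `report_key` on the configured path tells you which form of encrypted PEM it is.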
http://www.akadia.com/services/ssh_test_certificate.html
http://webmasters.stackexchange.com/questions/1247/can-i-skip-the-pem-pass-phrase-question-when-i-restart-the-webserver