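An Apache server that had been running normally could not be restarted today. httpd.conf and the other settings had not been modified; according to the log, the server failed to start because its SSL certificate had expired. The fix is described below.
error_log contained the following messages (meaning the certificate has expired):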
[Thu Feb 07 05:17:42 2013] [error] Certificate not verified: 'Server-Cert'
[Thu Feb 07 05:17:42 2013] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 07 05:17:42 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
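I. Solution
As the messages above suggest, certificate checking can be disabled first so that the server can start, and the setting removed again once the certificate has been renewed:
Add the line NSSEnforceValidCerts off to /etc/httpd/conf.d/nss.conf
Since the certificate has expired, though, what actually needs to be done is to renew it, as follows:
1. First check whether the certificate has expired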
# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Mon Dec 01 10:43:20 2008
Not After : Sat Dec 01 10:43:20 2012
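2. Remove the old certificates and generate new ones (deleting the *.db files removes every certificate and key stored in the NSS database)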
# cd /etc/httpd/alias
# rm -f *.db
# /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Thu Feb 07 07:02:53 2013
Not After : Tue Feb 07 07:02:53 2017
3. Finally, fix the ownership and permissions of the new certificate database
chown root:apache /etc/httpd/alias/*.db
chmod 0640 /etc/httpd/alias/*.db
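
The expiry check from step 1 can be scripted so that an approaching "Not After" date is noticed before a restart fails. The following is an added example, not part of the original post: the function names and the warning threshold are hypothetical, the sample input is constructed from the certutil output shown above, and it assumes GNU date and that certutil prints the timestamp in UTC.

```shell
#!/bin/sh
# Constructed sample input: the Validity lines certutil printed for the expired
# certificate in the post (real certutil output is indented; the parser allows both).
sample_cert() {
    cat <<'EOF'
Certificate:
    Data:
        Validity:
            Not Before: Mon Dec 01 10:43:20 2008
            Not After : Sat Dec 01 10:43:20 2012
EOF
}

# Read `certutil -L -n <nickname>` text on stdin, print Not After as epoch seconds.
# Assumption: the timestamp is UTC. Requires GNU date (-d).
not_after_epoch() {
    stamp=$(sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1)
    # Split "Sat Dec 01 10:43:20 2012" into weekday, month, day, time, year.
    set -- $stamp
    [ $# -eq 5 ] || return 1
    date -u -d "$3 $2 $5 $4" +%s
}

# cert_status NOW_EPOCH WARN_DAYS: prints "<STATE> <days left>".
# Exit status: 0 OK, 1 expiring soon, 2 expired, 3 could not parse the input.
cert_status() {
    now=$1 warn_days=$2
    end=$(not_after_epoch) || { echo "UNKNOWN no Not After line found"; return 3; }
    days=$(( (end - now) / 86400 ))
    if [ "$end" -le "$now" ]; then
        echo "EXPIRED $days"; return 2
    elif [ "$days" -lt "$warn_days" ]; then
        echo "EXPIRING $days"; return 1
    fi
    echo "OK $days"
}

# Demo: the sample evaluated at the time of the failed start in the error_log above
# (05:17:42 on 7 Feb 2013, taken as UTC).
sample_cert | cert_status 1360214262 30 || echo "exit status $?"
```

On a live server the input would come from `certutil -d /etc/httpd/alias -L -n Server-Cert` piped into `cert_status "$(date +%s)" 30`, for example from a daily cron job.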