访问我的网站: https://intbird.world 查看https效果
Centos7 apache httpd配置第三方ssl证书 并 将http替换为https 详细记录
文章来自:http://blog.csdn.net/intbird
转载请说明出处
网站为什么要采用https
1.什么是https:
HTTPS 协议是由 HTTP 加上 TLS/SSL 协议构建的可进行加密传输、身份认证的网络协议,主要通过数字证书、加密算法、非对称密钥等技术完成互联网数据传输加密,实现互联网传输安全保护。设计目标主要有三个。
(1)数据保密性:保证数据内容在传输的过程中不会被第三方查看。就像快递员传递包裹一样,都进行了封装,别人无法获知里面装了什么 [4] 。
(2)数据完整性:及时发现被第三方篡改的传输内容。就像快递员虽然不知道包裹里装了什么东西,但他有可能中途掉包,数据完整性就是指如果被掉包,我们能轻松发现并拒收 [4] 。
(3)身份校验安全性:保证数据到达用户期望的目的地。就像我们邮寄包裹时,虽然是一个封装好的未掉包的包裹,但必须确定这个包裹不会送错地方,通过身份校验来确保送对了地方 [4] 。
2.https缺点:
相同网络环境下,HTTPS 协议会使页面的加载时间延长近 50%,增加 10%到 20%的耗电。此外,HTTPS 协议还会影响缓存,增加数据开销和功耗 [2] 。
HTTPS 协议的安全是有范围的,在黑客攻击、拒绝服务攻击和服务器劫持等方面几乎起不到什么作用 [2] 。
最关键的是,SSL 证书的信用链体系并不安全。特别是在某些国家可以控制 CA 根证书的情况下,中间人攻击一样可行 [2] 。
成本增加。部署 HTTPS 后,因为 HTTPS 协议的工作要增加额外的计算资源消耗,例如 SSL 协议加密算法和 SSL 交互次数将占用一定的计算资源和服务器成本。在大规模用户访问应用的场景下,服务器需要频繁地做加密和解密操作,几乎每一个字节都需要做加解密,这就产生了服务器成本。随着云计算技术的发展,数据中心部署的服务器使用成本在规模增加后逐步下降,相对于用户访问的安全提升,其投入成本已经下降到可接受程度 [4]
1. https原理
HTTPS(Hyper Text Transfer Protocol over SecureSocket Layer)
+
SSL(Secure Sockets Layer)
1.HTTPS
2.SSL
1.自建证书创建:
// 生成私钥
openssl genrsa -out private.key 2048
// 生成csr(Certificate Signing Request)给证书颁发机构的一些信息
openssl req -new -key private.key -out server.csr
// 根据 私钥 生成 服务器密钥
openssl rsa -in private.key -out server.key
// 根据服务器密钥生成服务器证书文件
openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 365 -sha256
2.第三方证书申请:
1. 付费:XXX
很多,企业版的不便宜,略~
2. 免费: https://letsencrypt.org/zh-cn/
很多, 有效时间短,但是可以通过脚本(搜github)续约达到长期
如国外大公司联合维护的letsencrypt
3. 我采用的freessl.cn 亚太免费一年: https://freessl.cn/
3.自建证书和第三方证书区别
1.自建证书: 服务器和客户端相互信任,可能会被窃听,而且会被浏览器提示不安全
2.第三方证书: 客户端请求到服务端再通过证书链找到第三方颁发机构,由颁 发机构完全
3. CRL及OCSP的异曲同工之妙
4.附chrome帮助文章 Chrome Support
2.工具准备
- cyberduck (ftp): edit 选择 visual studio code
- termius (ssh): 保存host,方便连接
- centos主机端安装openssl
yum install mod_ssl openssl
附: 快捷工具图标
3.证书配置:
1. 从证书提供商下载颁发后的有密钥的证书:
2. 将证书导入到本地工具快速转换等
3. 修改httpd配置,使其支持https
修改ssl.conf如下图所示:
/etc/httpd/conf.d/ssl.conf
http的配置文件(暂不修改):
/etc/httpd/conf/httpd.conf
- 修改VirtualHost,如果有多个https需求则配置多个该标签
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName intbird.world:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLCertificateFile /etc/pki/tls/certs/intbird.world.crt
SSLCertificateKeyFile /etc/pki/tls/private/intbird.world_key.key
SSLCertificateChainFile /etc/pki/tls/certs/intbird.world.ca_bundle.crt
</VirtualHost>
4.验证配置:
apachectl configtest
出现异常:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using intbird.world. Set the 'ServerName' directive globally to suppress this message
Syntax OK
解决方法:
修改httpd.conf
#Listen 80 -> Listen 80
或者 添加 ServerName
ServerName intbird.world:80
5.重启服务器:
systemctl restart httpd
出现异常
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
6.排查异常方法:
1.命令行工具
systemctl status httpd.service
异常1: 服务器443端口被占用(解决方法就不用说了)
[root@intbird ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-03-28 10:21:53 CST; 15s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 3950 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 3949 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 3949 (code=exited, status=1/FAILURE)
Mar 28 10:21:53 intbird.world httpd[3949]: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443
Mar 28 10:21:53 intbird.world httpd[3949]: (98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:443
Mar 28 10:21:53 intbird.world httpd[3949]: no listening sockets available, shutting down
Mar 28 10:21:53 intbird.world httpd[3949]: AH00015: Unable to open logs
Mar 28 10:21:53 intbird.world systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 28 10:21:53 intbird.world kill[3950]: kill: cannot find process ""
Mar 28 10:21:53 intbird.world systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 28 10:21:53 intbird.world systemd[1]: Failed to start The Apache HTTP Server.
Mar 28 10:21:53 intbird.world systemd[1]: Unit httpd.service entered failed state.
Mar 28 10:21:53 intbird.world systemd[1]: httpd.service failed.
[root@intbird ~]# netstat -lnp|grep 443
异常2: RSA密钥和证书不匹配问题
[root@intbird ~]# systemctl restart httpd
Enter SSL pass phrase for www.intbird.world:443 (RSA) : ***********
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@intbird ~]# systemctl restart httpd
Enter SSL pass phrase for www.intbird.world:443 (RSA) : ***********
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@intbird ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Sat 2020-03-28 12:24:47 CST; 6s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 1342 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 1339 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 1339 (code=exited, status=1/FAILURE)
Mar 28 12:24:43 intbird.world systemd[1]: Starting The Apache HTTP Server...
Mar 28 12:24:47 intbird.world systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Mar 28 12:24:47 intbird.world kill[1342]: kill: cannot find process ""
Mar 28 12:24:47 intbird.world systemd[1]: httpd.service: control process exited, code=exited status=1
Mar 28 12:24:47 intbird.world systemd[1]: Failed to start The Apache HTTP Server.
Mar 28 12:24:47 intbird.world systemd[1]: Unit httpd.service entered failed state.
Mar 28 12:24:47 intbird.world systemd[1]: httpd.service failed.
2. 查看详细日志
查看 apache httpd log详细日志,快速排查问题
error_log:
[Sat Mar 28 12:44:31.340523 2020] [suexec:notice] [pid 1431] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sat Mar 28 12:44:35.811231 2020] [ssl:emerg] [pid 1431] AH02311: Fatal error initialising mod_ssl, exiting. See /etc/httpd/logs/ssl_error_log for more information
ssl_error_log
[Sat Mar 28 12:44:35.811057 2020] [ssl:emerg] [pid 1431] AH02238: Unable to configure RSA server private key
[Sat Mar 28 12:44:35.811212 2020] [ssl:emerg] [pid 1431] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
3.解决异常
1. 443端口被占用解决
1. netstat -tln | grep $port 得到 pid
2. kill $pid 或者修改占用端口的软件用其他端口
2. RSA密钥和证书不匹配问题
// 1.查看密钥和证书是否正确配置
find /etc/pki/tls/certs/intbird.world.crt
// 2.验证moudls是否一致
openssl x509 -noout -text -in certfile -modulus
openssl rsa -noout -text -in密钥文件-modulus
!发现不匹配解决: 重新正确配置一下
7.重启服务器会要求输入密码
[root@intbird ~]# systemctl restart httpd
Enter SSL pass phrase for intbird.world:443 (RSA) : ***********
[root@intbird ~]#
8.打开网址验证:
9.强制将网址的http请求转发为https请求:
-
解决方法:
1.httpd.conf 文件启用rewrite
2.ssl.conf 文件添加VirtualHost
如图所示
<VirtualHost *>
ServerName intbird.world
Redirect 301 / https://intbird.world/
</VirtualHost>
10.Caddy自动全网https
intbird.world:443
{
tls /etc/pki/tls/certs/intbird.world.pem /etc/pki/tls/private/intbird.world.key
@api {
path /api/*
}
reverse_proxy @api localhost:10086
root * /var/www/html/
file_server /
}
11.SSL安全检查
https://myssl.com/
12.收集一下上面用到的几个经常要打开的地址
// httpd:
// 重启: systemctl restart httpd
//不重启应用配置: systemctl reload httpd.service
/etc/httpd/conf/httpd.conf
/etc/httpd/conf.d/ssl.conf
// 密钥目录
/etc/pki/tls/certs
/etc/pki/tls/private
done
文章来自:http://blog.csdn.net/intbird
转载请说明出处