0
我已经创建了AWS API网关,并将它指向VPS。我希望能够为我的VPS启用客户端SSL身份验证。我遵循AWS演练here。我在API网关控制台中生成了PEM编码的证书,并将其复制到我的Apache Web服务器。看起来,证书和/或虚拟主机配置在Apache SSL模块中导致致命错误。Apache配置AWS API网关证书
错误日志:
[Tue Nov 10 10:53:57.140815 2015] [ssl:info] [pid 7283] AH01914: Configuring server example.com:443 for SSL protocol
[Tue Nov 10 10:53:57.140998 2015] [ssl:trace1] [pid 7283] ssl_engine_init.c(724): Configuring permitted SSL ciphers [!aNULL:!eNULL:!EXP:HIGH:!aNULL]
[Tue Nov 10 10:53:57.141165 2015] [ssl:debug] [pid 7283] ssl_engine_init.c(843): AH01904: Configuring server certificate chain (1 CA certificate)
[Tue Nov 10 10:53:57.141175 2015] [ssl:debug] [pid 7283] ssl_engine_init.c(390): AH01893: Configuring TLS extension handling
[Tue Nov 10 10:53:57.141204 2015] [ssl:emerg] [pid 7283] AH02572: Failed to configure at least one certificate and key for example.com:443
[Tue Nov 10 10:53:57.141226 2015] [ssl:emerg] [pid 7283] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Nov 10 10:53:57.141251 2015] [ssl:emerg] [pid 7283] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information
AH00016: Configuration Failed
Apache的虚拟主机配置:
<VirtualHost *:443>
ServerName example.com
ServerAdmin [email protected]
DocumentRoot /var/www/example
DirectoryIndex index.html
SSLEngine on
SSLCertificateChainFile ssl/ca.crt
SSLVerifyDepth 1
LogLevel info ssl:warn debug trace1
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
除非您还拥有SSL *服务器*证书,否则不能要求/使用SSL客户端证书。我没有看到在这里配置了证书和它的私钥,并且'无法为example.com配置至少一个证书和密钥:443'似乎表明这是问题。 –
@ Michael-sqlbot是的,你是绝对正确的。我已经创建了一个自签名证书,将密钥和证书添加到Apache配置中,并且服务器正常启动。现在,API网关正在抱怨“未知端点错误”。 – Richard
API网关不太可能使用自签名证书与后端服务器进行协商,它需要对自签名证书不允许的端点进行身份验证...证书必须来自经认可的证书颁发机构才能使验证有效 –