2016-12-30
2017-03-29
2017-03-30
The yum repository on CentOS 7.3 currently only provides httpd up to version 2.4.6; if you want to install version 2.4.25:
[root@localhost conf]# yum list | grep httpd.x86_64
httpd.x86_64 2.4.6-45.el7.centos base
libmicrohttpd.x86_64 0.9.33-2.el7 base
[root@localhost conf]# yum list | grep openssl.x86_64
openssl.x86_64 1:1.0.1e-60.el7 @anaconda
apr-util-openssl.x86_64 1.5.2-6.el7 base
xmlsec1-openssl.x86_64 1.2.20-5.el7 base
[root@localhost conf]#
Install and start
# First install the yum version of OpenSSL
su root
yum -y install openssl openssl-devel apr apr-devel apr-util apr-util-devel pcre pcre-devel gcc
# Install the new httpd (do not install the new openssl-1.1.0c.tar.gz first; that was tested and failed)
cd /usr/local/src
wget http://apache.stu.edu.tw//httpd/httpd-2.4.25.tar.gz
tar xvfz httpd-2.4.25.tar.gz
cd httpd-2.4.25
./configure --enable-ssl --enable-cgid --enable-rewrite --enable-so
make
make install
# Install the new OpenSSL
yum -y install gcc zlib zlib-devel
cd /usr/local/src
wget http://www.openssl.org/source/openssl-1.1.0c.tar.gz
tar xzvf openssl-1.1.0c.tar.gz
cd openssl-1.1.0c
./config shared zlib
make
make install
mv -f /usr/bin/openssl /usr/bin/openssl.bak
mv -f /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
echo "/usr/local/lib64" >> /etc/ld.so.conf
ldconfig -v
openssl version
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
openssl version
# Build httpd again
cd /usr/local/src/httpd-2.4.25
# Note: without --with-ssl=/usr/local, configure searches the default paths and can still pick up the yum OpenSSL headers and libraries
./configure --enable-ssl --enable-cgid --enable-rewrite --enable-so
make
make install
# Configure httpd to use OpenSSL (mod_ssl)
echo "LoadModule ssl_module modules/mod_ssl.so" >> /usr/local/apache2/conf/httpd.conf
echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so" >> /usr/local/apache2/conf/httpd.conf
echo "Include conf/extra/httpd-ssl.conf" >> /usr/local/apache2/conf/httpd.conf
# Generate the SSL key (do not paste all 4 lines into PuTTY at once; run one line, wait for it to finish, then run the next)
cd /usr/local/apache2/conf
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# Start httpd
/usr/local/apache2/bin/httpd -k restart
PS:
If you use AES256 encryption for the key, you are asked for a passphrase of at least 4 characters, and it is also requested every time httpd starts, which is a bit of a hassle.
[root@localhost conf]# openssl genrsa -aes256 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................+++
....................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
139640097662880:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@localhost conf]#
[root@localhost conf]# /usr/local/apache2/bin/httpd -k restart
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
httpd not running, trying to start
[root@localhost conf]#
********************************************************************************
2017-03-29 redid it and added a test
[root@localhost ~]# openssl version
OpenSSL 1.1.0c 10 Nov 2016
[root@localhost ~]#
********************************************************************************
2017-03-29
Considering using phpinfo(); to check the OpenSSL version; there seem to be some problems, to be studied.
[root@localhost ~]# yum -y install httpd php
[root@localhost ~]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2017-03-29 23:12:42 CST; 18s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 96547 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 96543 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 96543 (code=exited, status=1/FAILURE)
Mar 29 23:12:42 localhost.localdomain httpd[96543]: (98)Address already in us...
Mar 29 23:12:42 localhost.localdomain httpd[96543]: (98)Address already in us...
Mar 29 23:12:42 localhost.localdomain httpd[96543]: no listening sockets avai...
Mar 29 23:12:42 localhost.localdomain httpd[96543]: AH00015: Unable to open logs
Mar 29 23:12:42 localhost.localdomain systemd[1]: httpd.service: main process...
Mar 29 23:12:42 localhost.localdomain kill[96547]: kill: cannot find process ""
Mar 29 23:12:42 localhost.localdomain systemd[1]: httpd.service: control proc...
Mar 29 23:12:42 localhost.localdomain systemd[1]: Failed to start The Apache ...
Mar 29 23:12:42 localhost.localdomain systemd[1]: Unit httpd.service entered ...
Mar 29 23:12:42 localhost.localdomain systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@localhost ~]#
********************************************************************************
2017-03-30
Changed to installing httpd and php first
yum -y install httpd php
systemctl start httpd
systemctl status httpd
Everything is normal so far
Then followed the installation from the top again; it failed at the end (the yum httpd started with systemctl is still listening on port 80, so the source-built httpd cannot bind to it)
Getting Private key
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
httpd not running, trying to start
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
[root@localhost ~]#
Create /var/www/html/i.php
with the content
<?php
phpinfo();
?>
It shows the current OpenSSL is version 1.0.1e
Restarting httpd has a problem, to be studied (the unit name was typed as httpd.services instead of httpd)
[root@localhost ~]# systemctl restart httpd.services
Failed to restart httpd.services.service: Unit not found.
[root@localhost ~]#
Related
[Research] Apache 2.4.25 (https) + OpenSSL 1.0.1e (yum) installation (CentOS 7.3)
http://shaurong.blogspot.com/2016/12/apache-2425-https-openssl-110ccentos-73.html
[Research] Apache HTTPd Web Server 2.4.6 + HTTPS (SSL) yum installation (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-246-https-ssl.html
Thanks to the blog owner for sharing so much hands-on system experience~
May I ask whether you have verified that Apache really uses OpenSSL 1.1.0c?
I tested several times following the steps above in the same environment as yours
and found that Apache still uses OpenSSL 1.0.1e
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips
The above did not verify which OpenSSL version httpd ends up using; I will look into it when I have time
I have added a test above. May I ask how you tested?
Thank you for taking the time to test so quickly
Although openssl version in my environment also shows OpenSSL 1.1.0c,
httpd still ends up using OpenSSL 1.0.1e
Your testing method is probably the better one; my haphazard methods were as follows
1. Check error_log, which shows
Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips configured
2. strings mod_ssl.so|grep OpenSSL shows
OpenSSL 1.0.1e 11 Feb 2013
3. Open httpd's port 80 and telnet Target_IP 80
type a few random characters and press Enter; it displays
Server: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips
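Checking which OpenSSL build httpd really uses, as an added example that is not part of the original post or its comments: it combines the error_log and strings checks from the comments with an ldd check, and assumes the /usr/local/apache2 install prefix used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: confirm which OpenSSL build the
# installed httpd actually uses, rather than trusting `openssl version` alone.
# HTTPD_PREFIX assumes the /usr/local/apache2 default used in the post.
HTTPD_PREFIX="${HTTPD_PREFIX:-/usr/local/apache2}"
MODSSL="$HTTPD_PREFIX/modules/mod_ssl.so"

# Pull the OpenSSL version out of a banner line, e.g.
#   "Server: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips"     -> 1.0.1e-fips
#   "OpenSSL 1.0.1e 11 Feb 2013" (from strings mod_ssl.so)  -> 1.0.1e
# Prints the version; returns 1 when the line carries no OpenSSL token.
openssl_version_from_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*OpenSSL[/ ]\([0-9][^ ]*\).*|\1|p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Succeeds only when the banner's OpenSSL version starts with the expected
# release prefix (e.g. "1.1.0" after the source build in the post).
banner_matches_expected() {
    got=$(openssl_version_from_banner "$1") || return 1
    case "$got" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Live check on an installed httpd (needs the files from the post to exist).
check_installed_modssl() {
    [ -f "$MODSSL" ] || { echo "mod_ssl.so not found at $MODSSL" >&2; return 2; }
    # 1. Which libssl/libcrypto the module resolves to at load time:
    #    /usr/lib64/libssl.so.10        -> yum OpenSSL 1.0.1e
    #    /usr/local/lib64/libssl.so.1.1 -> source-built OpenSSL 1.1.0
    ldd "$MODSSL" | grep -E 'libssl|libcrypto'
    # 2. The version string compiled into the module (commenter's method 2).
    strings "$MODSSL" | grep -m1 '^OpenSSL [0-9]'
    # 3. The banner httpd logs at startup (commenter's method 1).
    grep -h 'OpenSSL/' "$HTTPD_PREFIX/logs/error_log" 2>/dev/null | tail -1
}
```

Run `check_installed_modssl` on the build host; if ldd points at /usr/lib64/libssl.so.10, httpd was linked against the yum OpenSSL regardless of what `openssl version` prints.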