Saturday, December 31, 2016

[Research] Apache 2.4.25 (https) + OpenSSL 1.1.0c installation (CentOS 7.3)


2016-12-30
2017-03-29
2017-03-30

The yum repositories of CentOS 7.3 currently only provide httpd up to version 2.4.6; if you want to install version 2.4.25:

[root@localhost conf]# yum list | grep httpd.x86_64
httpd.x86_64                               2.4.6-45.el7.centos         base
libmicrohttpd.x86_64                       0.9.33-2.el7                base

[root@localhost conf]# yum list | grep openssl.x86_64
openssl.x86_64                             1:1.0.1e-60.el7             @anaconda
apr-util-openssl.x86_64                    1.5.2-6.el7                 base
xmlsec1-openssl.x86_64                     1.2.20-5.el7                base
[root@localhost conf]#

Installation and startup

# First install the yum version of OpenSSL
su  root
yum  -y  install  openssl  openssl-devel  apr  apr-devel apr-util apr-util-devel  pcre pcre-devel  gcc

# Install the new httpd (do not install the new openssl-1.1.0c.tar.gz first; in actual testing that failed)
cd  /usr/local/src
wget  http://apache.stu.edu.tw//httpd/httpd-2.4.25.tar.gz
tar  xvfz httpd-2.4.25.tar.gz
cd  httpd-2.4.25
./configure --enable-ssl --enable-cgid --enable-rewrite --enable-so
make
make install

# Install the new OpenSSL
yum  -y  install   gcc   zlib   zlib-devel
cd  /usr/local/src
wget  http://www.openssl.org/source/openssl-1.1.0c.tar.gz
tar xzvf  openssl-1.1.0c.tar.gz
cd  openssl-1.1.0c
./config  shared  zlib
make
make  install
mv  -f   /usr/bin/openssl /usr/bin/openssl.bak
mv  -f  /usr/include/openssl   /usr/include/openssl.bak
ln  -s  /usr/local/bin/openssl   /usr/bin/openssl
ln  -s  /usr/local/include/openssl   /usr/include/openssl
echo   "/usr/local/lib64"   >>   /etc/ld.so.conf
ldconfig  -v
openssl  version
ln  -s  /usr/local/lib64/libssl.so.1.1  /usr/lib64/libssl.so.1.1

ln  -s  /usr/local/lib64/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1
openssl  version

# Build httpd once more
cd  httpd-2.4.25
./configure --enable-ssl --enable-cgid --enable-rewrite --enable-so
make
make install

# Configure httpd to use openssl
echo  "LoadModule ssl_module modules/mod_ssl.so"  >>  /usr/local/apache2/conf/httpd.conf
echo  "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so"  >>  /usr/local/apache2/conf/httpd.conf
echo  "Include conf/extra/httpd-ssl.conf"  >>  /usr/local/apache2/conf/httpd.conf

# Generate the ssl key (do not paste all 4 lines into putty at once here; run one line, wait for it to finish, then run the next)
cd  /usr/local/apache2/conf
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# Start httpd
/usr/local/apache2/bin/httpd  -k  restart

PS:
If you want to encrypt the key with AES256, a passphrase of at least 4 characters is required, and it is also prompted for when httpd starts, which is a bit of a hassle.

[root@localhost conf]# openssl genrsa -aes256 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................+++
....................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
139640097662880:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@localhost conf]#


[root@localhost conf]# /usr/local/apache2/bin/httpd -k restart
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
httpd not running, trying to start
[root@localhost conf]#

********************************************************************************

2017-03-29 redone, with additional tests

[root@localhost ~]# openssl version
OpenSSL 1.1.0c  10 Nov 2016
[root@localhost ~]#

********************************************************************************

2017-03-29

Considered using phpinfo(); to check the OpenSSL version, but it seems to have some problems; to be investigated.

[root@localhost ~]# yum -y install httpd php

[root@localhost ~]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

[root@localhost ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-03-29 23:12:42 CST; 18s ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 96547 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 96543 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 96543 (code=exited, status=1/FAILURE)

Mar 29 23:12:42 localhost.localdomain httpd[96543]: (98)Address already in us...
Mar 29 23:12:42 localhost.localdomain httpd[96543]: (98)Address already in us...
Mar 29 23:12:42 localhost.localdomain httpd[96543]: no listening sockets avai...
Mar 29 23:12:42 localhost.localdomain httpd[96543]: AH00015: Unable to open logs
Mar 29 23:12:42 localhost.localdomain systemd[1]: httpd.service: main process...
Mar 29 23:12:42 localhost.localdomain kill[96547]: kill: cannot find process ""
Mar 29 23:12:42 localhost.localdomain systemd[1]: httpd.service: control proc...
Mar 29 23:12:42 localhost.localdomain systemd[1]: Failed to start The Apache ...
Mar 29 23:12:42 localhost.localdomain systemd[1]: Unit httpd.service entered ...
Mar 29 23:12:42 localhost.localdomain systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@localhost ~]#

********************************************************************************

2017-03-30

Changed to installing httpd and php first
yum  -y  install  httpd  php
systemctl   start  httpd
systemctl   status  httpd
Everything works normally so far

Then followed the installation from the top again; it failed at the end

Getting Private key
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using localhost.localdomain. Set the 'ServerName' directive globally to suppress this message
httpd not running, trying to start
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs
[root@localhost ~]#

Create a file /var/www/html/i.php with the contents
<?php
phpinfo();
?>
It shows that the current OpenSSL is version 1.0.1e


Restarting httpd has a problem; to be investigated

[root@localhost ~]# systemctl restart httpd.services
Failed to restart httpd.services.service: Unit not found.
[root@localhost ~]#

(To be investigated)

Related

[Research] Apache 2.4.25 (https) + OpenSSL 1.0.1e (yum) installation (CentOS 7.3)
http://shaurong.blogspot.com/2016/12/apache-2425-https-openssl-110ccentos-73.html

[Research] Apache HTTPd Web Server 2.4.6 + HTTPS (SSL) yum installation (CentOS 7.2 x64)
http://shaurong.blogspot.com/2016/08/apache-httpd-web-server-246-https-ssl.html

4 comments:

  1. Thanks to the blog owner for sharing so much hands-on system experience~
    May I ask whether you have verified that Apache really uses OpenSSL 1.1.0c?
    I tested several times in the same environment as yours, following the steps above,
    and found that Apache still uses OpenSSL 1.0.1e
    Server: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips

    1. The above did not verify which OpenSSL version httpd ends up using; I'll look into it when I find time

    2. I've added a test above. May I ask how you tested?

  2. Thank you for taking the time to test so quickly
    In my environment `openssl version` also reports OpenSSL 1.1.0c
    but httpd ends up still using OpenSSL 1.0.1e
    Your way of testing is probably better; the methods I tried haphazardly are as follows
    1. Check error_log, which shows
    Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips configured
    2. strings mod_ssl.so|grep OpenSSL shows
    OpenSSL 1.0.1e 11 Feb 2013
    3. Open httpd's port 80, telnet Target_IP 80,
    type a few random characters and press Enter; it will display
    Server: Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips

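The installation procedure at the top of the post and the checks in the second comment both come down to one question: which OpenSSL did mod_ssl.so actually get linked against? The following script is an added example, not code from the original post or its commenters. It turns the commenters' banner checks (error_log, strings mod_ssl.so, the Server header) into functions, adds an ldd check of the runtime libraries, and also checks /etc/ld.so.conf for the typographic quotes that the post's original echo line would have written into it (ldconfig would then search for a directory that does not exist). The install prefix /usr/local/apache2 and the expected version 1.1.0c are taken from the post; everything else is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post or its comments.
# Assumed paths: the post's install prefix /usr/local/apache2 and /etc/ld.so.conf.

# Pull the version out of a banner such as
#   "Apache/2.4.25 (Unix) OpenSSL/1.0.1e-fips configured"   (error_log / Server header)
#   "OpenSSL 1.1.0c  10 Nov 2016"                             (strings mod_ssl.so, openssl version)
# Prints e.g. "1.0.1e"; prints nothing when no OpenSSL banner is present.
openssl_version_in_banner() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL[/ ]\([0-9][0-9A-Za-z.]*\).*|\1|p'
}

# Succeed only when the banner's version equals the expected one ($2, e.g. 1.1.0c).
linked_openssl_matches() {
    _v=$(openssl_version_in_banner "$1")
    [ -n "$_v" ] && [ "$_v" = "$2" ]
}

# The post's echo line originally used typographic quotes, so the path written
# into ld.so.conf would contain them and ldconfig would look for a directory that
# does not exist. Succeed when the file ($1) contains either quote character
# (U+201C / U+201D, given here as UTF-8 octal escapes).
ldsoconf_has_curly_quotes() {
    LC_ALL=C grep -q -e "$(printf '\342\200\234')" -e "$(printf '\342\200\235')" "$1"
}

# Inspect a live build: which libssl/libcrypto the module resolves to at run time,
# and which OpenSSL it was compiled against. Both must say 1.1.0c for the rebuild
# to have taken effect; a 1.0.1e answer means the yum library was still picked up.
check_live_httpd() {
    _mod=/usr/local/apache2/modules/mod_ssl.so
    _expected=${1:-1.1.0c}
    [ -r "$_mod" ] || { echo "no mod_ssl.so at $_mod"; return 2; }
    echo "runtime libraries:"
    ldd "$_mod" | grep -E 'libssl|libcrypto'
    _banner=$(strings "$_mod" | grep -m 1 '^OpenSSL [0-9]')
    echo "compiled against: $_banner"
    if linked_openssl_matches "$_banner" "$_expected"; then
        echo "OK: mod_ssl.so uses OpenSSL $_expected"
    else
        echo "MISMATCH: expected OpenSSL $_expected"
        return 1
    fi
    if [ -r /etc/ld.so.conf ] && ldsoconf_has_curly_quotes /etc/ld.so.conf; then
        echo "WARNING: /etc/ld.so.conf contains curly quotes; fix the path and rerun ldconfig"
        return 1
    fi
}

# Run the live check only when explicitly asked (sh check.sh live [version]),
# so the functions above can also be sourced from another script.
if [ "${1:-}" = "live" ]; then
    check_live_httpd "${2:-1.1.0c}"
fi
```

Run it as `sh check.sh live` on the CentOS box after the second `make install`. If ldd or the embedded banner still reports 1.0.1e, the rebuild did not pick up the new library: httpd's configure accepts `--with-ssl=DIR` to point the build at a specific OpenSSL installation, and the post's second configure run does not pass it, which is consistent with what the commenters observed.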