当前位置: 文江博客话题详情

安装SSL证书导致服务器重启失败

发布于 2025-01-03 19:05:02 字数 392 浏览 1 评论 0原文

我通过电子邮件收到了证书,然后创建了必要的文件并将其复制过来。我重新启动服务器并收到以下错误。

[Wed Feb 08 13:02:06 2012] [错误] Init:无法从文件 /home/sslcertificates/mydomain.crt 读取服务器证书 [Wed Feb 08 13:02:06 2012] [错误] SSL 库错误:218529960 错误:0D0680A8:asn1 编码例程:ASN1_CHECK_TLEN:标签错误 [Wed Feb 08 13:02:06 2012] [错误] SSL 库错误:218595386 错误:0D07803A:asn1 编码例程:ASN1_ITEM_EX_D2I:嵌套 asn1 错误

有人有任何想法吗?

原文

I received my certificate by email and then created the necessary files and copied it over. I went to restart my server and received the following errors.

[Wed Feb 08 13:02:06 2012] [error] Init: Unable to read server certificate from file /home/sslcertificates/mydomain.crt
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Wed Feb 08 13:02:06 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Does anyone have any ideas?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(10

榆西 2025-01-10 19:05:02

导致此错误消息的另一个可能的故障来源是:
我链接到了认证请求文件,而不是证书文件。
当你阅读文件的第一行时就可以识别:
要么

-----BEGIN CERTIFICATE REQUEST-----

要么

-----BEGIN CERTIFICATE-----

:-)

Another possible source of failure which causes this errror message is:
Instead of the certificate file I linked to the certification request file.
It's recognizable when you read the first line of the file:
Either

-----BEGIN CERTIFICATE REQUEST-----

Or

-----BEGIN CERTIFICATE-----

:-)

回复 原文
焚却相思 2025-01-10 19:05:02

情况:Apache 2.4 使用 StartSSL 证书生成 ASN 编码错误

问题:

AH02564: Failed to configure encrypted (?) private key <domain>.com:80:0, check /etc/pki/tls/certs/ssl.key

某些 SSL 颁发者默认加密 ssl 密钥文件,因此请确保在服务器上解密并从虚拟主机指向它。

只需回显密钥文件即可确保其未加密。

输入图片此处描述

解密 mod_ssl 的密钥文件

openssl rsa -in ssl.key -out ssl.key

对于 Apache conf (httpd.conf) 中的 SSL 配置,添加以下配置并重新启动 Apache。

输入图片此处描述

# SSL
<VirtualHost *:443>
    ServerName gajen.com
    SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key
    SSLCertificateFile /etc/pki/tls/certs/ssl.crt
    SSLCertificateChainFile /etc/pki/tls/certs/root.ca.pem
</VirtualHost>

故障排除:

  • 首先调试 Apache tail 50 /var/log/httpd/error_log
  • 调试 mod_ssl tail 50 /var/log/httpd/ssl_error_log

Situation: Apache 2.4 using the StartSSL cert generating ASN encoding error

Issue:

AH02564: Failed to configure encrypted (?) private key <domain>.com:80:0, check /etc/pki/tls/certs/ssl.key

Some SSL issuers encrypts the ssl key files by default so make sure decrypt it at the server and point it from Virtual Host.

Simply echo the key file to make sure it is not encrypted.

enter image description here

Decrypt the key file for the mod_ssl

openssl rsa -in ssl.key -out ssl.key

For SSL config in the Apache conf (httpd.conf) add the following configurations and restart the Apache.

enter image description here

# SSL
<VirtualHost *:443>
    ServerName gajen.com
    SSLCertificateKeyFile /etc/pki/tls/certs/ssl.key
    SSLCertificateFile /etc/pki/tls/certs/ssl.crt
    SSLCertificateChainFile /etc/pki/tls/certs/root.ca.pem
</VirtualHost>

For troubleshooting:

  • Debug the Apache first tail 50 /var/log/httpd/error_log
  • Debug the mod_ssl tail 50 /var/log/httpd/ssl_error_log
回复 原文
明月松间行 2025-01-10 19:05:02

就我而言,我混合了证书:SSLCertificateFile 具有 private_key,SSLCertificateKeyFile 具有 cert。

In my case I had the certificates mixed: SSLCertificateFile had the private_key and SSLCertificateKeyFile had the cert.

回复 原文
瘫痪情歌 2025-01-10 19:05:02

将其留在这里,因为这是第一次 google 搜索错误:当您安装新的密码保护证书并重新加载 apache 配置(而不是完全重新启动 apache)时,也可能会导致这种情况。重新加载本身不会引发任何错误,但也不会要求您输入密码,并且无法解密证书。

可以通过完全重新启动 apache 来解决该问题,这将要求您输入密码并允许您解密。

Leaving this here since it's the first google search for the error: This can also be caused when you install a new passphrase protected certificate and just reload the apache configuration (rather then restart apache completely). The reload itself will not throw any errors but it also will not ask for your passphrase and is unable to decrypt the certificate.

It can be resolved by restarting apache completely which will ask for the passphrase and allow you to decrypt.

回复 原文
樱桃奶球 2025-01-10 19:05:02

通过重新创建 *.key 文件并再次复制粘贴内容解决了问题。

Problem solved with recreate *.key file and copy-paste content again.

回复 原文
她如夕阳 2025-01-10 19:05:02

或者您需要先禁用旧密码自动输入。
评论规则如:

#SSLPassPhraseDialog exec:/etc/ssl/passphrase-script

Or you need before disable old password autoinput.
Comment rule like:

#SSLPassPhraseDialog exec:/etc/ssl/passphrase-script
回复 原文
奢望 2025-01-10 19:05:02

最近在 Apache 2.4 中安装 SSL 期间,我们遇到了同样的错误 - 'asn1 编码例程'

我们已正确放置所有文件并在 .conf 文件中正确指出它们。经过一天的故障排除,我们在获得证书后意识到问题不在于配置。

我们使用供应商内置系统创建了证书签名请求 (CSR)。这使我们能够粘贴我们创建的密钥。供应商返回的 SSL 证书应该映射此 CSR,该 CSR 已映射到我们的私钥。显然它不匹配。他们提供的 SSL 证书不会映射到 CSR。

可能的原因
由于 unix 行结尾(\n 而不是 \r\n)/编码(ANSI/UTF8)/预期新行,供应商端的 CSR 转换密钥是错误的。

我们使用 OpenSSL 自行创建 CSR,并绕过供应商 CSR 生成。 成功了。因此,在我们的例子中,使用 OpenSSL 创建密钥和相应的 CSR 并使用它来生成公共 SSL 是有效的。

OpenSSL 命令

openssl req -new -sha256 -key ~/site.com.ssl/site.com.key -out ~/site.com.ssl/site.com.csr

Recently during SSL installation in Apache 2.4, we faced the same error - 'asn1 encoding routines'

We had placed all the files correctly and pointed them correctly in the .conf file. After a day of troublshooting,we realized issue was not with the configuration after we got the certificate.

We created the Certificate Signing request (CSR) using our vendors inbuilt system. This allowed us to paste the key we created. The SSL certificate which vendor returned was supposed to map this CSR which was mapped to our private key. Apparently it did not match. The SSL certificate they provided does not map to the CSR.

Possible reason
The Key to CSR transformation is wrong at vendor side due to unix line endings (\n instead of \r\n) / encoding (ANSI/UTF8) / expected new lines .

We created CSR ourselves using OpenSSL, and bypassed vendor CSR generation. It worked. So, in our case, creating the key and corresponding CSR using OpenSSL and using that to generate the public SSL worked.

OpenSSL Command

openssl req -new -sha256 -key ~/site.com.ssl/site.com.key -out ~/site.com.ssl/site.com.csr
回复 原文
两相知 2025-01-10 19:05:02

我遇到这个问题是因为我收到了粘贴到电子邮件中的 IIS 样式 .p7b 文件的内容。它具有“-----BEGIN CERTIFICATE-----”和“-----END CERTIFICATE-----”标签,就像 .pem 一样,并且内容使用类似的 Base64 编码。我将其转换为 *.pem 文件,如下所示:

openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

之后,Apache 2.2 很高兴。

I had this problem because I was sent the content of an IIS-style .p7b file pasted into an email. It has "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, just like .pem, and the content uses a similar looking base64 encoding. I converted it to a *.pem file like so:

openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

After that, Apache 2.2 was happy.

回复 原文
智商已欠费 2025-01-10 19:05:02

(Linux解决方案)这已经发布了很久以前 - 但我有另一种方法来解决这个问题:通过编辑/etc/apache2.conf将错误日志记录更改为更详细的模式并找到此块:

#
# LogLevel: Control the severity of messages logged to the 
error_log. 
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

并将LogLevel更改为某些内容较低 - 我选择了trace1。然后重新启动 apache:

sudo service restart apache2

我收到了相同的错误消息,但是当我转到 /var/log/apache2/error.log 中的错误日志时,有更多错误消息可以帮助解决问题。我能够确定我将关键文件描述符指向了错误的文件。

请务必在故障排除后将 apache2.conf 更改回警告并重新启动 apache2 服务,以避免 error.log 文件变得太大。

(Linux Solution) This has been posted a long time ago - but I have another way to troubleshoot this problem: Change the error logging to a more verbose mode by editing /etc/apache2.conf and find this block:

#
# LogLevel: Control the severity of messages logged to the 
error_log. 
# Available values: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the log level for particular modules, e.g.
# "LogLevel info ssl:warn"
#
LogLevel warn

and change LogLevel to something lower - I chose trace1. Then restart apache:

sudo service restart apache2

I received the same error message but when I went to the error log in /var/log/apache2/error.log there were many more error messages to help troubleshoot the problem. I was able to determine I was pointing the key file descriptor to the wrong file.

Be sure to change the apache2.conf back to warn and restart the apache2 service after troubleshooting to avoid your error.log file from becoming too large.

回复 原文
南街九尾狐 2025-01-10 19:05:02

我刚刚遇到了类似的问题。

负责人给了我多个版本的证书。但是,我安装的证书以 -----BEGIN PKCS7----- 开头,以 -----END PKCS7-----

结尾 意识到这一点后,我搜索了以 ---- 开头的证书-BEGIN CERTIFICATE----- 并以 -----END CERTIFICATE----- 结尾

PKCS7 采用 Base64 编码。

I just faced a similar issue.

I was given multiple versions of the certificates by the person in charge of this. However, the certificate I installed started with -----BEGIN PKCS7----- and ended with -----END PKCS7-----

After realizing this, I searched for the one starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----

PKCS7 is Base64-encoded.

回复 原文
~没有更多了~

关于作者

情绪少女

暂无简介

文章
评论
28 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

檐前雨

文章 0 评论 0

鹿港巷口少年归

文章 0 评论 0

qq_32QL4xcD

文章 0 评论 0

sum_

文章 0 评论 0

DLL

文章 0 评论 0

唐婉

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文