Apache fails to start because of "SSL Library Certificate has expired"; reportedly without modifying any of the config


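Today I got a call from a long-time user saying that an Apache (httpd) service that had been running all along suddenly would not start. Reportedly no configuration file had been modified; the service simply failed to come up after the machine was rebooted the previous night. For this kind of problem, the first things to check are the system and service logs, but neither messages nor error.log under httpd showed any error. Adding the -x debugging flag to the httpd service showed that it was the httpd execution itself that failed, which made me suspect one of the extra Apache modules. After moving all the files out of /etc/httpd/conf.d, the httpd service started normally. Eliminating them one by one showed that the nss.conf configuration was the cause. Judging by its modification time, however, that file had not been changed recently; like the other configuration files, it still carried the timestamp from when the system was first installed.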

Checking the service logs again, /var/log/httpd/nss_error_log contained the following errors:

[Thu Feb 07 05:17:42 2013] [error] Certificate not verified: 'Server-Cert'
[Thu Feb 07 05:17:42 2013] [error] SSL Library Error: -8181 Certificate has expired
[Thu Feb 07 05:17:42 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

So the certificate has expired.

1. Problem analysis

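The log above already points out that adding NSSEnforceValidCerts off, which disables certificate verification, avoids the problem; in the log's own words, it lets the server start "until the problem can be resolved". I confirmed that this works. But first, what is the mod_nss module for?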

# rpm -qi mod_nss
The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library.

And how long is the certificate valid for? (4 years)

# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Dec 01 10:43:20 2008
            Not After : Sat Dec 01 10:43:20 2012

It is generated when the mod_nss package is installed:

# rpm -q mod_nss --scripts
postinstall scriptlet (using /bin/sh):
umask 077

if [ "$1" -eq 1 ] ; then
    if [ ! -e /etc/httpd/alias/key3.db ]; then
        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
        echo ""
        echo "mod_nss certificate database generated."
        echo ""
    fi
fi

# cd /etc/httpd/alias
# rm -f *.db
# /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Thu Feb 07 07:02:53 2013
            Not After : Tue Feb 07 07:02:53 2017
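
The regenerated certificate is again valid for only four years, so the same startup failure will return unless the expiry date is watched. The following is an added example, not part of the original post: it parses the `certutil -L -n` output shown above and classifies the certificate; the function names, the 30-day warning window and the treatment of certutil's times as UTC are assumptions, and the embedded sample is constructed from the first certutil listing on this page.

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Constructed sample: Validity block from the first certutil listing above.
SAMPLE = """\
Certificate:
    Data:
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Mon Dec 01 10:43:20 2008
            Not After : Sat Dec 01 10:43:20 2012
"""

FIELD = re.compile(r"^\s*Not (Before|After)\s*:\s*(.+?)\s*$", re.M)
TIME_FMT = "%a %b %d %H:%M:%S %Y"

def parse_validity(text):
    """Return (not_before, not_after) from `certutil -L -n` output."""
    found = {}
    for name, value in FIELD.findall(text):
        # Assumption: certutil prints these timestamps in UTC.
        stamp = datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)
        found.setdefault(name, stamp)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in certutil output")
    return found["Before"], found["After"]

def check(text, now, warn_days=30):
    """Return (status, not_after); status is one of
    'not-yet-valid', 'expired', 'expiring', 'ok'."""
    not_before, not_after = parse_validity(text)
    if now < not_before:
        return "not-yet-valid", not_after
    if now >= not_after:
        return "expired", not_after
    if not_after - now <= timedelta(days=warn_days):
        return "expiring", not_after
    return "ok", not_after

def read_cert(db="/etc/httpd/alias", nickname="Server-Cert"):
    """Run the same certutil query used on this page (needs certutil installed)."""
    cmd = ["certutil", "-d", db, "-L", "-n", nickname]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Evaluate the sample at the time of the failed start in nss_error_log.
    failed_start = datetime(2013, 2, 7, 5, 17, 42, tzinfo=timezone.utc)
    status, not_after = check(SAMPLE, failed_start)
    print(status, not_after.isoformat())
```

On a live host, pass `read_cert()` and `datetime.now(timezone.utc)` to `check()` from a scheduled job and alert on any status other than `ok`.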
