解决一次由于SSL证书到期导致的网站不能访问的问题(Nginx,php,Apache)

1. 现象

放假期间收到zabbix报警,提示主站访问不了,报502。

 

2.排查思路及过程

因为是过年休息,放假前又没有更新,基本可以排除是更新和配置导致的问题。ssh连上服务器发现服务器连接和资源都没问题。这是一套lnamp架构的网站,就是nginx反向代理到Apache,所以考虑是Apache的问题,于是重启httpd服务。

 

重启httpd服务的时候启动失败,没有看到错误,所以去查看日志文件,看到如下报错:

tail -200/var/log/httpd/error_log

[TIME2016][error]SSLLibraryError:-8181Certificatehasexpired
[TIME2016][error]Unabletoverifycertificate'Server-Cert'.Add"NSSEnforceValidCertsoff"tonss.confsotheservercanstartuntiltheproblemcanberesolved.

可以看到是证书过期了,并且给出了一种解决方法是添加‘NSSEnforceValidCerts off’到nss.conf服务器就可以启动,就是不验证证书过期时间。

 

Apache是用https需要mod_nss的模块支持,我的理解就是使用https需要安装mod_nss,下面给一个官方说明:

The mod_nss module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols using the Network Security Services (NSS) security library.

 

我的解决方法是重新生成新的证书

cd /etc/httpd/alias
#删除旧的证书
rm -f*.db
#创建新证书
gencert /etc/httpd/alias
#查看证书信息
[root@k3s-node1 yum.repos.d]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Sat Jun 01 09:39:47 2019
            Not After : Thu Jun 01 09:39:47 2023
        Subject: "CN=k8s.gcr.io,O=example.com,C=US"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d9:db:af:80:13:d6:0e:76:89:6e:a5:37:53:1c:3c:aa:
                    b0:59:cd:05:15:5c:b7:46:7c:b3:1b:84:5b:19:bd:3f:
                    85:c5:99:89:3f:4c:5d:67:1e:fe:2e:de:9b:e7:5b:d9:
                    15:a2:e8:e5:19:6d:cb:05:93:ed:f1:94:de:4e:cd:3d:
                    34:bc:b9:85:2c:fe:8f:9a:dd:a9:04:73:15:ab:04:f5:
                    21:bb:ce:7d:51:6f:2d:89:fa:25:df:82:1f:0d:24:64:
                    28:95:e1:b6:be:e6:7a:5a:33:90:6e:11:b3:ae:e3:8c:
                    57:47:ad:ff:58:e3:4e:23:ec:86:d6:ea:3c:73:13:b4:
                    72:46:0f:cb:f9:d7:f5:ae:39:c3:e6:09:f5:d7:4d:d5:
                    11:45:07:b6:9a:11:ff:74:6a:fe:7b:1e:47:5e:e6:71:
                    0b:3e:6e:46:95:08:2a:40:bc:18:5c:33:b2:d0:68:1f:
                    75:12:6a:0f:9c:c4:85:84:a5:1a:eb:92:26:f8:39:eb:
                    9d:f5:cd:c4:cf:2b:83:f3:c5:02:29:6d:a8:0f:58:f2:
                    5c:83:7a:89:13:3b:33:16:86:34:38:ad:0d:32:f0:3f:
                    8e:77:bf:2f:ec:e1:45:39:b9:ed:8c:b7:4a:0c:8a:ab:
                    d3:2d:a5:8e:41:9f:70:bf:21:f3:3f:eb:e4:fa:21:fb
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Subject Alt Name
            DNS name: "k8s.gcr.io"

            Name: Certificate Type
            Data: 

            Name: Certificate Key Usage
            Usages: Key Encipherment

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        37:a7:7f:6d:8a:b5:92:46:0f:dc:6c:92:82:f3:21:47:
        b4:5e:e1:5c:4e:37:fa:cb:ad:c5:d3:8a:7e:90:7d:d4:
        d0:2a:28:77:d4:d4:9f:f1:a9:cf:e5:c4:be:bf:99:5c:
        76:ce:33:bc:62:af:7a:fb:95:30:02:00:e5:32:f1:c1:
        27:3c:21:78:7f:25:1f:06:0d:7a:35:8d:b3:33:a5:f1:
        56:a5:12:96:6c:55:7e:ec:25:e5:16:1d:20:c0:5c:99:
        de:c0:6d:57:a0:b3:d1:70:53:a7:d9:f1:ce:ba:d8:1c:
        e6:8a:84:fc:6a:9c:fc:a3:56:b6:c9:c0:a1:16:30:18:
        9d:7e:9c:97:3a:82:96:89:91:39:ca:01:47:01:d6:36:
        f0:bb:b6:87:00:5d:a6:3a:9a:87:1e:79:d5:bb:e0:62:
        13:7b:c9:b4:24:39:e5:8f:ec:bc:a5:17:b7:01:67:0e:
        0d:b0:ea:c0:ad:48:87:b5:49:a9:54:ad:d2:64:cb:90:
        a6:78:1d:d3:95:b9:d4:0f:de:de:4e:81:ea:10:05:57:
        b2:38:c6:80:1f:64:6f:be:73:f0:b8:f3:52:75:a6:29:
        9a:22:ab:22:e3:d1:e4:b6:9f:61:00:4e:ff:66:8a:9a:
        f1:a8:38:ae:be:08:f9:a9:84:16:ff:bf:7a:94:37:f0
    Fingerprint (SHA-256):
        3F:6F:2E:EE:8D:BA:E4:B7:03:DF:DF:B0:31:84:51:9E:1A:E0:F3:7D:8F:B6:D4:E8:A4:E8:92:E1:53:8B:CC:EB
    Fingerprint (SHA1):
        21:DF:78:75:AF:71:40:68:CD:E7:27:27:71:67:E6:BB:F7:D2:7F:64

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

现在可以看到证书的有效期是4年,新生成的证书到2023年过期。httpd服务可以正常启动。

 

启动httpd服务后发现首页还是不能访问,可以确认服务都正常启动配置没有问题。继续查看httpd的错误日志发现了新的报错:

[TIME2016][error]SSLLibraryError:-8038SEC\_ERROR\_NOT\_INITIALIZED
[TIME2016][error]NSS_Initializefailed.Certificatedatabase:/etc/httpd/alias.

 

百度了下发现是权限问题,重新授下权搞定。

chown apache.apache/etc/httpd/alias/*.db

你可能感兴趣的:(NGINX,LINUX,apache,nginx,resin)