CentOS 5.8 ssl Àû¿ë ¹®Á¦

   Á¶È¸ 1423   Ãßõ 0    

쪽팔리면 질문하지 맙시다. 소중한 답변 댓글을 삭제하는건 부끄러운 일 입니다 

현재 idc 가상 서버에 올려져 있지만 centos 업그레이드 재설치가 불가하다는 답변을 받았습니다.

그래서 현재 상태에 ssl을 적용하려고 vm에 올려서 테스트를 해가면서 인증서 발급받아서

이제 다 됐구나 했는데 에러가 발생하고 있습니다.


[info] Loading certificate & private key of SSL-aware server '도메인.kr:443'

[error] Init: Private key not found

[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag

[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib


* 키 경로 및 권한은 모두 정상입니다.

* 인증서 재발급도 받아 봤습니다.


뭐가 문제인지 도움을 받고 싶습니다.


* 서버 구성 정보

[root@]# httpd -v

Server version: Apache/2.2.3

Server built:   Jul 23 2014 10:09:41


openssl 업그레이드

[root@]# openssl version

OpenSSL 1.0.2u  20 Dec 2019


curl 업그레이드

[root@]# curl -V

curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.0.2u zlib/1.2.3

Release-Date: 2021-04-14

Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp

Features: alt-svc AsynchDNS HTTPS-proxy Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets


yum install mod_ssl


CA 인증서 번들 다운로드:

    curl -k --remote-name https://curl.se/ca/cacert.pem

다운로드한 CA 인증서 복사:

    cp cacert.pem /etc/pki/tls/certs/


curl -k https://get.acme.sh | sh


mkdir -p /var/www/html/.well-known/acme-challenge


acme.sh --set-default-ca --server letsencrypt


acme.sh --register-account -m 이메일@등록


acme.sh --issue -d 도메인.kr -d www.도메인.kr -w /var/www/html


[root@localhost .acme.sh]# acme.sh --issue -d 도메인.kr -d www.도메인.kr -w /var/www/html

[Sun Jan  7 09:26:11 KST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory

[Sun Jan  7 09:26:11 KST 2024] Creating domain key

[Sun Jan  7 09:26:11 KST 2024] The domain key is here: /root/.acme.sh/도메인.kr_ecc/도메인.kr.key

[Sun Jan  7 09:26:11 KST 2024] Multi domain='DNS:도메인.kr,DNS:www.도메인.kr'

[Sun Jan  7 09:26:11 KST 2024] Getting domain auth token for each domain

[Sun Jan  7 09:26:17 KST 2024] Getting webroot for domain='도메인.kr'

[Sun Jan  7 09:26:17 KST 2024] Getting webroot for domain='www.도메인.kr'

[Sun Jan  7 09:26:17 KST 2024] 도메인.kr is already verified, skip http-01.

[Sun Jan  7 09:26:17 KST 2024] www.도메인.kr is already verified, skip http-01.

[Sun Jan  7 09:26:17 KST 2024] Verify finished, start to sign.

[Sun Jan  7 09:26:17 KST 2024] Lets finalize the order.

[Sun Jan  7 09:26:17 KST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1502117196/234786164176'

[Sun Jan  7 09:26:21 KST 2024] Downloading cert.

[Sun Jan  7 09:26:21 KST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/040217d5eaa65b17f80f479037263aa1a571'

[Sun Jan  7 09:26:22 KST 2024] Cert success.

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

[Sun Jan  7 09:26:22 KST 2024] Your cert is in: /root/.acme.sh/도메인.kr_ecc/도메인.kr.cer

[Sun Jan  7 09:26:22 KST 2024] Your cert key is in: /root/.acme.sh/도메인.kr_ecc/도메인.kr.key

[Sun Jan  7 09:26:22 KST 2024] The intermediate CA cert is in: /root/.acme.sh/도메인.kr_ecc/ca.cer

[Sun Jan  7 09:26:22 KST 2024] And the full chain certs is there: /root/.acme.sh/도메인.kr_ecc/fullchain.cer

[root@localhost .acme.sh]# acme.sh --install-cert -d 도메인.kr -d www.도메인.kr \

>   --cert-file /etc/httpd/conf.d/sslkey/도메인.kr.cer \

>   --key-file /etc/httpd/conf.d/sslkey/도메인.kr.key \

>   --fullchain-file /etc/httpd/conf.d/sslkey/fullchain.cer

[Sun Jan  7 09:26:29 KST 2024] The domain '도메인.kr' seems to have a ECC cert already, lets use ecc cert.

[Sun Jan  7 09:26:29 KST 2024] Installing cert to: /etc/httpd/conf.d/sslkey/도메인.kr.cer

[Sun Jan  7 09:26:29 KST 2024] Installing key to: /etc/httpd/conf.d/sslkey/도메인.kr.key

[Sun Jan  7 09:26:29 KST 2024] Installing full chain to: /etc/httpd/conf.d/sslkey/fullchain.cer


/etc/httpd/conf.d/ssl.conf


DocumentRoot "/var/www/html"

ServerName 도메인.kr

SSLEngine on

SSLProtocol all -SSLv2

SSLCertificateFile /etc/httpd/conf.d/sslkey/도메인.kr.cer

SSLCertificateKeyFile /etc/httpd/conf.d/sslkey/도메인.kr.key

SSLCertificateChainFile /etc/httpd/conf.d/sslkey/fullchain.cer


    SSLOptions +StdEnvVars



    SSLOptions +StdEnvVars


SetEnvIf User-Agent ".*MSIE.*" \

         nokeepalive ssl-unclean-shutdown \

         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \

          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"




service httpd restart


ssl_error.log

[info] Loading certificate & private key of SSL-aware server '도메인.kr:443'

[error] Init: Private key not found

[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag

[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag

[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib

ªÀº±Û Àϼö·Ï ½ÅÁßÇÏ°Ô.
     
Á¦·Î¼¶ 01-07
´äº¯ °¨»çÇÕ´Ï´Ù. Çѹø È®ÀÎÇغ¸°Ú½À´Ï´Ù.
SSLCertificateFile /etc/httpd/conf.d/sslkey/µµ¸ÞÀÎ.kr.cer
SSLCertificateKeyFile /etc/httpd/conf.d/sslkey/µµ¸ÞÀÎ.kr.key
SSLCertificateChainFile /etc/httpd/conf.d/sslkey/fullchain.cer

µî·ÏÇÑ ÆÄÀϵéÀÌ Á¤È®È÷ ÀÖ³ª¿ä??
ÆÄÀÏÀÌ ¾ø´Ù°í Çϴµ¥..
     
Á¦·Î¼¶ 01-07
´äº¯ °¨»çÇÕ´Ï´Ù. ½ÇÁ¦·Î Å°´Â Á¤È®ÇÏ°Ô °æ·Î¿¡ Á¸ÀçÇÕ´Ï´Ù.
¼úÀÌ 01-07
private.key ¸¸µé¾îÁà¾ß Çϴµ¥ ¾È¸¸µç°Å °°Àºµ¥¿ä.
±×°Å ¾ø´Ù°í ¿À·ù »Õ´Â°Çµ¥...
     
Á¦·Î¼¶ 01-07
´äº¯ °¨»çÇÕ´Ï´Ù.
centos 6.8¿¡¼­´Â openssl ¾÷±×·¹À̵å ÈÄ ssl_mod¸¸ ¼³Ä¡ÇÏ°í
acme.sh·Î let's encrypt ÀÎÁõ¼­ ¸¸µé°í Å° °æ·Î¸¸ µî·ÏÇߴ´ë Àß µÇ¾ú½À´Ï´Ù.
Çѹø ´õ È®ÀÎÇغ¸°Ú½À´Ï´Ù.
dateno1 01-07
ÀÏ´Ü ´Ù¸¥ÄÄ¿¡¼­ ÇØ´ç ÀÎÁõ¼­°¡ ¸ÖÂÄÇÑÁö Á¡°ËÇغ¸¼¼¿ä (ÀÌ¿Ü¿¡ ¼³Á¤´ë·Î ÆÄÀÏÀÌ Á¦´ë·Î Á¸ÀçÇÏ°í, ¼ÒÀ¯±ÇÀ̶û Á¢±Ù ±ÇÇÑ Á¦´ë·Î ¼³Á¤µÇ¾ú´ÂÁö È®Àεµ Çغ¸¼¼¿ä)

¸ÖÂÄÇÏ°Ô ¹ß±Þ&¼³Ä¡µÈ ÀÎÁõ¼­°¡ Àú·±´Ù¸é ¾ÆÆÄÄ¡ÀÚü°¡ ³Ê¹« ³°¾Æ¼­ ±×·¯´Â°Å´Ï ¹öÀüÀ» ¿Ã·ÁÁÖ¼¼¿ä (ÆÐÅ°Áö·Î Á¦°øµÇ´Â°É·Ð ¹öÀüÀÌ ³Ê¹« »·ÇÏ´Ï Á÷Á¢ ÆÐÅ°Áö¸¦ ÄÄÆÄÀÏÇØ¾ß ÇÒ²®´Ï´Ù)

ÆÐÅ°Áö ÄÄÆÄÀÏÇÒ¶§ SSL Library OSÀÇ ¶óÀ̺귯¸®¸¦ shared·Î Àоî¿À´Â°Ô ¾Æ´Ï¶ó °¡´ÉÇÏ´Ù¸é ¼Ò½º¸¦ °°ÀÌ ÁöÁ¤Çؼ­ ÃֽŹöÀüÀ» ³»Àå½ÃÅ°´Â°É ÃßõÇÕ´Ï´Ù (Àú·± °í´ë ¹öÀüÀ¸·Î ¼­ºñ½º Á¦°øÇϸé Ãë¾àÁ¡ÀÌ ³Ê¹« ¸¹°í, ¿¡·¯°¡ ÇØ°á ¾È µÉ °¡´É¼ºµµ ÀÖ½À´Ï´Ù)
Á¦·Î¼¶ 01-07
´äº¯ °¨»çÇÕ´Ï´Ù.
¼Ò½º ÄÄÆÄÀÏ¿¡¼­ Å×½ºÆ®¸¦ Çѹø Çغ¸°Ú½À´Ï´Ù.
Á¦·Î¼¶ 01-07
./configure --enable-ssl --enable-so --with-included-apr --with-ssl=/usr/local/openssl --prefix=/usr/local/apache2 --enable-rewrite
[root@localhost extra]# /usr/local/apache2/bin/httpd -v
Server version: Apache/2.2.26 (Unix)
[notice] Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.2u configured -- resuming normal operations
Apache/2.2.26À¸·Î Å×½ºÆ® ¼³Ä¡ ÈÄ Á¤»óÀûÀ¸·Î sslÀÌ Àû¿ëµÇ´Â °ÍÀ» È®ÀÎÇß½À´Ï´Ù.
´äº¯ °¨»çÇÕ´Ï´Ù.
     
dateno1 01-07
--with-ssl ÁöÁ¤ÇÒ‹š ½Ã½ºÅÛ °æ·Î¸¦ ÁöÁ¤ÇÏ´Â°Ô ¾Æ´Ï¶ó ¹Ì¸® ºôµåÇصРOpenSSLÀÇ ¶óÀ̺귯¸® °æ·Î·Î ÁöÁ¤ÇÏ¸é ½Ã½ºÅÛ ¹öÀüº¸´Ù ³ôÀº ¹öÀü ÁöÁ¤ °¡´ÉÇÕ´Ï´Ù


QnA
Á¦¸ñPage 129/5680
2014-05   4945211   Á¤ÀºÁØ1
2015-12   1481912   ¹é¸Þ°¡
02-20   1095   °ø¾ËÀÌ
02-19   1360   Á¤¹«Çö
02-19   1773   samsss
02-19   1757   ¹Ì´ã
02-19   1274   ¹Ì¿ìÁö½Ã¾ð
02-19   993   ÇÁ¶óÀÓ½ºÅæ
02-19   1548   ÁÒ½´¾Æ
02-19   1449   Ç×°ø¸ðÇÔ
02-19   998   samsss
02-19   1297   ½´ÆÛÀ¯¸ÁÁÖ
02-19   997   L2½ºÀ§Ä¡
02-19   1739   noName0070
02-19   1218   ¼­¿ï»ç¶÷
02-19   1454   ¸¶Áö¸·¼¼´ë
02-19   1229   CW33300
02-18   1295   ȸ»ó2
02-18   1806   ¿ì·Ú¸Ç
02-18   1975   ÇÚÁî
02-18   1512   ÀüÀÏÀå
02-18   1844   ¼þ±¸¸®´ç´ç