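The site currently runs on an IDC virtual server, but I was told that a CentOS upgrade or reinstall is not possible.
So, to apply SSL in its current state, I set it up on a VM, tested as I went, and had a certificate issued.
Just when I thought it was all done, an error started occurring.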
[info] Loading certificate & private key of SSL-aware server '도메인.kr:443'
[error] Init: Private key not found
[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
* The key path and permissions are all correct.
* I also tried having the certificate reissued.
I would like help figuring out what the problem is.
* Server configuration
[root@]# httpd -v
Server version: Apache/2.2.3
Server built: Jul 23 2014 10:09:41
openssl upgrade
[root@]# openssl version
OpenSSL 1.0.2u 20 Dec 2019
curl upgrade
[root@]# curl -V
curl 7.76.1 (x86_64-pc-linux-gnu) libcurl/7.76.1 OpenSSL/1.0.2u zlib/1.2.3
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets
yum install mod_ssl
Download the CA certificate bundle:
curl -k --remote-name https://curl.se/ca/cacert.pem
Copy the downloaded CA certificate:
cp cacert.pem /etc/pki/tls/certs/
curl -k https://get.acme.sh | sh
mkdir -p /var/www/html/.well-known/acme-challenge
acme.sh --set-default-ca --server letsencrypt
acme.sh --register-account -m 이메일@등록
acme.sh --issue -d 도메인.kr -d www.도메인.kr -w /var/www/html
[root@localhost .acme.sh]# acme.sh --issue -d 도메인.kr -d www.도메인.kr -w /var/www/html
[Sun Jan 7 09:26:11 KST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sun Jan 7 09:26:11 KST 2024] Creating domain key
[Sun Jan 7 09:26:11 KST 2024] The domain key is here: /root/.acme.sh/도메인.kr_ecc/도메인.kr.key
[Sun Jan 7 09:26:11 KST 2024] Multi domain='DNS:도메인.kr,DNS:www.도메인.kr'
[Sun Jan 7 09:26:11 KST 2024] Getting domain auth token for each domain
[Sun Jan 7 09:26:17 KST 2024] Getting webroot for domain='도메인.kr'
[Sun Jan 7 09:26:17 KST 2024] Getting webroot for domain='www.도메인.kr'
[Sun Jan 7 09:26:17 KST 2024] 도메인.kr is already verified, skip http-01.
[Sun Jan 7 09:26:17 KST 2024] www.도메인.kr is already verified, skip http-01.
[Sun Jan 7 09:26:17 KST 2024] Verify finished, start to sign.
[Sun Jan 7 09:26:17 KST 2024] Lets finalize the order.
[Sun Jan 7 09:26:17 KST 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1502117196/234786164176'
[Sun Jan 7 09:26:21 KST 2024] Downloading cert.
[Sun Jan 7 09:26:21 KST 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/040217d5eaa65b17f80f479037263aa1a571'
[Sun Jan 7 09:26:22 KST 2024] Cert success.
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
[Sun Jan 7 09:26:22 KST 2024] Your cert is in: /root/.acme.sh/도메인.kr_ecc/도메인.kr.cer
[Sun Jan 7 09:26:22 KST 2024] Your cert key is in: /root/.acme.sh/도메인.kr_ecc/도메인.kr.key
[Sun Jan 7 09:26:22 KST 2024] The intermediate CA cert is in: /root/.acme.sh/도메인.kr_ecc/ca.cer
[Sun Jan 7 09:26:22 KST 2024] And the full chain certs is there: /root/.acme.sh/도메인.kr_ecc/fullchain.cer
[root@localhost .acme.sh]# acme.sh --install-cert -d 도메인.kr -d www.도메인.kr \
> --cert-file /etc/httpd/conf.d/sslkey/도메인.kr.cer \
> --key-file /etc/httpd/conf.d/sslkey/도메인.kr.key \
> --fullchain-file /etc/httpd/conf.d/sslkey/fullchain.cer
[Sun Jan 7 09:26:29 KST 2024] The domain '도메인.kr' seems to have a ECC cert already, lets use ecc cert.
[Sun Jan 7 09:26:29 KST 2024] Installing cert to: /etc/httpd/conf.d/sslkey/도메인.kr.cer
[Sun Jan 7 09:26:29 KST 2024] Installing key to: /etc/httpd/conf.d/sslkey/도메인.kr.key
[Sun Jan 7 09:26:29 KST 2024] Installing full chain to: /etc/httpd/conf.d/sslkey/fullchain.cer
/etc/httpd/conf.d/ssl.conf
DocumentRoot "/var/www/html"
ServerName 도메인.kr
SSLEngine on
SSLProtocol all -SSLv2
SSLCertificateFile /etc/httpd/conf.d/sslkey/도메인.kr.cer
SSLCertificateKeyFile /etc/httpd/conf.d/sslkey/도메인.kr.key
SSLCertificateChainFile /etc/httpd/conf.d/sslkey/fullchain.cer
SSLOptions +StdEnvVars
SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
service httpd restart
ssl_error.log
[info] Loading certificate & private key of SSL-aware server '도메인.kr:443'
[error] Init: Private key not found
[error] SSL Library Error: 218710120 error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag
[error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
[error] SSL Library Error: 218734605 error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
SSLCertificateKeyFile /etc/httpd/conf.d/sslkey/도메인.kr.key
SSLCertificateChainFile /etc/httpd/conf.d/sslkey/fullchain.cer
Do the files you registered actually exist there??
It says the file is missing..
That error is thrown because it isn't there...
On CentOS 6.8, after upgrading openssl I only installed ssl_mod,
created a Let's Encrypt certificate with acme.sh and registered just the key paths, and it worked fine.
I will check once more.
If a certificate that was issued & installed properly behaves like that, it is because Apache itself is too old, so please upgrade the version (the version you get from packages is all too predictable, so you will have to compile it yourself).
When compiling, rather than loading the OS's SSL library as a shared library, I recommend, if possible, pointing the build at the source as well and building the latest version in (serving with such an ancient version means far too many vulnerabilities, and the error may not get resolved either).
I will try a test with a source build.
[root@localhost extra]# /usr/local/apache2/bin/httpd -v
Server version: Apache/2.2.26 (Unix)
[notice] Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.2u configured -- resuming normal operations
After a test install of Apache/2.2.26, I confirmed that SSL is applied normally.
Thank you for the answers.
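An added diagnostic, not part of the thread: it assumes the load failure comes from the ECC key that the acme.sh log shows being issued (the _ecc directory), and that mod_ssl can load EC keys only from httpd 2.2.26 onward, which is consistent with the 2.2.26 test build working. The function names key_kind, httpd_loads_ec and preflight are hypothetical, and the sample keys are constructed.

```shell
# Added example: pre-flight check for SSLCertificateKeyFile on old httpd builds.
# Assumption: mod_ssl loads EC private keys only from httpd 2.2.26 onward.

# Print the key type implied by the first PEM private-key header in file $1.
key_kind() {
    [ -r "$1" ] || { echo missing; return 0; }
    hdr=$(grep -m1 -e '-----BEGIN .*PRIVATE KEY-----' "$1") || { echo unknown; return 0; }
    case $hdr in
        *'BEGIN EC PRIVATE KEY'*)        echo ec ;;
        *'BEGIN RSA PRIVATE KEY'*)       echo rsa ;;
        *'BEGIN DSA PRIVATE KEY'*)       echo dsa ;;
        *'BEGIN ENCRYPTED PRIVATE KEY'*) echo pkcs8-encrypted ;;
        *'BEGIN PRIVATE KEY'*)           echo pkcs8 ;;
        *)                               echo unknown ;;
    esac
}

# Succeed if httpd version $1 (as in "Server version: Apache/2.2.3") is >= 2.2.26.
httpd_loads_ec() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    maj=${1:-0} min=${2:-0} pat=${3:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 2 ] && [ "$pat" -ge 26 ] && return 0
    return 1
}

# Print a verdict for key file $1 when it is served by httpd version $2.
preflight() {
    kind=$(key_kind "$1")
    case $kind in
        missing|unknown) echo "FAIL: no readable PEM private key in $1" ;;
        pkcs8*) echo "CHECK: PKCS#8 wrapper, inspect with: openssl pkey -in $1 -noout -text" ;;
        ec) httpd_loads_ec "$2" && { echo "OK: ec key, httpd $2"; return 0; }
            echo "FAIL: ec key, httpd $2 is older than 2.2.26" ;;
        *)  echo "OK: $kind key, httpd $2" ;;
    esac
}

# Constructed sample keys: real PEM headers, placeholder bodies.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'AAAA' '-----END EC PRIVATE KEY-----' > "$d/ec.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/rsa.key"
    for v in 2.2.3 2.2.26; do preflight "$d/ec.key" "$v"; preflight "$d/rsa.key" "$v"; done
    rm -rf "$d"
}
demo
```

On the server from the question the call would be preflight /etc/httpd/conf.d/sslkey/도메인.kr.key 2.2.3, run before restarting httpd.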