
HTTP Error Messages

Recently the HTTP service inexplicably failed to start, so I checked the httpd error log.

# cat /var/log/httpd/error_log
[Thu May 19 23:27:57 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 19 23:27:57 2016] [error] Certificate not verified: 'Server-Cert'
[Thu May 19 23:27:57 2016] [error] SSL Library Error: -8181 Certificate has expired
[Thu May 19 23:27:57 2016] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

Hmm! I looked it up online, and it appears to be an NSS-related error. So what is NSS?

Network Security Services (NSS)
mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.

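The gist is that NSS is used in place of SSL. I did not seem to have configured either SSL or NSS, but it turns out NSS is enabled by default. Its validity period is 4 years, so if it is left alone it expires after 4 years and the HTTP service can no longer start.

The temporary workaround found online is to set NSSEngine off (the default is on) in /etc/httpd/conf.d/nss.conf and then restart the service.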

# vi /etc/httpd/conf.d/nss.conf

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
NSSEngine off

# service httpd restart

The NSS validity period can be checked with the following command.

# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Thu Aug 08 10:24:03 2013
            Not After : Tue Aug 08 10:24:03 2017
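
The expiry query above can be turned into a check that warns before the certificate lapses. This is an added example, not part of the original post; the function names, the 30-day threshold and the exit codes are assumptions, and it relies on GNU date and treats the timestamps as UTC.

```shell
#!/bin/sh
# Added example (not from the original post): report how long an NSS server
# certificate has left, from the "Not After" line that certutil prints.
# Assumptions: GNU date is available; timestamps are treated as UTC.
# Live use: expiry_status "$(certutil -d /etc/httpd/alias -L -n Server-Cert)" 30

# Constructed sample in the certutil output format shown above.
SAMPLE_OUTPUT='Certificate:
    Data:
        Validity:
            Not Before: Thu Aug 08 10:24:03 2013
            Not After : Tue Aug 08 10:24:03 2017'

# Print the "Not After" timestamp found in certutil output on stdin.
not_after() {
    sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*//p' | head -n 1
}

# secs_left "<certutil output>" [<reference date>]: seconds until expiry.
secs_left() {
    expiry=$(printf '%s\n' "$1" | not_after)
    [ -n "$expiry" ] || { echo "no Not After line found" >&2; return 3; }
    exp_s=$(date -u -d "$expiry" +%s) || return 3
    ref_s=$(date -u -d "${2:-now}" +%s) || return 3
    echo $(( exp_s - ref_s ))
}

# expiry_status "<certutil output>" <warn_days> [<reference date>]
# Exit status: 0 OK, 1 inside the warning window, 2 expired, 3 parse error.
expiry_status() {
    left=$(secs_left "$1" "${3:-now}") || return 3
    days=$(( left / 86400 ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED $(( -days )) days ago"; return 2
    elif [ "$days" -lt "$2" ]; then
        echo "WARNING $days days left"; return 1
    fi
    echo "OK $days days left"
}

# Demo on the sample with a fixed reference date.
expiry_status "$SAMPLE_OUTPUT" 30 "2017-07-20 00:00:00" || true
```

Run from cron, the non-zero exit status can drive an alert well before httpd refuses to start.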

The real fix is to set the NSS validity period again; see the certutil usage documentation.
https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
