Recently the HTTP service stopped starting for no obvious reason, so I checked the httpd error log:
# cat /var/log/httpd/error_log
[Thu May 19 23:27:57 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu May 19 23:27:57 2016] [error] Certificate not verified: 'Server-Cert'
[Thu May 19 23:27:57 2016] [error] SSL Library Error: -8181 Certificate has expired
[Thu May 19 23:27:57 2016] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
Hmm. A quick search suggested this is an NSS-related error. So what is NSS?
Network Security Services (NSS)
mod_nss is an SSL provider derived from the mod_ssl module for the Apache web server that uses the Network Security Services (NSS) libraries. We started with mod_ssl and replaced the OpenSSL calls with NSS calls.
Roughly, this means mod_nss is a replacement for the SSL module (mod_ssl, which uses OpenSSL). I had not configured SSL or NSS at all, though; it turns out mod_nss is enabled by default. Its server certificate is valid for 4 years, so if it is left alone, the certificate expires after 4 years and the HTTP service can no longer start.
The temporary workaround found online is to set NSSEngine off (the default is on) in /etc/httpd/conf.d/nss.conf and then restart the service.
# vi /etc/httpd/conf.d/nss.conf

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
NSSEngine off

# service httpd restart
The validity period of the NSS server certificate can be checked with the following command.
# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Thu Aug 08 10:24:03 2013
            Not After : Tue Aug 08 10:24:03 2017
The proper fix is to reissue the NSS certificate with a new validity period. See the certutil usage guide: https://www.centos.org/docs/5/html/CDS/ag/8.0/Managing_SSL-Using_certutil.html
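Because the failure only shows up when httpd refuses to start, it helps to check the certificate's "Not After" date ahead of time. The script below is an added example (not from the original post or the mod_nss project): it parses the Validity block of `certutil -L` output as shown above and reports how many days remain, with an exit status suitable for a cron job or monitoring check. The SAMPLE_CERTUTIL_OUTPUT text is constructed to mirror the format above; the function names `nss_days_left` and `nss_cert_status` are this example's own. The date arithmetic is done in awk so it does not depend on GNU `date -d`.

```shell
#!/bin/sh
# Added example (not from the original post): parse the "Validity" block of
# `certutil -L` output and report how many days remain before the mod_nss
# server certificate expires, so the expiry is caught before httpd refuses
# to start. SAMPLE_CERTUTIL_OUTPUT is constructed to mirror the format shown
# in the post; against a live server pipe the real command in instead:
#   certutil -d /etc/httpd/alias -L -n Server-Cert | nss_days_left "$(date +%Y-%m-%d)"

SAMPLE_CERTUTIL_OUTPUT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Thu Aug 08 10:24:03 2013
            Not After : Tue Aug 08 10:24:03 2017'

# nss_days_left TODAY(YYYY-MM-DD)
# Reads certutil output on stdin and prints the whole days from TODAY until
# the "Not After" date (negative once the certificate has expired). The
# calendar arithmetic is a days-from-civil conversion written in awk, so the
# function runs on any POSIX system without GNU `date -d`.
nss_days_left() {
    awk -v today="$1" '
    # Days since 1970-01-01 for a proleptic Gregorian date (y, m, d).
    function days_from_civil(y, m, d,    era, yoe, doy, doe) {
        if (m <= 2) y--
        era = int(y / 400)
        yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468
    }
    /Not After/ {
        # Line shape: "Not After : Tue Aug 08 10:24:03 2017"
        mon = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $5) + 2) / 3
        expiry = days_from_civil($8 + 0, mon, $6 + 0)
        found = 1
    }
    END {
        if (!found) { print "no Not After line found" > "/dev/stderr"; exit 3 }
        split(today, t, "-")
        print expiry - days_from_civil(t[1] + 0, t[2] + 0, t[3] + 0)
    }'
}

# nss_cert_status TODAY WARN_DAYS
# Exit 0 when the certificate is valid for more than WARN_DAYS days,
# 1 when it expires within WARN_DAYS days, 2 when it has already expired,
# 3 when the input could not be parsed.
nss_cert_status() {
    left=$(nss_days_left "$1") || return 3
    if [ "$left" -lt 0 ]; then
        echo "Server-Cert expired $(( 0 - left )) day(s) ago"
        return 2
    elif [ "$left" -le "$2" ]; then
        echo "Server-Cert expires in $left day(s)"
        return 1
    fi
    echo "Server-Cert valid for $left more day(s)"
    return 0
}

# Demonstration on the constructed sample, evaluated as of the error log's date.
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | nss_cert_status 2016-05-19 30 || true
```

Both workarounds from the log and the post, `NSSEnforceValidCerts off` and `NSSEngine off`, get httpd running again but leave the host either presenting an expired certificate or serving no TLS at all, which is why a check like this, run before the expiry date, is preferable to discovering the problem when the service fails to start.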