A couple of days ago a colleague came to ask me why the httpd service would not start. I logged on to the machine and had a look, and found that another colleague had run into this problem before and had written it up in an article. See:

The handling steps are recorded below so they are not forgotten.

I. Symptom:
Starting the httpd service by hand fails; /var/log/messages only records the failure and gives no further information.

II. Analysis and handling:
1. Since messages has nothing more to say, look at the detailed logs under /var/log/httpd/;

2. nss_error_log contained the following. Error -8181 is NSS's SEC_ERROR_EXPIRED_CERTIFICATE: mod_nss validates its own server certificate when it starts, so an expired 'Server-Cert' stops httpd from starting at all:
[php]
[Tue Apr 16 13:54:47 2013] [error] Certificate not verified: 'Server-Cert'
[Tue Apr 16 13:54:47 2013] [error] SSL Library Error: -8181 Certificate has expired
[Tue Apr 16 13:54:47 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
[/php]
This looked familiar, because a colleague had written this problem up before; I think his approach is clear and worth borrowing;

3. If you do not know in advance that this is the error, move all of the module configuration files out of /etc/httpd/conf.d/ and start httpd. If it comes up, put the files back one at a time, restarting after each, until you find the one that breaks it. Here the offender is nss.conf, which the mod_nss package installs in that directory;

4. Following the advice in the error message, NSSEnforceValidCerts off can be added to nss.conf to skip the check. Be clear about what that buys: it only stops mod_nss from refusing to start; the server then presents an expired certificate that every client will reject or warn about, so treat it as a stop-gap and remove it once the certificate has been replaced;

5. Alternatively, delete the old certificate and generate a new one. Note that gencert (see below) creates a self-signed test CA ("Certificate Shack") and a server certificate issued by it; no browser trusts that CA, and the certificate it produces is still signed with MD5 with RSA, which current TLS clients reject. For a production service the real fix is a certificate from your own CA, imported into the same database under the nickname Server-Cert with certutil -A (PEM or DER) or pk12util -i (PKCS#12).
Check the certificate's validity dates:
[php]
[root@test]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Tue Apr 12 06:25:46 2008
Not After : Sun Apr 12 06:25:46 2012
Subject: "CN=Intranet,O=example.com,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b9:4e:4f:00:15:31:44:fc:5f:26:ad:d5:e8:1a:1a:6c:
38:29:49:58:8b:69:e6:eb:8c:3c:f3:68:0a:08:b4:06:
18:1f:4c:1a:74:d8:d9:68:05:e2:f9:a3:42:30:bf:a7:
55:4e:76:f0:da:5d:27:ca:49:b9:3d:b8:56:f6:f5:7b:
48:01:a1:8a:fb:ce:6f:98:02:85:06:c6:b0:34:ce:ac:
5e:4b:fb:b2:01:6c:4a:c8:50:c4:03:e4:6a:f4:55:84:
49:de:cd:23:b4:c5:94:58:3d:52:70:be:19:f6:2c:8a:
2b:d6:f2:de:94:04:56:81:c4:12:b3:3c:04:c4:a0:19
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Type
Data: <SSL Server>

Name: Certificate Key Usage
Usages: Key Encipherment

Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
8a:c3:aa:b8:fd:33:af:5d:38:6a:30:22:ea:3c:d5:6a:
38:ff:b6:e7:5f:1d:3a:c8:47:90:09:19:eb:d2:a1:51:
b8:95:19:f4:fc:de:1b:ca:08:35:22:f2:c2:a1:33:28:
51:d0:7c:8d:74:62:44:ef:d3:cb:f2:17:e1:f7:88:73:
ac:2e:1a:8c:ce:83:b1:62:2e:8c:bf:ae:7a:b2:5b:1a:
41:e9:35:fd:6b:7b:cb:a7:c5:1b:69:67:e7:15:f4:98:
9b:63:b3:22:f9:d5:33:9d:03:a1:37:11:4d:2a:7f:2e:
cb:60:e2:47:bd:29:24:a3:c6:39:ea:22:b5:4e:af:20
Fingerprint (MD5):
FF:1E:87:6A:71:B4:B6:E7:12:BD:48:CC:96:A5:66:05
Fingerprint (SHA1):
C6:F1:6D:0F:6B:F9:AE:A2:83:26:FB:6C:DD:04:F6:08:5F:EB:16:7F

Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
[/php]

Move the old database out of the way. This takes the whole NSS database with it: cert8.db, key3.db and secmod.db hold every certificate and private key in /etc/httpd/alias, so keep the backup:
[php]
cd /etc/httpd/alias
mkdir back
mv *.db back
[/php]

Regenerate the database and certificates:
[php]
/usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
[/php]

Check the certificate dates again:
[php]
[root@test conf.d]# certutil -d /etc/httpd/alias -L -n Server-Cert
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Issuer: "CN=Certificate Shack,O=example.com,C=US"
Validity:
Not Before: Tue Apr 16 06:25:46 2013
Not After : Sun Apr 16 06:25:46 2017
Subject: "CN=Intranet,O=example.com,C=US"
Subject Public Key Info:
Public Key Algorithm: PKCS #1 RSA Encryption
RSA Public Key:
Modulus:
b9:4e:4f:00:15:31:44:fc:5f:26:ad:d5:e8:1a:1a:6c:
38:29:49:58:8b:69:e6:eb:8c:3c:f3:68:0a:08:b4:06:
18:1f:4c:1a:74:d8:d9:68:05:e2:f9:a3:42:30:bf:a7:
55:4e:76:f0:da:5d:27:ca:49:b9:3d:b8:56:f6:f5:7b:
48:01:a1:8a:fb:ce:6f:98:02:85:06:c6:b0:34:ce:ac:
5e:4b:fb:b2:01:6c:4a:c8:50:c4:03:e4:6a:f4:55:84:
49:de:cd:23:b4:c5:94:58:3d:52:70:be:19:f6:2c:8a:
2b:d6:f2:de:94:04:56:81:c4:12:b3:3c:04:c4:a0:19
Exponent: 65537 (0x10001)
Signed Extensions:
Name: Certificate Type
Data: <SSL Server>

Name: Certificate Key Usage
Usages: Key Encipherment

Signature Algorithm: PKCS #1 MD5 With RSA Encryption
Signature:
8a:c3:aa:b8:fd:33:af:5d:38:6a:30:22:ea:3c:d5:6a:
38:ff:b6:e7:5f:1d:3a:c8:47:90:09:19:eb:d2:a1:51:
b8:95:19:f4:fc:de:1b:ca:08:35:22:f2:c2:a1:33:28:
51:d0:7c:8d:74:62:44:ef:d3:cb:f2:17:e1:f7:88:73:
ac:2e:1a:8c:ce:83:b1:62:2e:8c:bf:ae:7a:b2:5b:1a:
41:e9:35:fd:6b:7b:cb:a7:c5:1b:69:67:e7:15:f4:98:
9b:63:b3:22:f9:d5:33:9d:03:a1:37:11:4d:2a:7f:2e:
cb:60:e2:47:bd:29:24:a3:c6:39:ea:22:b5:4e:af:20
Fingerprint (MD5):
FF:1E:87:6A:71:B4:B6:E7:12:BD:48:CC:96:A5:66:05
Fingerprint (SHA1):
C6:F1:6D:0F:6B:F9:AE:A2:83:26:FB:6C:DD:04:F6:08:5F:EB:16:7F

Certificate Trust Flags:
SSL Flags:
User
Email Flags:
User
Object Signing Flags:
User
[/php]

How to find out how the certificate was generated: the command is in the mod_nss package's post-install scriptlet, which runs gencert on first install when no key3.db exists yet:
[php]
[root@test conf.d]# rpm -q mod_nss --scripts
postinstall scriptlet (using /bin/sh):
umask 077

if [ "$1" -eq 1 ] ; then
    if [ ! -e /etc/httpd/alias/key3.db ]; then
        /usr/sbin/gencert /etc/httpd/alias > /etc/httpd/alias/install.log 2>&1
        echo ""
        echo "mod_nss certificate database generated."
        echo ""
    fi
fi
[/php]

6. Restart httpd by hand; everything is back to normal. After the restart, confirm that the service is actually presenting the new certificate rather than running with validation switched off, and set a reminder ahead of the new Not After date so this does not repeat in four years.
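As an added example (not part of the original write-up), here is a small Python check that automates steps 2 and 5: it parses nss_error_log lines to recover the certificate nickname and NSS error code, parses the header of `certutil -d /etc/httpd/alias -L -n Server-Cert` output to work out the validity window, and flags a signature algorithm that clients no longer accept. The sample log lines and certutil output are constructed from what this page shows (the key and signature hex dumps are omitted); `INCIDENT_TIME`, the function names and the 30-day warning threshold are my own choices.

```python
"""Added example: pre-flight check for the mod_nss certificate database.

Correlates nss_error_log with `certutil -L` output to say which certificate
blocked startup, whether it is inside its validity window at a given time,
and whether its signature algorithm is one current TLS clients reject.
"""
import re
from datetime import datetime

# Constructed sample: the three nss_error_log lines from the incident.
NSS_ERROR_LOG = """\
[Tue Apr 16 13:54:47 2013] [error] Certificate not verified: 'Server-Cert'
[Tue Apr 16 13:54:47 2013] [error] SSL Library Error: -8181 Certificate has expired
[Tue Apr 16 13:54:47 2013] [error] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
"""

# Constructed sample: header of `certutil -L -n Server-Cert` before renewal.
CERTUTIL_OLD = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: PKCS #1 MD5 With RSA Encryption
        Issuer: "CN=Certificate Shack,O=example.com,C=US"
        Validity:
            Not Before: Tue Apr 12 06:25:46 2008
            Not After : Sun Apr 12 06:25:46 2012
        Subject: "CN=Intranet,O=example.com,C=US"
"""

# Constructed sample: the same header after gencert regenerated the database.
CERTUTIL_NEW = (CERTUTIL_OLD
                .replace("Tue Apr 12 06:25:46 2008", "Tue Apr 16 06:25:46 2013")
                .replace("Sun Apr 12 06:25:46 2012", "Sun Apr 16 06:25:46 2017"))

# Assumed "now": the timestamp of the failed start, taken from the log.
INCIDENT_TIME = datetime(2013, 4, 16, 13, 54, 47)

SEC_ERROR_EXPIRED_CERTIFICATE = -8181       # the NSS code quoted in the log
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] (?P<msg>.*)$")
NICK_RE = re.compile(r"certificate[^']*'(?P<nick>[^']+)'", re.IGNORECASE)
ERR_RE = re.compile(r"SSL Library Error: (?P<code>-?\d+) (?P<text>.*)")
WEAK_HASHES = ("MD2", "MD5", "SHA-1", "SHA1")  # rejected by current TLS clients


def parse_time(value):
    """Parse 'Tue Apr 16 13:54:47 2013' as used by httpd logs and certutil.
    The leading weekday name is redundant, so it is dropped rather than trusted."""
    return datetime.strptime(value.split(None, 1)[1], "%b %d %H:%M:%S %Y")


def parse_nss_error_log(text):
    """Pull the failing nickname and NSS error code out of nss_error_log lines."""
    found = {"nickname": None, "code": None, "text": None, "when": None}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if found["when"] is None:
            found["when"] = parse_time(m.group("ts"))
        n = NICK_RE.search(m.group("msg"))
        if n:
            found["nickname"] = n.group("nick")
        e = ERR_RE.search(m.group("msg"))
        if e:
            found["code"], found["text"] = int(e.group("code")), e.group("text")
    return found


def parse_certutil(text):
    """Extract issuer, subject, signature algorithm and validity from certutil -L."""
    cert = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Signature Algorithm" and "sig_alg" not in cert:
            cert["sig_alg"] = value             # the first one is the cert's own
        elif key in ("Issuer", "Subject"):
            cert[key.lower()] = value.strip('"')
        elif key == "Not Before":
            cert["not_before"] = parse_time(value)
        elif key == "Not After":
            cert["not_after"] = parse_time(value)
    return cert


def validity_status(cert, now):
    """Return (state, days): state is 'not_yet_valid', 'valid' or 'expired';
    days counts whole days until expiry, since expiry, or until validity begins."""
    if now < cert["not_before"]:
        return "not_yet_valid", (cert["not_before"] - now).days
    if now > cert["not_after"]:
        return "expired", (now - cert["not_after"]).days
    return "valid", (cert["not_after"] - now).days


def needs_attention(cert, now, warn_days=30):
    """True when the certificate is unusable now or expires within warn_days."""
    state, days = validity_status(cert, now)
    return state != "valid" or days <= warn_days


def check_startup(log_text, certutil_text, now):
    """Correlate nss_error_log with the certificate and return the findings."""
    log = parse_nss_error_log(log_text)
    cert = parse_certutil(certutil_text)
    state, days = validity_status(cert, now)
    return {
        "nickname": log["nickname"],
        "nss_error": log["code"],
        "issuer": cert["issuer"],
        "state": state,
        "days": days,
        "weak_signature": any(h in cert["sig_alg"] for h in WEAK_HASHES),
        # With NSSEnforceValidCerts at its default, mod_nss will not start on
        # a certificate outside its validity window (the failure on this page).
        "blocks_startup": state != "valid",
    }


if __name__ == "__main__":
    for label, output in (("before renewal", CERTUTIL_OLD), ("after renewal", CERTUTIL_NEW)):
        print(label, check_startup(NSS_ERROR_LOG, output, INCIDENT_TIME))
```

Run it from cron against live `certutil -d /etc/httpd/alias -L -n Server-Cert` output with the current time as `now` and you get a warning before the Not After date instead of a dead httpd afterwards. For a one-off confirmation that step 6 fixed the problem rather than masking it, `certutil -V -d /etc/httpd/alias -n Server-Cert -u V` performs the same validity check natively for SSL-server usage.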