Question about installing and using a WoSign CA SSL certificate on CentOS 7

By cnhap, 2016-08-14, 19:59:04

cnhap

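After turning off the firewall,
https://192.168.1.2/ opens Testing 123.., not my website.

There is also a problem I have not mentioned so far: the site has never been reachable from the external network, while the internal network now works. The router settings are fine; previously, with a Windows host, external access worked. Now, with the firewall off, https displays on the internal network, but the page still cannot be displayed from outside.
It wouldn't be related to my CentOS 7 install not being a minimal install, would it? I installed Chinese and English, with a desktop.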

[root@cnhap ~]# firewall-cmd --add-service=http --permanent
FirewallD is not running
[root@cnhap ~]# firewall-cmd --list-all
FirewallD is not running
[root@cnhap ~]# systemctl enable firewalld && systemctl start firewalld
[root@cnhap ~]# firewall-cmd --add-service=http --permanent
success
[root@cnhap ~]# firewall-cmd --zone=public --add-port=4444/tcp --permanent
success
[root@cnhap ~]# firewall-cmd --zone=public --add-port=443/tcp --permanent
success
[root@cnhap ~]# systemctl restart firewalld
[root@cnhap ~]# firewall-cmd --list-all
public (default, active)
  interfaces: enp3s0
  sources:
  services: dhcpv6-client http ssh
  ports: 443/tcp 4444/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:


This error shows up from time to time:
[root@cnhap ~]# systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
[root@cnhap ~]#


lonelicloud

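1) For the testing 1 2 3 problem, see https://cnzhx.net/blog/centos-rhel-install-lamp-phpmyadmin/#faq and check whether that is the issue. If it is not, then I don't know.

2) CentOS 7 is just acting as a server here and should have nothing to do with your internal and external networks (that is, it would be the same if you used Windows). And of course it has even less to do with whether it is a minimal install, as long as machines on your internal network can reach it. So keep testing with the firewall turned off, to at least rule out the firewall (judging from your command output, the ports that need to be open are all open). But I have never used Peanut Shell (花生壳) and don't know much about it. My personal feeling is that Peanut Shell should only involve the router and not the hosts on the internal network?

3) The end of that intermittent error tells you very clearly that you need to run "systemctl status httpd.service" or "journalctl -xe" to see the detailed error message. Without the detailed error message I cannot know what the problem is.
Welcome to 水景一页

Once your problem is solved, please "Modify" the original post and change its prefix to "Solved".

Please read the pinned posts under "Forum Administration" to help keep the forum running smoothly, for everyone's benefit!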

cnhap

[root@cnhap ~]# SELINUX=disabled
[root@cnhap ~]# setenforce 0
setenforce: SELinux is disabled
[root@cnhap ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@cnhap ~]#


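Blogger, perhaps I did not make myself clear: http://192.168.1.2 does open my website. https://192.168.1.2 opens Testing 123..

I had already run the commands to completely disable SELinux before; the code above is me running them again.

Running "systemctl status httpd.service" or "journalctl -xe" gives the following: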

[root@cnhap ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 一 2016-08-15 01:01:15 CST; 22h ago
     Docs: man:httpd(8)
           man:apachectl(8)
  Process: 15733 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
  Process: 15720 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=0/SUCCESS)
Main PID: 15720 (code=exited, status=0/SUCCESS)

8月 15 01:01:15 cnhap.org systemd[1]: Starting The Apache HTTP Server...
8月 15 01:01:15 cnhap.org httpd[15720]: AH00548: NameVirtualHost has no eff...7
8月 15 01:01:15 cnhap.org httpd[15720]: httpd (pid 13164) already running
8月 15 01:01:15 cnhap.org kill[15733]: kill: cannot find process ""
8月 15 01:01:15 cnhap.org systemd[1]: httpd.service: control process exite...=1
8月 15 01:01:15 cnhap.org systemd[1]: Failed to start The Apache HTTP Server.
8月 15 01:01:15 cnhap.org systemd[1]: Unit httpd.service entered failed state.
8月 15 01:01:15 cnhap.org systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@cnhap ~]# journalctl -xe
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-562.scope has begun starting up.
8月 15 23:29:39 cnhap.org sshd[6053]: pam_unix(sshd:session): session opened for
8月 15 23:29:39 cnhap.org dbus[676]: [system] Activating service name='org.freed
8月 15 23:29:39 cnhap.org dbus-daemon[676]: dbus[676]: [system] Activating servi
8月 15 23:29:39 cnhap.org dbus-daemon[676]: dbus[676]: [system] Successfully act
8月 15 23:29:39 cnhap.org dbus[676]: [system] Successfully activated service 'or
8月 15 23:30:01 cnhap.org systemd[1]: Started Session 563 of user root.
-- Subject: Unit session-563.scope has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-563.scope has finished starting up.
--
-- The start-up result is done.
8月 15 23:30:01 cnhap.org systemd[1]: Starting Session 563 of user root.
-- Subject: Unit session-563.scope has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit session-563.scope has begun starting up.
8月 15 23:30:01 cnhap.org CROND[6158]: (root) CMD (/usr/lib64/sa/sa1 1 1)

lonelicloud

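1) Given that http works normally, https showing test 1 2 3 may be due to the error mentioned earlier, or it may be a problem in the server's SSL-related configuration (most likely in the two files ssl.conf and vhost_yoursite_ssl.conf (yours may be named differently)). test 1 2 3 is a test page configured by the file /etc/httpd/conf.d/welcome.conf. In other words, the host you configured in vhost_yoursite_ssl.conf for https browsing (yes, it runs in parallel with the http one, effectively two websites) is not running or is not configured correctly. You will have to work through this yourself bit by bit. I ran into it before, but apart from the cause I wrote down, I did not record the others, so I cannot just give you the answer.

2) That error only appears sometimes, right? It looks like your httpd service was already running and you then tried to start it again, which produced this error. To restart the httpd service, use the following command,

systemctl restart httpd

rather than,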

systemctl start httpd

cnhap

Contents of ssl.conf:
#
# When we also provide SSL we have to listen to the
# the HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly.
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect.  Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite  AESGM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;

#   Speed-optimized SSL Cipher configuration:
#   If speed is your main concern (on busy HTTPS servers e.g.),
#   you might want to force clients to specific, performance
#   optimized ciphers. In this case, prepend those ciphers
#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
#   (as in the example below), most connections will no longer
#   have perfect forward secrecy - if the server's key is
#   compromised, captures of past or future traffic must be
#   considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on

#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/2_cnhap.org.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/3_cnhap.org.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
SSLCertificateChainFile /etc/pki/tls/certs/1_root_bundle.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>                                 



Contents of vhost_ssl.conf:
<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    # IPv6 addresses must be enclosed in square brackets [ ]
    # NameVirtualHost [<your-ipv6-ip>]:443
#
# Host 1
# cnhap.org
#
<VirtualHost *:443>
SSLEngine On
     SSLProtocol all -SSLv2 -SSLv3
     Header add Strict-Transport-Security "max-age=31536000"
     SSLHonorCipherOrder On
     SSLCompression off
     SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

# Replace the latter part of the next two lines with your own certificate file and key
# SSLCertificateFile /etc/pki/tls/certs/2_cnhap.org.crt
# SSLCertificateKeyFile /etc/pki/tls/private/3_cnhap.org.key
SSLCertificateFile /etc/httpd/ssl/2_cnhap.org.crt
    SSLCertificateKeyFile /etc/httpd/ssl/3_cnhap.org.key




ServerAdmin admin@cnhap.org
ServerName cnhap.org
ServerAlias www
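# Many thanks to cheers for the reminder; testing shows no effect either way, but the Apache documentation requires it
# Note: the next line must not end with /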
DocumentRoot /srv/www/cnhap.org/html

<Directory "/srv/www/cnhap.org/html/">
    Options FollowSymLinks
    # Setting the next line this way allows .htaccess to be used in the site's directories
    AllowOverride All
    # The next line is the new mechanism that replaces Allow from all
    Require all granted
</Directory>

ErrorLog /srv/www/cnhap.org/logs/error-ssl.log
CustomLog /srv/www/cnhap.org/logs/access-ssl.log combined
ServerSignature Off
</VirtualHost>
</IfModule>



Blogger, please help me see what is misconfigured. I think vhost_ssl.conf is the more likely culprit.

lonelicloud

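You probably need to access this host by its domain name for it to work.
Edit the hosts file on your local system to map the domain name to the IP, then access it through the browser again and it should work.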

cnhap

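Blogger, it is not a matter of needing to access it by domain name. I have already set up the router so that the domain name resolves directly to the internal host's IP, and on the internal network I can already access it by domain name. Blogger, you can visit https://cnhap.org/ and see; it still shows Testing 123.. My home telecom broadband has port 80 blocked, so I can only use port 443.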

lonelicloud

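Yes, I tried it, and that is indeed the case.

I can't guarantee that I can help you solve it, but I will do my best. It may be rather troublesome, because there is no way to pin down the cause directly. Below are a few points you can try one by one (one at a time; note that after changing a setting you need to restart the httpd service).

1) The selinux configuration mentioned earlier. First check whether it is currently disabled; if it is, restart the httpd service and try accessing again.

2) Check that the access permissions on this host's website directory, its subdirectories and its files are correct (should be at least 0755).

3) Check whether DirectoryIndex in the httpd.conf configuration file is followed by index.php index.html index.htm (WordPress uses index.php as the directory index file by default).

4) If it still doesn't work after checking all of the above, comment out everything from <VirtualHost _default_:443> to </VirtualHost> in ssl.conf and see whether that has any effect (remember to back up the original configuration file).

5) Put the following code below Require all granted,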
# BEGIN WordPress
        <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
        </IfModule>
        # END WordPress


If none of the above works, give me some more time to think.

cnhap

1 . [root@cnhap ~]# sestatus
SELinux status:                 disabled
[root@cnhap ~]# systemctl restart httpd

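Step 1 is ruled out; the problem is not step 1.

2. The directory /srv/www/cnhap.org/html has permissions 775, and many of the permissions inside it I had already set to 777 earlier, so this is ruled out too.

3. DirectoryIndex in the httpd.conf configuration file had only index.htm by default. After adding index.php index.html index.htm and running systemctl restart httpd, https still shows Testing 123..

4. "If it still doesn't work after checking all of the above, comment out everything from <VirtualHost _default_:443> to </VirtualHost> in ssl.conf and see whether that has any effect": when I got to this step, I commented all of it out with # and https came up. What is the reason?

5. I did not understand step 5, so I did not do it.


Blogger, please help me analyze the cause. Surely I can't just leave ssl.conf commented out and not use it?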

lonelicloud

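Do you mean that after commenting out the default host in ssl.conf in step 4, the https connection now displays the website normally?
That block in ssl.conf is meant to serve as a test host when no SSL host has been configured. Since you have already configured a host, that part is no longer needed, and leaving it commented out permanently will not cause any problem.
As for the exact mechanism, I can't say, because when I configured mine I did not comment this part out and it did not result in only the testing page being shown. If I had to guess, it is probably because your host does not use an explicit IP as the host address.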
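An added example, not part of the thread and not the participants' code: a simplified Python model of how Apache 2.4 chooses between the two `:443` virtual hosts posted above, showing one possible explanation for the test page winning. It assumes that `_default_` is treated as `*`, that a vhost without `ServerName` takes a name derived from the system hostname (`cnhap.org` in the journal output above), and that `conf.d/*.conf` loads alphabetically; the config strings are constructed, trimmed stand-ins, and `parse_vhosts` and `select_vhost` are hypothetical names.

```python
import re
from fnmatch import fnmatch

# Constructed, trimmed stand-ins for the two files posted in the thread,
# in the alphabetical order in which conf.d/*.conf is loaded.
CONF_D = [
    ("ssl.conf", """
<VirtualHost _default_:443>
#ServerName www.example.com:443
SSLEngine on
</VirtualHost>
"""),
    ("vhost_ssl.conf", """
<VirtualHost *:443>
SSLEngine On
ServerName cnhap.org
ServerAlias www
DocumentRoot /srv/www/cnhap.org/html
</VirtualHost>
"""),
]

VHOST_RE = re.compile(
    r"^[ \t]*<VirtualHost\s+([^>]+)>(.*?)^[ \t]*</VirtualHost>", re.S | re.M | re.I)


def parse_vhosts(conf_d):
    """Return active <VirtualHost> blocks in load order (commented lines ignored)."""
    vhosts = []
    for fname, text in conf_d:
        for m in VHOST_RE.finditer(text):
            spec = m.group(1).split()[0]
            addr, port = spec.rsplit(":", 1) if ":" in spec else (spec, "*")
            rows = [ln.split() for ln in m.group(2).splitlines()
                    if ln.strip() and not ln.lstrip().startswith("#")]
            names = [r[1].lower() for r in rows if r[0].lower() == "servername" and len(r) > 1]
            aliases = [a.lower() for r in rows if r[0].lower() == "serveralias" for a in r[1:]]
            vhosts.append({"file": fname, "port": port,
                           "addr": "*" if addr == "_default_" else addr,  # 2.4 alias for *
                           "name": re.sub(r":\d+$", "", names[0]) if names else None,
                           "aliases": aliases})
    return vhosts


def select_vhost(vhosts, host, port, system_hostname):
    """Simplified model of name-based selection among wildcard-address vhosts."""
    candidates = [v for v in vhosts if v["addr"] == "*" and v["port"] in (port, "*")]
    for v in candidates:
        # Assumption: without ServerName, the name is derived from the system hostname.
        effective = v["name"] or system_hostname.lower()
        if host.lower() == effective or any(fnmatch(host.lower(), a) for a in v["aliases"]):
            return v
    return candidates[0] if candidates else None  # no name match: first one wins


if __name__ == "__main__":
    for hostname in ("cnhap.org", "localhost.localdomain"):  # second value is hypothetical
        hit = select_vhost(parse_vhosts(CONF_D), "cnhap.org", "443", hostname)
        print(f"system hostname {hostname!r}: https://cnhap.org/ -> {hit['file']}")
```

On the server itself, `httpd -S` prints the virtual host map Apache actually built, which is the authoritative check.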