SSL：无法加载CA证书文件/etc/pki/tls/certs/ca-bundle.crt [英] SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt

问题描述

在我的本地开发机（OSX），我使用JBoss服务器的Web服务上8443当我直接打网址，我得到的JSON响应我要找的。我们在工作中的架构包括，做认证和路由中间层（阿帕奇/ PHP）。如果后来的事情认证将请求转发到后端。

On my local dev machine (osx), I'm using jboss to server web services on 8443. When I hit the urls directly I get the json responses I'm looking for. The architecture we have at work includes a middle layer (apache/php) that does authentication and routing. If things authenticate then it forwards the request to the backend.

当我与Apache在端口80和JBoss工作8081（使用HTTP）。一切为我工作的罚款。现在，我想用8443，事情不工作。

When I was working with apache on port 80 and jboss on 8081 (using http). Everything worked fine for me. Now that I'm trying to use 8443, things aren't working.

我最近通过HTTPS（8443），而不是HTTP（8081）改为后端服务器。我可以直接打到8443的HTTPS请求，并得到JSON响应。当我打Apache和它进行身份验证，然后尝试重定向到HTTPS 8443，我从Chrome的检查得到以下信息：SSL：无法加载CA证书文件/etc/pki/tls/certs/ca-bundle.crt。

I recently changed the backend to server through https (8443) instead of http (8081). I can hit the requests on https 8443 directly and get the json response. When I hit apache and it authenticates then tries to redirect to the https 8443 I get the following message from chrome's inspector: "SSL: can't load CA certificate file /etc/pki/tls/certs/ca-bundle.crt".

我的虚拟主机是建立捉*：80的请求。我想我可能需要设置虚拟主机接受443请求，或者安装 CA证书像<一谈起href=\"http://stackoverflow.com/questions/3160909/how-do-i-deal-with-certificates-using-curl-while-trying-to-access-an-https-url\">How我对付使用卷曲，同时试图访问HTTPS URL证书吗？。我想看看是否有人知道正确的方向应该是什么。

My vhost is setup to catch *:80 requests. I think I might need to setup vhosts to accept 443 requests or install ca-certificates like talked about in How do I deal with certificates using cURL while trying to access an HTTPS url? . I'm looking to see if anyone knows what the proper direction should be.

当我看到在文件系统中，文件 /etc/pki/tls/certs/ca-bundle.crt 不存在。当我提出要求的中间层，我看到请求按 /无功/日志/的Apache2 /访问日志并没有什么大作的/ var /登录/ Apache2的/ error_log中。

When I look on the file system, the file /etc/pki/tls/certs/ca-bundle.crt doesn't exist. When I make the request to the middle layer, I see the request hit /var/log/apache2/access_log and nothing comes up in /var/log/apache2/error_log.

我们需要解决这个问题？它是虚拟主机的配置赶请求443？它是在链接安装CA证书类的东西？两者的结合？或者是其他东西？请提供有关如何解决它，或者提供提供足够的信息链接足够的信息。

What is needed to resolve this issue? Is it a configuration of vhosts to catch request to 443? Is it to install ca-cert stuff like in the link? A combination of both? Or something else? Please provide enough info on how to solve it, or provide links that provide enough info.

推荐答案

我解决我的问题，我做了文档目的后，如果任何人有类似的问题。有几个问题我必须解决，以解决这个问题。

I solved my issue and am doing a post for documentation purposes, in case anyone else has similar issues. There was a couple of issues I had to resolve to fix this.

PHP安装

我的 /etc/apache2/httpd.conf 引用我的默认的OSX的PHP安装，而不是我的家庭酿造的安装PHP的。解决方法是编辑httpd.conf并将其指向正确的安装。

My /etc/apache2/httpd.conf referenced my default osx php install instead of my home brew install of php. Solution was to edit the httpd.conf and point it to the right install.

#LoadModule php5_module /usr/local/opt/php53/libexec/apache2/libphp5.so
LoadModule php5_module /usr/local/Cellar/php53/5.3.29_4/libexec/apache2/libphp5.so

您可以通过以下命令使用家酿PHP创建一个类似的设置：

You can create a similar setup of php using home brew by the following commands:

brew install homebrew/php/php53
brew install homebrew/php/php53-igbinary --build-from-source
brew install homebrew/php/php53-intl
brew install homebrew/php/php53-mcrypt
brew install homebrew/php/php53-memcached
brew install homebrew/php/php53-mongo
brew install homebrew/php/php53-xdebug

创建CA证书包文件

该系统寻找 /etc/pki/tls/certs/ca-bundle.cert 这是在Linux上的标准路径，但不能在OSX。我们解决这个问题通过生成的文件。

The system is looking for /etc/pki/tls/certs/ca-bundle.cert which is a standard path on linux, but not on osx. We get around this by generating the file.

我生成使用密钥工具的的.keystore 文件，并使用的JBoss 我的别名。为了建立CA包文件，我们需要它在PEM格式，所以我们需要将-rfc添加到我们的出口声明。下面是命令：

I generated the .keystore file using keytool and used jboss for my alias. In order to build the ca bundle file, we need it to be in the pem format, so we need to add the -rfc to our export statement. Below are the commands:

cd /usr/local/jboss-eap-6.4/standalone/configuration
keytool -export -alias jboss -file local-sbx.dev.yourcompany.com.crt -keystore .keystore -rfc

在你的文件，你可以猫出来，并验证该文件的 BEGIN CERTIFICATE 和 END CERTIFICATE 的东西在里面。如果是这样，其以正确的格式。

After you have the file, you can cat it out and verify that the file has the BEGIN CERTIFICATE and END CERTIFICATE stuff in it. If so, its in the right format.

最后，创建目录结构，移动证书到像束（这只是一堆附加到对方的证书），然后重启apache：

Lastly, create the directory structure, move the cert to act like the bundle (which is just a bunch of certs appended to each other) and then restart apache:

mkdir -p /etc/pki/tls/certs/
sudo cp local-sbx.dev.yourcompany.com.crt /etc/pki/tls/certs/ca-bundle.crt
sudo apachectl restart

这篇关于SSL：无法加载CA证书文件/etc/pki/tls/certs/ca-bundle.crt的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！