How to install SSL on GCE [Wordpress + Apache]

Problem description

I created a private key file using the openssl command:

    openssl genrsa -des3 -out private.key 2048

Entered my password, and followed by generating the CSR:

    openssl req -new -key privatekey.key -out csrkey.csr

I used this CSR to create my SSL certificate through RapidSSL. They issued me 3 certificates ending in .cer, namely:

1. CACertificate-1.cer
2. CACertificate-2.cer
3. ServerCertificate-1.cer

I uploaded all of these certificates to the /etc/apache2/ folder.

/etc/apache2/ contains:

• CACertificate-1.cer
• CACertificate-2.cer
• ServerCertificate-1.cer
• Privatekey.key
• Csrkey.csr
• Chain.ctr (I got this from RapidSSL as the intermediate certificate: https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO6252&actp=search&viewlocale=en_US)

I then had to add the code to /etc/apache2/apache2.conf:

    <VirtualHost _default_:443>
    SSLEngine on
    DocumentRoot /var/www/html
    ServerName example.co.uk
    SSLEngine on
    SSLCertificateFile /etc/apache2/CACertificate-1.cer
    SSLCertificateKeyFile /etc/apache2/privatekey.key
    SSLCertificateChainFile /etc/apache2/chain.ctr
    </VirtualHost>

My /etc/apache2/apache2.conf file didn't have the <VirtualHost>; when I tried to restart Apache it said "SSLEngine command not defined in this module". So I had a look around and found /etc/apache2/sites-available/default-ssl.conf, which did contain <VirtualHost>.

I proceeded by adding the code above, but after restarting Apache using

    sudo apachectl restart

https://example.co.uk is giving me a grey screen: SSL connection error

    ERR_SSL_PROTOCOL_ERROR
    Unable to make a secure connection to the server. This may be a problem with the server, or it may be requiring a client authentication certificate that you don't have.

Solution

Here are the steps to enable the HTTPS protocol for your Apache service on Google Compute Engine (you can safely skip the steps you've already taken):

1. Create a secure directory to install and protect your keys

    $ sudo mkdir /etc/apache2/ssl.crt
    $ cd /etc/apache2/ssl.crt

2. Generate a private key

    $ sudo openssl genrsa -out example.key 2048

3. Generate a certificate signing request (CSR)

    $ sudo openssl req -new -key example.key -out example.csr

4. You can use your new CSR to obtain a valid certificate from a certificate authority (CA). Alternatively, you can generate a self-signed certificate by running the following command

    $ sudo openssl x509 -req -days 365 -in example.csr -signkey example.key -out example.crt

   Caution: Self-signed certificates are not suitable for public sites. While a self-signed certificate implements full encryption, it will cause most browsers to present a warning or error when visitors try to access your site. The above command is provided for testing purposes only.

5. Open Apache's SSL site configuration file for editing

    $ sudo nano /etc/apache2/sites-available/default-ssl.conf

6. Edit the following directives' values

    SSLCertificateFile /etc/apache2/ssl.crt/example.crt
    SSLCertificateKeyFile /etc/apache2/ssl.crt/example.key

7. Uncomment and edit the SSLCertificateChainFile value, if you got a certificate chain file from your CA

    SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt

8. Save the configuration file and close it.

9. Now enable this site configuration file

    $ sudo a2ensite default-ssl.conf

10. You can use the command below to verify and see configuration errors

    $ sudo apachectl configtest

11. Restart the Apache service

    $ sudo service apache2 restart

12. Add/Enable GCE firewall rules for the following protocol:ports pairs for your VM instance

    tcp:80 and tcp:443
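The script below is an added example and is not part of the original answer. It covers the point between steps 4 and 7 that the answer leaves to the reader: when a CA hands back several .cer files, which one goes into SSLCertificateFile, which ones into SSLCertificateChainFile, and how to prove the chosen certificate belongs to the private key before Apache is restarted. It is the kind of mix-up visible in the question's configuration, where SSLCertificateFile points at CACertificate-1.cer rather than ServerCertificate-1.cer. Instead of real RapidSSL files it builds a constructed stand-in bundle (a test root, an intermediate and a server certificate for example.co.uk), so nothing here is issued by a real CA; the file names, the temporary working directory and an openssl CLI of version 1.1.1 or newer are assumptions. Since the procedure is typed into a shell, it is written as a POSIX sh script:

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed stand-in for
# a CA bundle (root -> intermediate -> server certificate), then identifies the
# server certificate, checks it against the private key, assembles the chain
# file and verifies it, printing the directives Apache should be given.
# Assumes the openssl CLI, 1.1.1 or newer.
set -eu

# Exit 0 when FILE carries basicConstraints CA:TRUE, i.e. it is an issuer
# certificate and must not be given to SSLCertificateFile.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Exit 0 when the public key inside CERT ($2) is the one derived from KEY ($1).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Print the path of the one non-CA certificate in DIR ($1) that matches KEY ($2).
find_leaf_cert() {
    for f in "$1"/*.cer; do
        if ! is_ca_cert "$f" && key_matches_cert "$2" "$f"; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Concatenate every CA:TRUE certificate in DIR ($1) into OUT ($2): the single
# PEM bundle SSLCertificateChainFile expects.
build_chain_file() {
    : > "$2"
    for f in "$1"/*.cer; do
        if is_ca_cert "$f"; then cat "$f" >> "$2"; fi
    done
}

# Constructed test data (no real CA involved), named like the files in the
# question: two issuer certificates and one server certificate.
make_test_bundle() {
    d="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:example.co.uk\n' > "$d/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/CACertificate-1.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/inter.csr" -CA "$d/CACertificate-1.cer" \
        -CAkey "$d/root.key" -CAcreateserial -extfile "$d/ca.ext" \
        -out "$d/CACertificate-2.cer" 2>/dev/null
    # The same two commands the asker ran, without the -des3 passphrase.
    openssl genrsa -out "$d/privatekey.key" 2048 2>/dev/null
    openssl req -new -key "$d/privatekey.key" -subj '/CN=example.co.uk' \
        -out "$d/csrkey.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/csrkey.csr" -CA "$d/CACertificate-2.cer" \
        -CAkey "$d/inter.key" -CAcreateserial -extfile "$d/leaf.ext" \
        -out "$d/ServerCertificate-1.cer" 2>/dev/null
}

# Run the checks over DIR and print the three SSL directives for default-ssl.conf.
# Exit 1 if no .cer file is both non-CA and matching the key, or if the chain
# does not validate the server certificate.
diagnose() {
    d="$1"
    leaf=$(find_leaf_cert "$d" "$d/privatekey.key") || return 1
    build_chain_file "$d" "$d/chain.crt"
    openssl verify -CAfile "$d/CACertificate-1.cer" -untrusted "$d/chain.crt" \
        "$leaf" >/dev/null 2>&1 || return 1
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n' \
        "$leaf" "$d/privatekey.key" "$d/chain.crt"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_bundle "$WORK"
diagnose "$WORK"
```

Run as-is, it prints the three directives pointing at ServerCertificate-1.cer, privatekey.key and the assembled chain.crt. To use it on real files, drop make_test_bundle and point diagnose at /etc/apache2/ssl.crt: a non-zero exit means either that no certificate in the directory both lacks CA:TRUE and matches the key, or that the chain does not verify, and either condition should be fixed before apachectl configtest is run. A key generated with genrsa -des3 as in the question is passphrase-protected, so openssl pkey would need -passin and Apache would prompt for the passphrase at every start.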
