Apache tls — difference between revisions
From pNp Wiki
Andy (talk | contribs) (→Enabling TLS in Apache)
Revision as of 10:03, 31 January 2018
Configuring Apache. TLS configuration

Prerequisites
- A virtual machine with two network interfaces
- Installed packages: bash-completion, policycoreutils, policycoreutils-python, policycoreutils-devel, setroubleshoot-server, httpd, httpd-manual, elinks, curl, perl, openssl, mod_ssl
Enabling TLS in Apache

Install mod_ssl:
[root@vm-01 ~]# yum install -y mod_ssl crypto-utils
After the package is installed, the file /etc/httpd/conf.d/ssl.conf appears; it holds the settings for the web server's encrypted connections. We need to append the parameter -SSLv3 to its SSLProtocol directive:
# SSL Protocol support:
# List the enable protocol levels with which clients will be able to
# connect. Disable SSLv2 access by default:
SSLProtocol all -SSLv2 -SSLv3
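As an added check that is not part of the wiki article, the script below reads the effective SSLProtocol line from a config file and reports whether SSLv2 and SSLv3 can still be negotiated. The sample config files it writes are constructed for the demo (on a real host the file to check is /etc/httpd/conf.d/ssl.conf), and it goes slightly beyond the page's single line: it also accepts allow-list forms such as TLSv1.2 TLSv1.3 and handles a repeated directive, where the last uncommented occurrence in the file is taken to win (a simplification that ignores VirtualHost scoping).

```sh
#!/bin/sh
# Added example, not part of the wiki article: check that an Apache TLS
# config disables the legacy protocols the page strips (SSLv2 and SSLv3).
# Sample files are constructed for the demo; on a real host the file to
# check is /etc/httpd/conf.d/ssl.conf.
set -eu

# Print the effective SSLProtocol value of a config file, lower-cased
# (mod_ssl matches the keywords case-insensitively).
# Simplification: the last uncommented occurrence in the file wins; a real
# audit would also account for <VirtualHost> scoping.
ssl_protocol_of() {
    grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//; s/[[:space:]]+$//' \
        | tr 'A-Z' 'a-z'
}

# Exit 0 when neither SSLv2 nor SSLv3 can be negotiated, 1 otherwise.
# Keywords are matched as whole words, so "-sslv3" and "sslv3" differ.
ssl_protocol_is_hardened() {
    proto=$(ssl_protocol_of "$1")
    [ -n "$proto" ] || return 1    # no directive: compiled-in default, treat as unverified
    for legacy in sslv2 sslv3; do
        case " $proto " in
            *" -$legacy "*) ;;                         # explicitly removed
            *" +$legacy "*|*" $legacy "*) return 1 ;;  # explicitly enabled
            *" all "*|*" +all "*) return 1 ;;          # "all" includes it, nothing removes it
        esac
    done
    return 0
}

# Write constructed sample configs into DIR: the stock line before the page's
# edit, the page's hardened line, an allow-list, and a file whose later
# directive re-enables SSLv3.
write_sample_configs() {
    printf '#SSLProtocol all\nSSLProtocol all -SSLv2\n'                > "$1/stock.conf"
    printf '#SSLProtocol all\nSSLProtocol all -SSLv2 -SSLv3\n'         > "$1/hardened.conf"
    printf 'SSLProtocol TLSv1.2 TLSv1.3\n'                             > "$1/allowlist.conf"
    printf 'SSLProtocol all -SSLv2 -SSLv3\nSSLProtocol TLSv1 SSLv3\n'  > "$1/reenabled.conf"
}

# Demo: report the verdict for each sample file.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for f in "$demo_dir"/*.conf; do
    if ssl_protocol_is_hardened "$f"; then verdict=OK; else verdict=WEAK; fi
    printf '%-16s %-28s %s\n' "$(basename "$f")" "$(ssl_protocol_of "$f")" "$verdict"
done
rm -rf "$demo_dir"
```

Run it as-is to see the four verdicts, or source it and call ssl_protocol_is_hardened /etc/httpd/conf.d/ssl.conf after editing the file; the stock line all -SSLv2 is reported WEAK, the page's all -SSLv2 -SSLv3 is reported OK.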
Next we need to create a certificate. There are several ways to do this:

Creating a certificate with the CLI
There is no need to memorise all the openssl options; it is enough to look at the Makefiles that ship with it:
[root@vm-01 certs]# rpm -ql openssl | head
/etc/pki/CA
/etc/pki/CA/certs
/etc/pki/CA/crl
/etc/pki/CA/newcerts
/etc/pki/CA/private
/etc/pki/tls/certs/Makefile
/etc/pki/tls/certs/make-dummy-cert
/etc/pki/tls/certs/renew-dummy-cert
/etc/pki/tls/misc/CA
/etc/pki/tls/misc/c_hash
[root@vm-01 certs]#
Let's look at the contents of /etc/pki/tls/certs/Makefile:
[root@vm-01 certs]# cat /etc/pki/tls/certs/Makefile
UTF8 := $(shell locale -c LC_CTYPE -k | grep -q charmap.*UTF-8 && echo -utf8)
SERIAL=0
DAYS=365
KEYLEN=2048
TYPE=rsa:$(KEYLEN)

.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo "To create a test certificate with serial number other than zero, add SERIAL=num"
	@echo "You can also specify key length with KEYLEN=n and expiration in days with DAYS=n"
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"
	@echo "  make server.crt SERIAL=1"
	@echo "  make stunnel.pem SERIAL=2"
	@echo "  make testcert SERIAL=3"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req $(UTF8) -newkey $(TYPE) -keyout $$PEM1 -nodes -x509 -days $(DAYS) -out $$PEM2 -set_serial $(SERIAL) ; \
	cat $$PEM1 >  $@ ; \
	echo ""    >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $^ -x509 -days $(DAYS) -out $@ -set_serial $(SERIAL)

TLSROOT=/etc/pki/tls
KEY=$(TLSROOT)/private/localhost.key
CSR=$(TLSROOT)/certs/localhost.csr
CRT=$(TLSROOT)/certs/localhost.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req $(UTF8) -new -key $(KEY) -x509 -days $(DAYS) -out $(CRT) -set_serial $(SERIAL)
[root@vm-01 certs]#
To create a crt certificate, the last rule will do, with a small modification:
[root@vm-01 certs]# /usr/bin/openssl req -new -nodes -x509 -days 365 -out /etc/pki/tls/certs/vm-01.example.com.crt -keyout /etc/pki/tls/private/vm-01.example.com.key
Generating a 2048 bit RSA private key
........................................+++
........................................+++
writing new private key to '/etc/pki/tls/private/vm-01.example.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:RU
State or Province Name (full name) []:Moscow
Locality Name (eg, city) [Default City]:Moscow
Organization Name (eg, company) [Default Company Ltd]:Horns and Hoofs
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:vm-01.example.com
Email Address []:
[root@vm-01 certs]#
Let's check that the required files are present:
[root@vm-01 certs]# ls -lahi /etc/pki/tls/certs/vm-01.example.com.crt
57343108 -rw-r--r--. 1 root root 1.3K Jan 31 10:00 /etc/pki/tls/certs/vm-01.example.com.crt
[root@vm-01 certs]# ls -lahi /etc/pki/tls/private/vm-01.example.com.key
34004217 -rw-r--r--. 1 root root 1.7K Jan 31 10:00 /etc/pki/tls/private/vm-01.example.com.key
[root@vm-01 certs]#
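The ls output above shows the private key created as -rw-r--r-- (0644): the interactive command was run without the umask 77 that every recipe in the Makefile uses, so the key is readable by any local user. As an added example, not part of the wiki article, the script below does the same key and certificate generation non-interactively (the DN answers from the page's session go into a throwaway openssl config instead of prompts, plus a subjectAltName, which modern clients require in addition to CN), creates the key under umask 077, and then runs the checks a practitioner would want before pointing ssl.conf at the files: key mode, key/certificate match, SAN contents and remaining validity. The host name vm-01.example.com is the page's; the temporary directory stands in for /etc/pki/tls/private and /etc/pki/tls/certs.

```sh
#!/bin/sh
# Added example, not part of the wiki article: non-interactive self-signed
# certificate generation with a SAN, followed by the checks a practitioner
# runs before pointing Apache at the files. Host name and paths are
# assumptions (the page uses vm-01.example.com and /etc/pki/tls/...).
set -eu

# Create DIR/HOST.key and DIR/HOST.crt for HOST.
# Differences from the page's interactive command:
#  - umask 077, so the key is created 0600 (the page's ls shows 0644);
#  - prompt = no with the DN in a temporary config instead of typing answers;
#  - a v3_req section adds subjectAltName, which browsers require.
gen_selfsigned_cert() {
    d=$1; h=$2
    cfg="$d/req.cnf"
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C  = RU
ST = Moscow
L  = Moscow
O  = Horns and Hoofs
CN = $h
[v3_req]
subjectAltName = DNS:$h
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # stderr is silenced only to hide the key-generation progress dots
    ( umask 077
      openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
          -config "$cfg" -extensions v3_req \
          -keyout "$d/$h.key" -out "$d/$h.crt" 2>/dev/null )
    rm -f "$cfg"
}

# The private key must be readable by its owner only.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# KEY and CRT must carry the same public key (catches a cert/key mix-up).
cert_matches_key() {
    [ "$(openssl pkey -pubout -in "$1")" = "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# CRT must list HOST in subjectAltName; CN alone is not enough for clients.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# CRT must stay valid for at least DAYS more days (useful as a cron check).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" -in "$1" >/dev/null
}

# Demo run in a temporary directory.
demo_dir=$(mktemp -d)
host=vm-01.example.com
gen_selfsigned_cert "$demo_dir" "$host"
key="$demo_dir/$host.key"; crt="$demo_dir/$host.crt"
key_is_private "$key"          && echo "key mode is 0600"
cert_matches_key "$key" "$crt" && echo "key matches certificate"
cert_has_san "$crt" "$host"    && echo "SAN contains $host"
cert_valid_for_days "$crt" 30  && echo "valid for at least 30 more days"
openssl x509 -noout -subject -enddate -in "$crt"
rm -rf "$demo_dir"
```

To use it on a real host, call gen_selfsigned_cert with the target directory and host name, then move the .key into /etc/pki/tls/private and the .crt into /etc/pki/tls/certs, keeping the 0600 mode on the key; the four check functions can be re-run at any time, and cert_valid_for_days is the natural thing to schedule so that an expiring certificate is noticed before clients start refusing it.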