apache - 本地 WAMP 服务器不接受自签名 SSL 证书

问题描述

这是错误：

AH02577: Init: SSLPassPhraseDialog builtin is not supported on Win32 (key file C:/wamp/bin/apache/apache2.4.33/conf/key/certificate.crt)
AH02564: Failed to configure encrypted (?) private key localhost:443:0, check C:/wamp/bin/apache/apache2.4.33/conf/key/certificate.crt
SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSA)
SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)

这是我所做的：

创建密钥（不带密码）和证书并将它们放在 Apache conf 文件夹中的一个名为key

openssl req -config config.conf -new -x509 -sha256 -newkey rsa:2048 -nodes -keyout private.key -days 365 -out certificate.crt

config.conf 的内容：

[ req ]
default_bits        = 2048
default_keyfile     = server-key.pem
distinguished_name  = subject
req_extensions      = req_ext
x509_extensions     = x509_ext
string_mask         = utf8only

# The Subject DN can be formed using X501 or RFC 4514 (see RFC 4519 for a description).
#   Its sort of a mashup. For example, RFC 4514 does not provide emailAddress.
[ subject ]
countryName         = Country Name (2 letter code)
countryName_default     = GB

stateOrProvinceName     = State or Province Name (full name)
stateOrProvinceName_default = GB

localityName            = Locality Name (eg, city)
localityName_default        = Cardiff

organizationName         = Organization Name (eg, company)
organizationName_default    = Company

# Use a friendly name here because its presented to the user. The server's DNS
#   names are placed in Subject Alternate Names. Plus, DNS names here is deprecated
#   by both IETF and CA/Browser Forums. If you place a DNS name here, then you 
#   must include the DNS name in the SAN too (otherwise, Chrome and others that
#   strictly follow the CA/Browser Baseline Requirements will fail).
commonName          = Common Name (e.g. server FQDN or YOUR name)
commonName_default      = Example Company

emailAddress            = Email Address
emailAddress_default        = test@example.com

# Section x509_ext is used when generating a self-signed certificate. I.e., openssl req -x509 ...
[ x509_ext ]

subjectKeyIdentifier        = hash
authorityKeyIdentifier  = keyid,issuer

# You only need digitalSignature below. *If* you don't allow
#   RSA Key transport (i.e., you use ephemeral cipher suites), then
#   omit keyEncipherment because that's key transport.
basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

# Section req_ext is used when generating a certificate signing request. I.e., openssl req ...
[ req_ext ]

subjectKeyIdentifier        = hash

basicConstraints        = CA:FALSE
keyUsage            = digitalSignature, keyEncipherment
subjectAltName          = @alternate_names
nsComment           = "OpenSSL Generated Certificate"

# RFC 5280, Section 4.2.1.12 makes EKU optional
#   CA/Browser Baseline Requirements, Appendix (B)(3)(G) makes me confused
#   In either case, you probably only need serverAuth.
# extendedKeyUsage  = serverAuth, clientAuth

[ alternate_names ]

DNS.1       = site.local
DNS.2       = www.site.local
DNS.3       = admin.site.local

# Add these if you need them. But usually you don't want them or
#   need them in production. You may need them for development.
DNS.4       = localhost
DNS.5       = localhost.localdomain
DNS.6       = 127.0.0.1

# IPv6 localhost
DNS.7     = ::1

通过取消注释这些行来激活 Apache SSLhttpd.conf

LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

httpd-ssl.conf通过在里面配置这些条目来设置 SSL<VirtualHost _default_:443>

DocumentRoot "${INSTALL_DIR}/www"
ServerName localhost:443
ServerAdmin admin@example.com
ErrorLog "${APACHE_DIR}/logs/error.log"
TransferLog "${APACHE_DIR}/logs/access.log"
SSLCertificateFile "${APACHE_DIR}/conf/key/certificate.crt"
SSLCertificateFile "${APACHE_DIR}/conf/key/private.key"

并注释掉这一行

SSLPassPhraseDialog  builtin

以下是我用来尝试排序的参考资料，

• https://articlebin.michaelmilette.com/how-to-add-ssl-https-to-wampserver/
• 如何使用 openssl 创建自签名证书？
• https://support.quovadisglobal.com/kb/a90/i-get-error-message-error-init-sslpassphrasedialog-builtin-is-not-supported-on-win32.aspx

我准备放弃所以我希望有人有一些想法。

标签： apacheopensslwampserver