CentOS7配置HTTPS加密访问SVN

上一篇文章已经介绍了如何在CentOS7环境下安装SVN并整合HTTP访问

http://www.cnblogs.com/fjping0606/p/7581093.html

那么本文则介绍如何添加HTTPS证书加密访问SVN（apache环境）

打开/opt/apache/conf/httpd.conf

将

#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so

去掉注释：

loadModule socache_shmcb_module modules/mod_socache_shmcb.so

将

#LoadModule ssl_module modules/mod_ssl.so

去掉注释：

LoadModule ssl_module modules/mod_ssl.so

将

#Include conf/extra/httpd-ssl.conf

去掉注释：

Include conf/extra/httpd-ssl.conf

保存并退出httpd.conf

打开/opt/apache/conf/extra/httpd-vhosts.conf

添加以下内容

lt;VirtualHost _default_:443>

DocumentRoot "/data/subversion" ##svn仓库目录

ServerName svn.test.com:443 ##上一篇文件配置的访问svn的域名

ServerAlias svn.test.com

ServerAdmin webmaster@example.com

DirectoryIndex index.html index.htm index.php default.php app.php u.ph

ErrorLog logs/example_error.log

CustomLog logs/example_access.log \

"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

SSLEngine o

SSLCertificateFile "/opt/apache/ssl/2_svn.test.com.crt" ##在腾讯云申请的https证书

SSLCertificateKeyFile "/opt/apache/ssl/3_svn.test.com.key"

SSLCertificateChainFile "/opt/apache/ssl/1_root_bundle.crt"

lt;Directory "svn.test.com">

SSLOptions +StdEnvVar

AllowOverride All

Require all granted

lt;/Directory>

lt;FilesMatch "\.(shtml|phtml|php)$">

SSLOptions +StdEnvVar

lt;/FilesMatch>

BrowserMatch "MSIE [2-5]" \

okeepalive ssl-unclean-shutdown \

downgrade-1.0 force-response-1.0

lt;/VirtualHost>

保存并退出httpd-vhost.conf

如果此时尝试重启http，会报错，因为还缺少两个文件（/opt/apache/conf/extra/httpd-ssl.conf）：

/opt/apache/conf/server.crt

/opt/apache/conf/server.key

下面介绍如何生成这两个文件

由于Centos 7移除了Openssl的MD5支持，所以会在下面最后一步生成server.crt的时候报错（ ./sign-server-cert.sh server ）：

error 7 at 0 depth lookup:certificate signature failure

配置在CentOS 7上启用MD5支持

1、暂时启用，在命令行下直接执行

export NSS_HASH_ALG_SUPPORT=+MD5

export OPENSSL_ENABLE_MD5_VERIFY=1

2、通过NetworkManager启用MD5支持

vim /usr/lib/systemd/system/NetworkManager.service

追加下面内容：

[Service]

Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"

并重新启动守护进程

ystemctl daemon-reload

ystemctl restart NetworkManager.service

开始配置生成证书

wget ftp://ftp.pl.vim.org/vol/rzm4/replay.old/mirror/ftp.modssl.org/mod_ssl_contrib/ssl.ca-0.1.tar.gz

tar zxvf ssl.ca-0.1.tar.gz

cd ssl.ca-0.1

./new-root-ca.sh (生成根证书)

No Root CA key round. Generating one

Generating RSA private key, 1024 bit long modulu

...........................++++++

....++++++

e is 65537 (0x10001)

Enter pass phrase for ca.key: (输入一个密码)

Verifying - Enter pass phrase for ca.key: (再输入一次密码)

......

Self-sign the root CA... (签署根证书)

Enter pass phrase for ca.key: (输入刚刚设置的密码)

........

........ (下面开始签署)

Country Name (2 letter code) [MY]:CN

State or Province Name (full name) [Perak]:GuangDong

Locality Name (eg, city) [Sitiawan]:GuangZhou

Organization Name (eg, company) [My Directory Sdn Bhd]:leishe

Organizational Unit Name (eg, section) [Certification Services Division]:kuaiyi

Common Name (eg, MD Root CA) []:H5 CA

Email Address []:dami_cn@163.com

这样就生成了ca.key和ca.crt两个文件，下面还要为我们的服务器生成一个证书：

./new-server-cert.sh server (这个证书的名字是server)

......

......

Country Name (2 letter code) [MY]:CN

State or Province Name (full name) [Perak]:GuangDong

Locality Name (eg, city) [Sitiawan]:GuangZhou

Organization Name (eg, company) [My Directory Sdn Bhd]:leishe

Organizational Unit Name (eg, section) [Secure Web Server]:kuaiyi

Common Name (eg, www.domain.com) []:svn.test.com ##注意这个Common Name不能和上面第一个Common Name设置相同

Email Address []:dami_cn@163.com

这样就生成了server.csr和server.key这两个文件。

还需要签署一下才能使用的：

./sign-server-cert.sh server

CA signing: server.csr -> server.crt:

Using configuration from ca.config

Enter pass phrase for ./ca.key: (输入上面设置的根证书密码)

Check that the request matches the signature

Signature ok

The Subject's Distinguished Name is as follow

countryName :PRINTABLE:'CN'

tateOrProvinceName :PRINTABLE:'GuangDong'

localityName :PRINTABLE:'GuangZhou'

organizationName :PRINTABLE:'leishen'

organizationalUnitName:PRINTABLE:'kuaiyin'

commonName :PRINTABLE:'svn.test.com'

emailAddress :IA5STRING:'dami_cn@163.com'

Certificate is to be certified until Jan 27 12:05:17 2019 GMT (365 days)

Sign the certificate? [y/n]: y

1 out of 1 certificate requests certified, commit? [y/n] y

Write out database with 1 new entrie

Data Base Updated

CA verifying: server.crt <-> CA cert

erver.crt: OK

(如果这里出现错误，最好重新来过，删除ssl.ca-0.1这个目录，从解压缩处重新开始。)

完成上面步骤，就生成了server.crt server.key两个文件

将这两个文件拷贝到/opt/apache/conf/

然后重启htt

/opt/apache/bin/apachectl restart

完成上面所有步骤，就可以使用https访问svn域名了

https://svn.test.com/leishen/mysv

参考文章

http://www.eit.name/catool/

http://blog.csdn.net/magicbreaker/article/details/1566742

http://www.zeali.net/entry/532

http://software-engineer.gatsbylee.com/centos7openvpn-verify-error-depth0-errorcertificate-signature-failure/

http://php.upupw.net/apache/6/6325.html 配置HTTP强制跳转到HTTPS